Re: Verify x509 certificate - Openssl


Thread: Re: Verify x509 certificate

  1. Re: Verify x509 certificate


    It would be helpful if we could see the certificate. My guess is that either your cert is self signed, in which case you need to treat this case in your callback, or the certificate you are trying to verify is not signed by the trust anchor that you provide. Also you must be careful which text editor you are using because some may replace spaces with their own ( eg CRLF - CR or LF ) in the root_cert_data declaration, and that might spoil the signature.

    Cheers.



    ----- Original Message ----
    From: .:: Francesco la Torre ::.
    To: openssl-users@openssl.org
    Sent: Friday, August 1, 2008 8:02:44 PM
    Subject: Re: Verify x509 certificate

    Any help from someone ?
    :-)
    Flt


    On Wed, 30/07/2008 at 23.57 +0200, Francesco la Torre wrote:
    > Dear all,
    > I'm new to the openssl api and I'm trying to write a simple application to
    > verify an x509 certificate but I'm facing a strange problem.
    >
    > Here is a snapshot of my code that you can use to replicate my scenario :
    >
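    > #include <stdio.h>
    > #include <stdlib.h>
    > #include <openssl/bio.h>
    > #include <openssl/err.h>
    > #include <openssl/pem.h>
    > #include <openssl/x509.h>
    > #include <openssl/x509_vfy.h>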
    >
    > const char root_cert_data[] =
    > "-----BEGIN CERTIFICATE-----\n\
    > MIIDQjCCAqugAwIBAg ... Rinw==\n\
    > -----END CERTIFICATE-----\n";
    >
    > int main(int argc, char **argv){
    >
    > FILE *fp;
    > X509 *root_cert;
    >
    > X509_STORE *CAcerts;
    > X509 * cert;
    >
    > X509_STORE_CTX ca_ctx;
    > char *strerr;
    > BIO *bio;
    >
    > STACK_OF(X509) *trusted_chain;
    >
    > trusted_chain = sk_X509_new_null();
    >
    > if (!(bio = BIO_new_mem_buf((void *) root_cert_data, -1))) {
    > printf("BIO_new_mem_buf\n");
    > exit(1);
    > }
    > BIO_set_close(bio, BIO_NOCLOSE);
    > if (!(root_cert = PEM_read_bio_X509(bio, 0, 0, 0))) {
    > printf("PEM_read_bio_X509 (root)\n");
    > ERR_print_errors_fp(stdout);
    > exit(1);
    > }
    >
    > sk_X509_push(trusted_chain, root_cert);
    > /* load CA cert store */
    > if (!(CAcerts = X509_STORE_new())) {
    > printf ("\nError1\n");
    > }
    >
    > if (X509_STORE_load_locations(CAcerts,
    > "/home/frank/test/test-CA/calist.pem" , NULL ) != 1) {
    > printf ("\nError2\n");
    > }
    > if (X509_STORE_set_default_paths(CAcerts) != 1) {
    > printf ("\nError3\n");
    > }
    >
    > /* load X509 certificate */
    > if (!(fp = fopen ("cert.pem", "r"))){
    > printf ("\nError4\n");
    > }
    > if (!(cert = PEM_read_X509 (fp, NULL, NULL, NULL))){
    > printf ("\nError5\n");
    > }
    >
    > /* verify */
    > if (X509_STORE_CTX_init(&ca_ctx, CAcerts, cert, trusted_chain) != 1)
    > {
    > printf ("\nError6\n");
    > }
    >
    > X509_STORE_CTX_trusted_stack(&ca_ctx, trusted_chain);
    >
    > if (X509_verify_cert(&ca_ctx) != 1) {
    > strerr = (char *) X509_verify_cert_error_string(ca_ctx.error);
    > printf("Verification error: %s", strerr);
    > }
    >
    > X509_STORE_free(CAcerts);
    > X509_free(cert);
    >
    > return 0;
    > }
    >
    > obviously root_cert_data[] and cert.pem have to be replaced with your
    > certs.
    > Compiled as
    >
    > gcc -Wall x509.c -o x509 -lssl -lcrypto
    >
    > after execution I receive this error :
    >
    > Verification error: certificate signature failure
    >
    > Even if I try to verify my certificate by means of the command line tool
    >
    > openssl verify -CAfile /home/frank/test/test-CA/calist.pem cert.pem
    >
    > The output is :
    >
    > cert.pem: OK
    >
    > Does anybody know where the problem is ?
    >
    > Thanks in advance,
    > Francesco la Torre
    > __________________________________________________ ____________________
    > OpenSSL Project http://www.openssl.org
    > User Support Mailing List openssl-users@openssl.org
    > Automated List Manager majordomo@openssl.org






  2. Re: Verify x509 certificate

    On Fri, 2008-08-01 at 11:21 -0700, Sendroiu Eugen wrote:
    >

    Hi Sendroiu,

    > It would be helpful if we could see the certificate.


    I did not post the whole certificate, to allow you to replicate my code with
    your own certificate/calist.

    > My guess is that either your cert is self signed,


    Yes, it's self signed.

    > in which case you need to treat this case in your callback,


    I have no idea how to do this. Do I have to set any flag/field in the
    context ?

    > or the certificate you are trying to verify is not signed by the trust
    > anchor that you provide. Also you must be careful which text editor
    > you are using because some may replace spaces with their own ( eg
    > CRLF - CR or LF ) in the root_cert_data declaration, and that might
    > spoil the signature.


    I'll also check this :-)
    >
    > Cheers.


    Thank you very much !

    Flt


  3. Re: Verify x509 certificate

    self reply :-)

    I've added a callback function like this

    static int cb(int ok, X509_STORE_CTX *ctx){
    char buf[256];

    X509_NAME_oneline(
    X509_get_subject_name(ctx->current_cert),buf,256);
    printf("%s\n",buf);
    printf("error %d at %d depth lookup:%s\n",ctx->error,
    ctx->error_depth,
    X509_verify_cert_error_string(ctx->error));

    /* Continue even if self signed */
    if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1;

    ERR_clear_error();

    return(ok);
    }

    and also add this line to the main

    X509_STORE_set_verify_cb_func(&ca_ctx,cb);

    but the result is always the same :

    Verification error: certificate signature failure

    where are my mistakes ?

    Thanks
    Flt



  4. Re: Verify x509 certificate

    On Sat, 2008-08-02 at 00:21 +0200, .:: Francesco la Torre ::. wrote:
    > self reply :-)
    >
    > I've added a callback function like this
    >
    > static int cb(int ok, X509_STORE_CTX *ctx){
    > char buf[256];
    >
    > X509_NAME_oneline(
    > X509_get_subject_name(ctx->current_cert),buf,256);
    > printf("%s\n",buf);
    > printf("error %d at %d depth lookup:%s\n",ctx->error,
    > ctx->error_depth,
    > X509_verify_cert_error_string(ctx->error));
    >
    > /* Continue even if self signed */
    > if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1;
    >
    > ERR_clear_error();
    >
    > return(ok);
    > }
    >


    One mistake is here, even though there was no compilation error

    > and also add this line to the main
    > X509_STORE_set_verify_cb_func(&ca_ctx,cb);
    >


    the correct code block is :

    ....
    /* load CA cert store */
    if (!(CAcerts = X509_STORE_new())) {
    printf ("\nError1\n");
    }
    ---> X509_STORE_set_verify_cb_func(CAcerts,cb);
    ....



    > but the result is always the same :
    >


    Not always the boring "Verification error: certificate signature
    failure"

    But a new strange error :


    /C=IT/ST=Italy/O=IIT-CNR/OU=lab18/CN=ubuntu-ser/emailAddress=frank@timpet.it
    error 7 at 1 depth lookup:certificate signature failure
    Verification error: 0


    I've tried to find any kind of reference for this kind of error but
    Google does not return very good help.

    In various forums/mailing lists this is _classified_ as a *quite strange*
    error ... is it possible ?

    Thanks in advance,
    Flt




  5. Re: Verify x509 certificate

    The verify(1ssl) man page has descriptions of these error codes. 7 is
    "X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure",
    which is described as: the signature of the certificate is invalid.

    I would presume that this is because the signature cannot be verified
    with the public key that it's said to be verifiable with -- i.e., the
    data in one of the certificates has been modified since it was signed
    (and thus, the signature has been invalidated).

    -Kyle H



  6. Re: Verify x509 certificate

    On Sat, 2008-08-02 at 02:04 -0700, Kyle Hamilton wrote:
    > The verify(1ssl) man page has descriptions of these error codes. 7 is
    > "X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure",
    > which is described as: the signature of the certificate is invalid.
    >
    > I would presume that this is because the signature cannot be verified
    > with the public key that it's said to be verifiable with -- i.e., the
    > data in one of the certificates has been modified since it was signed
    > (and thus, the signature has been invalidated).
    >


    You're right, but I used the "strange" adjective because if I try to
    verify the certificate from command line

    openssl verify -CAfile /home/frank/test/test-CA/calist.pem cert.pem

    The output is :

    cert.pem: OK

    so both certificates are valid.

    Regards,
    Flt



  7. Re: Verify x509 certificate

    Solved !

    I forgot to call SSLeay_add_all_algorithms();
    .... a summer youthful folly :-)

    Flt

