Re: Verify x509 certificate - Openssl



Thread: Re: Verify x509 certificate

  1. Re: Verify x509 certificate




    I'm not sure you solved that. This works just because your certificate chain will have only 1 certificate so no signature verification is done.


    kr,

    Eugen Sendroiu



    ----- Original Message ----
    From: .:: Francesco la Torre ::.
    To: openssl-users@openssl.org
    Sent: Saturday, August 2, 2008 5:16:10 PM
    Subject: Re: Verify x509 certificate

    Solved !

    I forgot to call SSLeay_add_all_algorithms();
    .... a summer youthful folly :-)

    Flt


    On Sat, 02/08/2008 at 11.43 +0200, .:: Francesco la Torre ::.
    wrote:
    > On Sat, 2008-08-02 at 02:04 -0700, Kyle Hamilton wrote:
    > > The verify(1ssl) man page has descriptions of these error codes. 7 is
    > > "X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure",
    > > which is described as: the signature of the certificate is invalid.
    > >
    > > I would presume that this is because the signature cannot be verified
    > > with the public key that it's said to be verifiable with -- i.e., the
    > > data in one of the certificates has been modified since it was signed
    > > (and thus, the signature has been invalidated).
    > >

    >
    > You're right, but I used the "strange" adjective because if I try to
    > verify the certificate from command line
    >
    > openssl verify -CAfile /home/frank/test/test-CA/calist.pem cert.pem
    >
    > The output is :
    >
    > cert.pem: OK
    >
    > so both certificates are valid.
    >
    > Regards,
    > Flt
    >
    > > -Kyle H
    > >
    > > On Fri, Aug 1, 2008 at 5:15 PM, .:: Francesco la Torre ::.
    > > wrote:
    > > > On Sat, 2008-08-02 at 00:21 +0200, .:: Francesco la Torre ::. wrote:
    > > >
    > > > One mistake is here, even if there was no compilation error
    > > >
    > > >> and also add this line to the main
    > > >> X509_STORE_set_verify_cb_func(&ca_ctx,cb);
    > > >>
    > > >
    > > > the correct code block is :
    > > >
    > > > ...
    > > > /* load CA cert store */
    > > > if (!(CAcerts = X509_STORE_new())) {
    > > > printf ("\nError1\n");
    > > > }
    > > > ---> X509_STORE_set_verify_cb_func(CAcerts,cb);
    > > > ...
    > > >
    > > >
    > > >
    > > >> but the result is always the same :
    > > >>
    > > >
    > > > Not always the boring "Verification error: certificate signature
    > > > failure"
    > > >
    > > > But a new strange error :
    > > >
    > > >
    > > > /C=IT/ST=Italy/O=IIT-CNR/OU=lab18/CN=ubuntu-ser/emailAddress=frank@timpet.it
    > > > error 7 at 1 depth lookup:certificate signature failure
    > > > Verification error: 0
    > > >
    > > >
    > > > I've tried to find any kind of reference for this kind of error but
    > > > Google does not return very good help.
    > > >
    > > > In various forums/mailing lists this is _classified_ as a *quite strange*
    > > > error ... is it possible ?
    > > >
    > > > Thanks in advance,
    > > > Flt
    > > >
    > > >
    > > > __________________________________________________ ____________________
    > > > OpenSSL Project http://www.openssl.org
    > > > User Support Mailing List openssl-users@openssl.org
    > > > Automated List Manager majordomo@openssl.org
    > > >






  2. Re: Verify x509 certificate

    it seems to work well because if I try to change a character in the array
    containing the cert, the verification process fails. However, in the next days
    I'll try to load an untrusted chain and verify better; now instead I'm
    preparing problems for the next post :-)

    thanks
    Flt


    On Sat, 02/08/2008 at 18.57 -0700, Sendroiu Eugen wrote:
    >
    >
    > I'm not sure you solved that. This works just because your certificate
    > chain will have only 1 certificate so no signature verification is
    > done.
    >
    > kr,
    >
    > Eugen Sendroiu


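The test cases this thread is circling around, as an added example that is not part of any poster's message or code: a chain of one certificate, a leaf correctly signed by the trusted CA, and a leaf signed by a second CA that has the same subject name but a different key, checked with the `openssl verify -CAfile` command quoted above. File names, subjects and function names are constructed for the example; only the third case tells you whether a verifier really checks signatures, and the error number it reports can vary with the OpenSSL version and the certificate extensions.

```shell
#!/bin/sh
# Added example; file names, subjects and function names are constructed.

# verdict CAFILE CERT: print OK or FAIL from the "file: OK" line of openssl verify
verdict() {
    if openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'; then
        echo OK
    else
        echo FAIL
    fi
}

# make_ca NAME: self-signed CA (NAME.pem, NAME.key), always the same subject
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# issue CA OUT: sign the shared request leaf.csr with CA's key
issue() {
    openssl x509 -req -in leaf.csr -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$2" >/dev/null 2>&1
}

run_cases() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        make_ca trusted
        make_ca other   # same subject name as "trusted", different key
        openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
            -keyout leaf.key -out leaf.csr >/dev/null 2>&1
        issue trusted good.pem
        issue other bad.pem
        one=$(verdict trusted.pem trusted.pem)   # chain of one: the anchor itself
        good=$(verdict trusted.pem good.pem)     # leaf signed by the trusted key
        bad=$(verdict trusted.pem bad.pem)       # leaf signed by the other key
        echo "$one $good $bad"
    )
    rm -rf "$dir"
}

run_cases   # expected: OK OK FAIL
```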