[openssl-users] Certificate Chain Verify Error

Nicholas Mainardi mainardinicholas at gmail.com
Mon Feb 1 12:53:37 UTC 2016


Hi Frank,

Now it's properly working! I was not aware I have to call that function to
use OpenSSL algorithms. Thank You very much :)

Cheers,

Nicholas

2016-02-01 13:30 GMT+01:00 Frank Migge <fm at frank4dd.com>:

> Hi Nicholas,
>
> Not calling OpenSSL_add_all_algorithms();  at the beginning could cause
> it?
>
> Cheers,
> Frank
>
> Nicholas Mainardi <mainardinicholas at gmail.com>
> Monday, February 01, 2016 8:57 PM
> I wrote this small program which takes as input X509 certificates,
> base64-encoded, parse them and build a certificate chain, which is
> eventually verified by x509_Verify_cert(). The last certificate is added
> to the trusted store if it's self-signed, in order to avoid OpenSSL policy
> about self.signed certificates, as it's recommended in this post
> <https://zakird.com/2013/10/13/certificate-parsing-with-openssl/>. The
> code is at this pastebin link <http://pastebin.com/2N2DSxbe>.
>
> However, when I run this with a correct certificate chain (Facebook one,
> already tested with other libraries), I got error 7, certificate signature
> validation, at depth 1. The certificate chain is composed by server
> certificate, CA certificate and a self-signed root certificate, which is
> also in the trusted system store. Hence, it seems that the public key of
> the self-signed root certificate is not correctly used to verify the
> signature on the CA certificate. Moreover, I compile the same source but
> linking boringSSL crypto library instead of OpenSSL one, and everything
> works perfectly. Hence, my hyphotesis is that this is an OpenSSL issue
> found by Google and fixed in BoringSSL, but it has not been fixed in
> OpenSSL yet. So, I would like to know if I'm missing some steps in order to
> properly use x509_verify_cert() method, or my hyphotesis about BoringSSL
> fixing could be appropriate.
>
> Thank You,
>
> Nicholas
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
>
> --
> Sent with Postbox <http://www.getpostbox.com>
>
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160201/da31e90b/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: compose-unknown-contact.jpg
Type: image/jpeg
Size: 770 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160201/da31e90b/attachment.jpg>


More information about the openssl-users mailing list