[openssl-users] verify certificate chain (in memory)
Lei Sun
ls00722 at yahoo.com
Sun Mar 6 04:47:14 UTC 2016
Hi Dr. Stephen:
Thanks for the comment, yes giving "untrusted" for intermediate file did solved the problem.
openssl verify -CAfile root.crt -untrusted inter.crt server.crt
OK
I do have OpenSSL_add_all_algorithms() in my code, i stripped it out and only posted the core part of the code.
Thanks
chris
----- Original Message -----
From: Dr. Stephen Henson <steve at openssl.org>
To: Lei Sun <ls00722 at yahoo.com>; openssl-users at openssl.org
Sent: Saturday, March 5, 2016 6:55 PM
Subject: Re: [openssl-users] verify certificate chain (in memory)
On Sat, Mar 05, 2016, Lei Sun wrote:
> Hi:
> In my project I need to verify certificate chain sent from server. The chain has root->inter mediate -> server, 3 level chain. The server certificate files can be verified by "openssl verify" command:
>
> openssl verify -CAfile root.crt server.crt
> OK.
>
> But I had to combine the root cert and intermediate cert into single file, to verify the whole chain via command line.
>
You should pass the intermediate certificate in a separate file usine the
-untrusted option.
> I wrote a test program to verify it with C program:
> Note that I have converted the PEM cert file into DER binary, to minic exactly what server sent me.
>
>
> The core part of the code in bellow:
>
> int main(void)
> {
> FILE *fp = NULL;
> size_t r_size, i_size, s_size;
> unsigned char *r, *i, *s;
> X509 *root, *inter, *server;
> X509_STORE *store;
>
> X509_STORE_CTX *store_ctx;
> int ret;
>
>
>
> if ((r = malloc(1024)) == NULL ||
> (i = malloc(1204)) == NULL ||
> (s = malloc(1024)) == NULL)
> return -1;
>
> /* read certs into buffer */
> r_size = read_cert("root.bin", r, 1024);
> i_size = read_cert("inter.bin", i, 1024);
> s_size = read_cert("server.bin", s, 1024);
>
> root = d2i_X509(NULL, &r, r_size);
> if (root == NULL)
> fprintf(stderr, "failed to convert root cert\n");
> inter = d2i_X509(NULL, &i, i_size);
> if (inter == NULL)
> fprintf(stderr, "failed to convert inter cert\n");
> server = d2i_X509(NULL, &s, s_size);
> if (server == NULL)
> fprintf(stderr, "failed to convert server cert\n");
>
>
> store = X509_STORE_new();
> X509_STORE_add_cert(store, root);
> store_ctx = X509_STORE_CTX_new();
>
> X509_STORE_CTX_init(store_ctx, store, inter, NULL);
>
>
> ret = X509_verify_cert(store_ctx);
>
> fprintf(stdout, "ret=%d\n", ret);
> if (ret <= 0) {
> ret = X509_STORE_CTX_get_error(store_ctx);
> fprintf(stderr, "%d: %s\n", ret, X509_verify_cert_error_string(ret));
> }
>
>
> The above code gives me "certificate signature failure" error, I was only trying to verify intermediate cert with root cert. Since I don't know how to verify the whole chain in memory.
>
> Can anybody shed some lights on me? I googled around for a day with no luck.
>
Probably missing OpenSSL_add_all_algorithms().
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
More information about the openssl-users
mailing list