<html><head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head><body bgcolor="#FFFFFF" text="#000000">Hi Nicholas,<br>
<br>
Could not calling <span>OpenSSL_add_all_algorithms() at the beginning
cause it?<br>
<br>
Cheers,<br>
Frank<br>
</span><br>
<blockquote style="border: 0px none;"
cite="mid:CAJi3d3vo+vFko+45+tuHwxnnotN0L9zpLL_2x+HKVf1_snBGhA@mail.gmail.com"
type="cite">
<div style="margin:30px 25px 10px 25px;" class="__pbConvHr"><div
style="display:table;width:100%;border-top:1px solid
#EDEEF0;padding-top:5px"> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;width:100%">
<a moz-do-not-send="true" href="mailto:mainardinicholas@gmail.com"
style="color:#737F92
!important;padding-right:6px;font-weight:bold;text-decoration:none
!important;">Nicholas Mainardi</a></div> <div
style="display:table-cell;white-space:nowrap;vertical-align:middle;">
<font color="#9FA2A5"><span style="padding-left:6px">Monday, February
01, 2016 8:57 PM</span></font></div></div></div>
<div style="color:#888888;margin-left:24px;margin-right:24px;"
__pbrmquotes="true" class="__pbConvBody"><div dir="ltr"><span
style="color:rgb(34,36,38);font-family:Arial,'Helvetica
Neue',Helvetica,sans-serif;font-size:15px;line-height:19.5px">I wrote
this small program which takes as input X509 certificates,
base64-encoded, parses them and builds a certificate chain, which is
eventually verified by </span><code style="margin:0px;padding:1px
5px;border:0px;font-size:13px;font-family:Consolas,Menlo,Monaco,'Lucida
Console','Liberation Mono','DejaVu Sans Mono','Bitstream Vera Sans
Mono','Courier
New',monospace,sans-serif;white-space:pre-wrap;color:rgb(34,36,38);background-color:rgb(238,238,238)">x509_Verify_cert()</code><span
style="color:rgb(34,36,38);font-family:Arial,'Helvetica
Neue',Helvetica,sans-serif;font-size:15px;line-height:19.5px">. The last
certificate is added to the trusted store if it's self-signed, in order
to avoid OpenSSL policy about self-signed certificates, as it's
recommended in this </span><a moz-do-not-send="true"
style="margin:0px;padding:0px;border:0px;font-size:15px;text-decoration:none;color:rgb(0,89,153);font-family:Arial,'Helvetica
Neue',Helvetica,sans-serif;line-height:19.5px" rel="nofollow"
href="https://zakird.com/2013/10/13/certificate-parsing-with-openssl/">post</a><span
style="color:rgb(34,36,38);font-family:Arial,'Helvetica
Neue',Helvetica,sans-serif;font-size:15px;line-height:19.5px">. The code
is at this <a moz-do-not-send="true"
href="http://pastebin.com/2N2DSxbe">pastebin link</a>.</span><div><br></div><div><p
style="margin:0px 0px
1em;padding:0px;border:0px;font-size:15px;clear:both;color:rgb(34,36,38);font-family:Arial,'Helvetica
Neue',Helvetica,sans-serif;line-height:19.5px">However, when I run this
with a correct certificate chain (the Facebook one, already tested with
other libraries), I get error 7, certificate signature validation, at
depth 1. The certificate chain is composed of the server certificate, the CA
certificate and a self-signed root certificate, which is also in the
trusted system store. Hence, it seems that the public key of the
self-signed root certificate is not correctly used to verify the
signature on the CA certificate. Moreover, I compiled the same source but
linked against the BoringSSL crypto library instead of the OpenSSL one, and everything
works perfectly. Hence, my hypothesis is that this is an OpenSSL issue
found by Google and fixed in BoringSSL, but it has not been fixed in
OpenSSL yet. So, I would like to know if I'm missing some steps in order
to properly use <code style="margin:0px;padding:1px
5px;border:0px;font-size:13px;font-family:Consolas,Menlo,Monaco,'Lucida
Console','Liberation Mono','DejaVu Sans Mono','Bitstream Vera Sans
Mono','Courier
New',monospace,sans-serif;white-space:pre-wrap;background-color:rgb(238,238,238)">x509_verify_cert()</code> method,
or whether my hypothesis about BoringSSL fixing it could be appropriate.</p><p
style="margin:0px 0px
1em;padding:0px;border:0px;font-size:15px;clear:both;color:rgb(34,36,38);font-family:Arial,'Helvetica
Neue',Helvetica,sans-serif;line-height:19.5px">Thank You,</p><p
style="margin:0px 0px
1em;padding:0px;border:0px;font-size:15px;clear:both;color:rgb(34,36,38);font-family:Arial,'Helvetica
Neue',Helvetica,sans-serif;line-height:19.5px">Nicholas</p></div></div>
<div>_______________________________________________<br>openssl-users
mailing list<br>To unsubscribe:
<a class="moz-txt-link-freetext" href="https://mta.openssl.org/mailman/listinfo/openssl-users">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br></div></div>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<div>Sent with <a href="http://www.getpostbox.com"><span style="color:
rgb(51, 102, 153);">Postbox</span></a></div></div>
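<p>As an added example (not Nicholas's pastebin program and not OpenSSL's own code), the same chain handling done with the openssl CLI: only the self-signed root goes into the trusted store and the intermediate is passed as untrusted, which is what the untrusted-chain argument of X509_STORE_CTX_init() is for, so the CLI result is what a correctly set up X509_verify_cert() call should give. The second run corrupts the intermediate's signature to show what "error 7 at 1 depth" looks like when the root key genuinely fails to verify the intermediate; in OpenSSL 1.0.x X509_verify() returns the same error code when it cannot look up the signature digest, which is the case Frank's question points at. It assumes the openssl binary and its default config are available; all keys and certificates are generated locally in a temporary directory.</p>

```shell
#!/bin/sh
# Constructed example: build root -> intermediate -> leaf with the openssl CLI,
# verify it with only the root trusted and the intermediate UNTRUSTED, then
# corrupt the intermediate's signature to reproduce
# "error 7 at 1 depth lookup: certificate signature failure".
set -e
WORK=$(mktemp -d)
cd "$WORK"

newkey() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }

# Creates root.pem (self-signed), inter.pem (CA:TRUE, signed by root) and
# leaf.pem (signed by the intermediate) in the current directory.
build_chain() {
  newkey root.key; newkey inter.key; newkey leaf.key
  openssl req -new -x509 -key root.key -subj /CN=Test-Root -days 7 -out root.pem 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nsubjectKeyIdentifier=hash\n' > ca.ext
  openssl req -new -key inter.key -subj /CN=Test-Intermediate -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -set_serial 2 \
    -days 7 -extfile ca.ext -out inter.pem 2>/dev/null
  openssl req -new -key leaf.key -subj /CN=www.example.test -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -set_serial 3 \
    -days 7 -out leaf.pem 2>/dev/null
}

# Copies a PEM certificate, inverting the last byte of its DER encoding (the
# tail of the signature value). The TBS part is untouched, so the chain still
# builds by name, but the signature check under the issuer's key fails.
corrupt_sig() {  # $1 = input PEM, $2 = output PEM
  openssl x509 -in "$1" -outform DER -out tmp.der
  size=$(wc -c < tmp.der)
  last=$(( $(od -An -tu1 -j $((size - 1)) -N 1 tmp.der) ^ 255 ))
  printf "$(printf '\\%03o' "$last")" |
    dd of=tmp.der bs=1 seek=$((size - 1)) conv=notrunc 2>/dev/null
  openssl x509 -inform DER -in tmp.der -out "$2"
}

# Root in the trusted store, intermediate untrusted, leaf as the target; this
# mirrors X509_STORE_CTX_init(ctx, store_with_root, leaf, untrusted_chain).
# Prints openssl's diagnostics ("error N at D depth lookup: ...") and returns
# openssl's exit status.
verify_chain() {  # $1 = trusted root, $2 = untrusted intermediate, $3 = leaf
  openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1
}

build_chain
corrupt_sig inter.pem inter-bad.pem
echo "intact chain:";           verify_chain root.pem inter.pem leaf.pem
echo "corrupted intermediate:"; verify_chain root.pem inter-bad.pem leaf.pem || true
```

The depth in the diagnostic counts from the leaf (depth 0), so "at 1 depth" names the intermediate, and the error says its signature did not verify under whatever certificate the store returned for its issuer name.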
</body></html>