[openssl-users] Certificate Chain Verify Error

Nicholas Mainardi mainardinicholas at gmail.com
Mon Feb 1 11:57:37 UTC 2016


I wrote this small program which takes as input X509 certificates,
base64-encoded, parses them and builds a certificate chain, which is
eventually verified by X509_verify_cert(). The last certificate is added to
the trusted store if it's self-signed, in order to avoid the OpenSSL policy
about self-signed certificates, as is recommended in this post
<https://zakird.com/2013/10/13/certificate-parsing-with-openssl/>. The code
is at this pastebin link <http://pastebin.com/2N2DSxbe>.

However, when I run this with a correct certificate chain (the Facebook one,
already tested with other libraries), I get error 7, certificate signature
validation, at depth 1. The certificate chain is composed of the server
certificate, a CA certificate and a self-signed root certificate, which is
also in the trusted system store. Hence, it seems that the public key of
the self-signed root certificate is not correctly used to verify the
signature on the CA certificate. Moreover, I compiled the same source but
linked the BoringSSL crypto library instead of the OpenSSL one, and everything
works perfectly. Hence, my hypothesis is that this is an OpenSSL issue
found by Google and fixed in BoringSSL, but it has not been fixed in
OpenSSL yet. So, I would like to know if I'm missing some steps in order to
properly use the X509_verify_cert() method, or whether my hypothesis about
the BoringSSL fix could be appropriate.

Thank You,

Nicholas