[openssl-users] Certificate Chain Verify Error

Frank Migge fm at frank4dd.com
Mon Feb 1 12:30:47 UTC 2016

Hi Nicholas,

Could not calling OpenSSL_add_all_algorithms() at the beginning cause it?


> Nicholas Mainardi <mailto:mainardinicholas at gmail.com>
> Monday, February 01, 2016 8:57 PM
> I wrote this small program which takes as input X509 certificates, 
> base64-encoded, parses them and builds a certificate chain, which is 
> eventually verified by X509_verify_cert(). The last certificate is 
> added to the trusted store if it's self-signed, in order to avoid 
> OpenSSL's policy about self-signed certificates, as is recommended in 
> this post 
> <https://zakird.com/2013/10/13/certificate-parsing-with-openssl/>. The 
> code is at this pastebin link <http://pastebin.com/2N2DSxbe>.
> However, when I run this with a correct certificate chain (the Facebook 
> one, already tested with other libraries), I get error 7, certificate 
> signature validation, at depth 1. The certificate chain is composed of 
> the server certificate, a CA certificate and a self-signed root certificate, 
> which is also in the trusted system store. Hence, it seems that the 
> public key of the self-signed root certificate is not correctly used 
> to verify the signature on the CA certificate. Moreover, I compiled the 
> same source but linking the BoringSSL crypto library instead of the OpenSSL 
> one, and everything works perfectly. Hence, my hypothesis is that this 
> is an OpenSSL issue found by Google and fixed in BoringSSL, but it has 
> not been fixed in OpenSSL yet. So, I would like to know if I'm missing 
> some steps in order to properly use the X509_verify_cert() method, or whether my 
> hypothesis about BoringSSL fixing it could be appropriate.
> Thank You,
> Nicholas
