[openssl-users] Certificate gets verified OK over SSL-CLI, but not when using SSL-API

Manuel Wagesreither ManWag at FastMail.FM
Thu Dec 21 11:42:52 UTC 2017

Dear all,

I'm struggling with programatically verifying a certificate which is solely stored in memory, i. e. not on the file system. The certificate and the CA seem to be fine though, because when I extract them from memory and store them as a file, and use the `openssl verify`, verification is successful. Hence I suspect my code is faulty.

Unfortunately, I'm under the impression that validating certificates which exist solely in memory is a niche application. I was yet not able to find a comprehensive tutorial or even a code sample on the internet. Hence, I hope you can help me.

Below I'm posting my sample code. (I have stripped the certificate and CA raw data, tough.) It can be compiled an run under a GNU/Linux system.
When this code is run, OpenSSL emits a "certificate signature failure" with an error depth of 0.

Thanks a lot!


#include <openssl/x509.h>
#include <stdexcept>
#include <iostream>

unsigned char g_authority[] = {	0x30, 0x82, 0x03, 0x00 /* and so on */ };
unsigned char g_cert[] = { 0x30, 0x82, 0x02, 0x9b /* and so on */ };

int main(int, char**)
	// This holds the return codes and gets reused for most function calls
	int rc = 0;

	// Make a new store
	X509_STORE *x509_store = X509_STORE_new();
	if (x509_store == NULL) {
		throw std::runtime_error("X509_STORE_new() failed");

	// Load and convert the authoritys certificate to a compatible form
	X509 *auth_cert = NULL;
		const unsigned char* auth_cert_ptr = g_authority;
		auth_cert = d2i_X509(NULL, &auth_cert_ptr, sizeof(g_authority));
		if (auth_cert == nullptr) {
			throw std::runtime_error("d2i_X509() failed for authoritys certificate");

	// Add the authoritys certificate to the store
	rc = X509_STORE_add_cert(x509_store, auth_cert);
	if (rc != 1) {
		throw std::runtime_error("X509_STORE_add_cert() failed");

	// Make a new store context
	X509_STORE_CTX *x509_store_ctx = X509_STORE_CTX_new();
	if (x509_store_ctx == NULL) {
		throw std::runtime_error("X509_STORE_CTX_new() failed");

	// Load and convert the certificate to be verified to a compatible form
	X509 *myself = NULL;
		const unsigned char *my_cert_ptr = g_cert;
		myself = d2i_X509(NULL, &my_cert_ptr, sizeof(g_cert));
		if (myself == NULL) {
			throw std::runtime_error("d2i_X509() failed for own certificate");

	rc = X509_STORE_CTX_init(x509_store_ctx, x509_store, myself, NULL);
	if (rc != 1) {
		throw std::runtime_error("X509_STORE_CTX_init() failed");

	rc = X509_verify_cert(x509_store_ctx);


	if (rc > 0) {
		std::cout << X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_store_ctx)) << std::endl;
		return 0;
	} else {
		std::cerr << X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_store_ctx)) << std::endl;
		std::cerr << "Error depth: " << X509_STORE_CTX_get_error_depth(x509_store_ctx) << std::endl;
		return 1;

More information about the openssl-users mailing list