[openssl-users] Certificate gets verified OK over SSL-CLI, but not when using SSL-API
Viktor Dukhovni
openssl-users at dukhovni.org
Sat Dec 23 18:12:23 UTC 2017
> On Dec 21, 2017, at 6:42 AM, Manuel Wagesreither <ManWag at FastMail.FM> wrote:
>
>
> #include <openssl/x509.h>
> #include <stdexcept>
> #include <iostream>
>
> unsigned char g_authority[] = { 0x30, 0x82, 0x03, 0x00 /* and so on */ };
> unsigned char g_cert[] = { 0x30, 0x82, 0x02, 0x9b /* and so on */ };
Eliding the certificate data makes it very difficult to provide
meaningful feedback.
>
> int main(int, char**)
> {
> // This holds the return codes and gets reused for most function calls
> int rc = 0;
>
> // Make a new store
> X509_STORE *x509_store = X509_STORE_new();
> if (x509_store == NULL) {
> throw std::runtime_error("X509_STORE_new() failed");
> }
>
> // Load and convert the authority's certificate to a compatible form
> X509 *auth_cert = NULL;
> {
> const unsigned char* auth_cert_ptr = g_authority;
> auth_cert = d2i_X509(NULL, &auth_cert_ptr, sizeof(g_authority));
> if (auth_cert == nullptr) {
> throw std::runtime_error("d2i_X509() failed for authority's certificate");
> }
> }
>
> // Add the authority's certificate to the store
> rc = X509_STORE_add_cert(x509_store, auth_cert);
> if (rc != 1) {
> throw std::runtime_error("X509_STORE_add_cert() failed");
> }
>
> // Make a new store context
> X509_STORE_CTX *x509_store_ctx = X509_STORE_CTX_new();
> if (x509_store_ctx == NULL) {
> throw std::runtime_error("X509_STORE_CTX_new() failed");
> }
>
> // Load and convert the certificate to be verified to a compatible form
> X509 *myself = NULL;
> {
> const unsigned char *my_cert_ptr = g_cert;
> myself = d2i_X509(NULL, &my_cert_ptr, sizeof(g_cert));
> if (myself == NULL) {
> throw std::runtime_error("d2i_X509() failed for own certificate");
> }
> }
>
> rc = X509_STORE_CTX_init(x509_store_ctx, x509_store, myself, NULL);
> if (rc != 1) {
> throw std::runtime_error("X509_STORE_CTX_init() failed");
> }
>
> rc = X509_verify_cert(x509_store_ctx);
>
> X509_STORE_free(x509_store);
> X509_STORE_CTX_free(x509_store_ctx);
You're freeing x509_store_ctx too early; it is used below for error
reporting.
>
> if (rc > 0) {
> std::cout << X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_store_ctx)) << std::endl;
> return 0;
> } else {
> std::cerr << X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509_store_ctx)) << std::endl;
> std::cerr << "Error depth: " << X509_STORE_CTX_get_error_depth(x509_store_ctx) << std::endl;
> return 1;
> }
> }
Please re-post the source code with the *complete* certificate
data.
--
Viktor.