Yuriy Stul wrote:
> 
> Hello all!
> 
> For each certificate in the chain I do the following:
> 
> i = X509_verify(x, X509_get_pubkey(x));
> 
> For many sites (www.chase.com, www.ubs.com, ...) I find that the first certificate
> in the chain has an unmatched signature (i == 0). Only the last certificate (from RSA ....)
> has a good signature. Is that possible, or am I doing something wrong?
> 

Each certificate is signed by its issuer. How you find the issuer can be
a complex process, but usually it's the certificate whose subject name
matches the current certificate's issuer name. So you need to get the
public key of the issuer certificate and use that.

The root certificate has the same issuer and subject names: this is why
your method works.

Verifying is a complex process and I don't recommend you do it manually:
there are other things to check like expiry dates and certificate
extensions.

There are functions to automatically handle certificate verification,
check out apps/verify.c for an example.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
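The three points in the reply above (each certificate is checked with its issuer's public key, the self-signed root is the one case where the certificate's own key works, and the library's full verification routine should be used instead of a hand-rolled loop) as an added worked example. This is not code from the thread or from OpenSSL: it uses Go's standard crypto/x509 package rather than the OpenSSL C API so it runs with no external library, and the three-certificate chain, keys and hostname are constructed in memory for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// signedCert issues a certificate from tmpl, signed with parentKey.
// For a self-signed root, parent is tmpl itself and parentKey is the root's own key.
func signedCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildChain constructs (with throw-away keys) the shape of chain a TLS server
// sends: leaf first, then the intermediate, then the self-signed root last.
func buildChain() ([]*x509.Certificate, error) {
	keys := make([]*ecdsa.PrivateKey, 3) // root, intermediate, leaf
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	now := time.Now()
	caTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
	}
	rootTmpl := caTmpl(1, "Constructed Root CA")
	root, err := signedCert(rootTmpl, rootTmpl, &keys[0].PublicKey, keys[0]) // self-signed
	if err != nil {
		return nil, err
	}
	inter, err := signedCert(caTmpl(2, "Constructed Intermediate CA"), root, &keys[1].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "www.example.test"},
		DNSNames: []string{"www.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := signedCert(leafTmpl, inter, &keys[2].PublicKey, keys[1])
	if err != nil {
		return nil, err
	}
	return []*x509.Certificate{leaf, inter, root}, nil
}

// verifyWithOwnKey reproduces the question's loop: each certificate's signature
// is checked with that certificate's own public key. Only the self-signed root passes.
func verifyWithOwnKey(chain []*x509.Certificate) []error {
	errs := make([]error, len(chain))
	for i, c := range chain {
		errs[i] = c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature)
	}
	return errs
}

// findIssuer applies the reply's rule: the issuer is the chain member whose subject
// name equals this certificate's issuer name (a root therefore finds itself).
func findIssuer(cert *x509.Certificate, chain []*x509.Certificate) *x509.Certificate {
	for _, c := range chain {
		if bytes.Equal(c.RawSubject, cert.RawIssuer) {
			return c
		}
	}
	return nil
}

// verifyWithIssuerKey checks every signature with the issuer's public key.
// CheckSignatureFrom also rejects an issuer that lacks the CA basic constraint
// or the keyCertSign usage, one of the "extensions" the reply mentions.
func verifyWithIssuerKey(chain []*x509.Certificate) []error {
	errs := make([]error, len(chain))
	for i, c := range chain {
		issuer := findIssuer(c, chain)
		if issuer == nil {
			errs[i] = fmt.Errorf("no issuer for %q in chain", c.Subject.CommonName)
			continue
		}
		errs[i] = c.CheckSignatureFrom(issuer)
	}
	return errs
}

// verifyFull is the automatic route the reply recommends: path building from the
// leaf to a trusted root, validity periods, key usages and the host name in one call.
func verifyFull(chain []*x509.Certificate, hostname string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(chain[len(chain)-1])
	for _, c := range chain[1 : len(chain)-1] {
		inters.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: hostname})
	return err
}

func main() {
	chain, err := buildChain()
	if err != nil {
		panic(err)
	}
	for i, e := range verifyWithOwnKey(chain) {
		fmt.Printf("own key:    %-28s %v\n", chain[i].Subject.CommonName, e)
	}
	for i, e := range verifyWithIssuerKey(chain) {
		fmt.Printf("issuer key: %-28s %v\n", chain[i].Subject.CommonName, e)
	}
	fmt.Println("full verify:", verifyFull(chain, "www.example.test"))
}
```

Run as-is, the first loop shows the poster's symptom (leaf and intermediate fail, root passes), the second shows all three passing once the issuer's key is used, and the final call shows the library doing the whole job, including rejecting a wrong hostname if you change the argument.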