I am new to the openssl library. I am trying to write
a simple program to illustrate how to verify
certificates using the openssl library. I cannot seem
to get the program to work, although I have taken most
of the code from the verify.c file in the apps
directory. I know my certificates should validate
because they validate with the openssl verify command.
Can anyone give me some pointers on what I might have
missed? Any help would be greatly appreciated.
Michelle
Here is the program:
// simple_ssl.cpp
// Simple program to illustrate how to verify a
certificate
#include <iostream>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/err.h>
#include <openssl/pem.h>
static int cb(int ok, X509_STORE_CTX *ctx);
int main(int argc, char** argv)
{
X509_STORE *cert=NULL;
X509_STORE_CTX ctx;
X509_LOOKUP *lookup=NULL;
X509 *x=NULL;
BIO *in=NULL;
int i = 0;
int mainrc = -1;
// check for command line arguments
if (argc < 3)
{
cout << "usage: " << argv[0] << " cafile
certificate" << endl;
exit(-1);
}
try
{
// create new X509_STORE, which will be set to
NULLs/Os
cert=X509_STORE_new();
// set up call back function
X509_STORE_set_verify_cb_func(cert,cb);
// ???
ERR_load_crypto_strings();
// set the ca file
lookup=X509_STORE_add_lookup(cert,X509_LOOKUP_file());
i=X509_LOOKUP_load_file(lookup,argv[1],X509_FILETYPE_PEM);
if (!i)
{
cout << "Error loading CA certificate: " <<
argv[1] << endl;
throw "Error!";
}
// set the ca path
lookup=X509_STORE_add_lookup(cert,X509_LOOKUP_hash_dir());
X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
// read the certificate in from disk
in=BIO_new(BIO_s_file());
if (in == NULL)
{
throw "Error creating new BIO file";
}
if (BIO_read_filename(in,argv[2]) <= 0)
{
perror(argv[2]);
throw "Error opening certificate file.";
}
x=PEM_read_bio_X509(in,NULL,NULL,NULL);
// create a X509_STORE_CTX (temporary structure
to hold results)
X509_STORE_CTX_init(&ctx,cert,x,NULL);
// verify the certificate
i=X509_verify_cert(&ctx);
// cleanup temporary structure
X509_STORE_CTX_cleanup(&ctx);
// check return code
if (i)
{
cout << "Certificate verified!" << endl;
}
else
{
cout << "Certificate did not verify: " <<
endl;
}
mainrc = 0;
}
catch (const char* err)
{
cout << err << endl << "Exiting..." << endl;
}
return mainrc;
}
static int cb(int ok, X509_STORE_CTX *ctx)
{
char buf[256];
if (!ok)
{
X509_NAME_oneline(
X509_get_subject_name(ctx->current_cert),buf,256);
printf("%s\n",buf);
printf("error %d at %d depth
lookup:%s\n",ctx->error,
ctx->error_depth,
X509_verify_cert_error_string(ctx->error));
if (ctx->error == X509_V_ERR_CERT_HAS_EXPIRED) ok=1;
/* since we are just checking the certificates, it
is
* ok if they are self signed. But we should still
warn
* the user.
*/
if (ctx->error ==
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1;
/* Continue after extension errors too */
if (ctx->error == X509_V_ERR_INVALID_CA) ok=1;
if (ctx->error == X509_V_ERR_PATH_LENGTH_EXCEEDED)
ok=1;
if (ctx->error == X509_V_ERR_INVALID_PURPOSE) ok=1;
if (ctx->error ==
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1;
}
return(ok);
}
__________________________________________________
Do You Yahoo!?
Get personalized email addresses from Yahoo! Mail
http://personal.mail.yahoo.com/
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
