Thanks Steve,

When I saw the error code, it says 7 : certificate signature failure

But how come the *same* certificate is verified without any errors when I run the command line version?? Is there something extra which I need to do in my program before verifying??

-Sid

On Mon, 2005-01-24 at 12:59, Dr. Stephen Henson wrote:
> On Mon, Jan 24, 2005, Siddharth Ramesh wrote:
>
> > Hi all,
> > I wrote a program to create a self signed CA certificate and using it,
> > created a client certificate. When I used the command
> >
> > openssl verify -CAfile ca_cert.pem client_cert.pem
> >
> > to verify the client certificate, it verifies properly giving the output
> > 'client_cert.pem : OK'
> >
> > But when I wrote a program after referring to a book, to do the
> > verification using the function X509_verify_cert() , verification is
> > failing.
> >
> > The function which does verification is the following :
> >
> > int verify_cert(X509 *client_cert, char *ca_file)
> > {
> >     X509 *cert ;
> >     X509_STORE *store ;
> >     X509_LOOKUP *lookup ;
> >     X509_STORE_CTX *verify_ctx ;
> >
> >     // Create the cert store
> >     if (!(store = X509_STORE_new ()))
> >         my_error ("Error creating X509_STORE object");
> >     X509_STORE_set_verify_cb_func (store, NULL);
> >
> >     // Load the CA file
> >     if(!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())))
> >         my_error ("Error creating X509_LOOKUP object\n" );
> >
> >     if(X509_LOOKUP_load_file(lookup, ca_file, X509_FILETYPE_PEM) != 1)
> >         my_error("Error reading the CA file\n") ;
> >
> >     // create a verification context
> >     if (!(verify_ctx = X509_STORE_CTX_new ()))
> >         my_error ("Error creating X509_STORE_CTX object");
> >
> >     /* X509_STORE_CTX_init did not return an error condition
> >        in prior versions */
> > #if (OPENSSL_VERSION_NUMBER > 0x00907000L)
> >     if (X509_STORE_CTX_init (verify_ctx, store, client_cert, NULL) != 1)
> >         my_error ("Error initializing verification context");
> > #else
> >     X509_STORE_CTX_init (verify_ctx, store, client_cert, NULL);
> > #endif
> >
> >     /* verify the certificate */
> >     if (X509_verify_cert (verify_ctx) != 1)
> >         return 0 ; // Failure
> >     else
> >         return 1 ; // Success
> >
> > }
> >
> >
> > Is there anything which I am missing ? I would be really grateful if
> > someone guides me.
> >
>
> Well you are missing something to tell you *why* the verification failed. My
> guess is that it's an FAQ: you are missing OpenSSL_add_all_algorithms().
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]