Thanks Steve,
When I saw the error code, it says
7 : certificate signature failure

But how come the *same* certificate is verified without any errors when
I run the command line version?? Is there something extra which I need
to do in my program before verifying ??

-Sid

On Mon, 2005-01-24 at 12:59, Dr. Stephen Henson wrote:
> On Mon, Jan 24, 2005, Siddharth Ramesh wrote:
> 
> > Hi all,
> > I wrote a program to create a self signed CA certificate and using it,
> > created a client certificate. When I used the command 
> > 
> > openssl verify -CAfile ca_cert.pem client_cert.pem 
> > 
> > to verify the client certificate, it verifies properly giving the output
> > 'client_cert.pem : OK'
> > 
> > But when I wrote a program after referring to a book, to do the
> > verification using the function X509_verify_cert() , verification is
> > failing.
> > 
> > The function which does verification is the following : 
> > 
> > int verify_cert(X509 *client_cert, char *ca_file)
> > {
> >     X509 *cert ;
> >     X509_STORE *store ;
> >     X509_LOOKUP *lookup ;
> >     X509_STORE_CTX *verify_ctx ;
> >     
> >     // Create the cert store 
> >     if (!(store = X509_STORE_new ()))
> >             my_error ("Error creating X509_STORE object");
> >     X509_STORE_set_verify_cb_func (store, NULL);
> > 
> > 
> >     // Load the CA file
> >     if(!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())))
> >             my_error ("Error creating X509_LOOKUP object\n" );
> > 
> >     if(X509_LOOKUP_load_file(lookup, ca_file, X509_FILETYPE_PEM) != 1)
> >             my_error("Error reading the CA file\n") ;
> >     
> >     // create a verification context 
> >     if (!(verify_ctx = X509_STORE_CTX_new ()))
> >             my_error ("Error creating X509_STORE_CTX object");
> > 
> >     /* X509_STORE_CTX_init did not return an error condition
> >        in prior versions */
> > #if (OPENSSL_VERSION_NUMBER > 0x00907000L)
> >     if (X509_STORE_CTX_init (verify_ctx, store, client_cert, NULL) != 1)
> >             my_error ("Error initializing verification context");
> > #else
> >     X509_STORE_CTX_init (verify_ctx, store, client_cert, NULL);
> > #endif
> > 
> >     /* verify the certificate */
> >     if (X509_verify_cert (verify_ctx) != 1)
> >             return 0 ; // Failure
> >     else
> >             return 1 ; // Success
> > 
> > }
> > 
> > 
> > Is there anything which I am missing ? I would be really grateful if
> > someone guides me.
> > 
> 
> Well you are missing something to tell you *why* the verification failed. My
> guess is that it's an FAQ: you are missing OpenSSL_add_all_algorithms().
> 
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
