Hi everybody,
I am trying to verify a small X509 chain: ca.pem (self signed) -> client.pem
On the command line I do: cat ca.pem client.pem >> all.pem and
openssl verify -CAfile ca.pem all.pem (or similar, cannot remember the
exact syntax, but that works like this)
In my little C program, I don't want to do a cat (or store everything in
one file). I open ca.pem and client.pem. In order to verify client.pem,
I think I have to create a STACK_OF(X509) to store both in a chain. The
following code worked for all.pem and without STACK_OF(X509), but using
different files (that means ca.pem AND client.pem) and STACK_OF(X509)
does not work. I also tried to push "cert" and "ca" in the different
order, but that didn't help. Does anybody see the small error I made?
Any hints are appreciated!
Thanks a lot in advance
Carolin
#include <stdio.h>
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>

/* Assumed to be provided elsewhere in the program (not shown in the post):
   SOME_CA names a PEM file of trusted CAs and int_error() only reports a
   message without exiting. Fallbacks are defined here so the unit compiles. */
#ifndef SOME_CA
#define SOME_CA "ca.pem"
#endif
#ifndef int_error
#define int_error(msg) fprintf(stderr, "%s\n", (msg))
#endif

int verify_valid_chain(X509 *cert, X509 *ca)
{
    X509_STORE *store;
    X509_LOOKUP *lookup;
    X509_STORE_CTX *verify_ctx;
    int ret = -1;
    /* Certificates on this stack are only UNTRUSTED chain material: the
       verifier may use them to build the chain, but the chain must still end
       at a certificate held in the store. Push order is irrelevant. */
    STACK_OF(X509) *st = sk_X509_new_null();
    sk_X509_push(st, cert);
    sk_X509_push(st, ca);
    if (!(store = X509_STORE_new()))
        int_error("Error creating X509_STORE object");
    /* The missing step: the self-signed CA was never made trusted. Adding it
       to the store is what "openssl verify -CAfile ca.pem" did on the command
       line; with the CA only on the stack, X509_verify_cert() fails with
       "self signed certificate in certificate chain". */
    if (X509_STORE_add_cert(store, ca) != 1)
        int_error("Error adding the CA to the X509_STORE");
    if (X509_STORE_load_locations(store, SOME_CA, NULL) != 1)
        int_error("Error loading the CA file");
    if (X509_STORE_set_default_paths(store) != 1)
        int_error("Error loading the system-wide CAs");
    /* A file lookup that is never given a file does nothing; kept from the original. */
    if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())))
        int_error("Error creating X509_LOOKUP object");
    if (!(verify_ctx = X509_STORE_CTX_new()))
        int_error("Error creating X509_STORE_CTX object");
    if (X509_STORE_CTX_init(verify_ctx, store, cert, st) != 1)
        int_error("Error initializing verification context");
    if (X509_verify_cert(verify_ctx) != 1) {
        int err = X509_STORE_CTX_get_error(verify_ctx);
        int_error("Error verifying the certificate");
        printf("ERROR: %s\n", X509_verify_cert_error_string(err));
    } else {
        printf("Certificate verified correctly!\n");
        ret = 0;
    }
    /* The original returned without freeing the store and the context. */
    X509_STORE_CTX_free(verify_ctx);
    X509_STORE_free(store);
    sk_X509_free(st);
    return ret;
}
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org