Usage of STACK_OF(X509)

Mon, 19 May 2008 08:05:18 -0700 

Hi everybody,

I try to verify a small X509 chain: ca.pem (self signed) -> client.pem

On the commandline I do: cat ca.pem client.pem >> all.pem and
openssl verify -CAfile ca.pem all.pem (or similar, cannot remember the exact syntax, but that works like this)
In my little C program, I don't want to do a cat (or store everything in one file). I open ca.pem and client.pem. In order to verify client.pem, I think I have to create a STACK_OF(X509) to store both in a chain. The following code worked for all.pem and without STACK_OF(X509), but using different files (that means ca.pem AND client.pem) and STACK_OF(X509) does not work. I also tried to push "cert" and "ca" in the different order, but that didn't help. Does anybody see the small error I made? 

Any hints are appreciated!

Thanks a lot in advance
Carolin

int verify_valid_chain(X509 *cert,X509 *ca)
{

 X509_STORE *store;
 X509_LOOKUP *lookup;
 X509_STORE_CTX *verify_ctx;

 STACK_OF(X509) *st=sk_X509_new_null();
 sk_X509_push(st,cert);
 sk_X509_push(st,ca);

 if(!(store=X509_STORE_new()))
   int_error("Error creating X509_STORE_CTX object");

 if(X509_STORE_load_locations(store,SOME_CA,NULL)!=1)
   int_error("Error loading the CA file");

 if(X509_STORE_set_default_paths(store)!=1)
   int_error("Error loading the system-wide CAs");

 if(!(lookup=X509_STORE_add_lookup(store,X509_LOOKUP_file())))
   int_error("Error creating X509_LOOKUP object");

 if(!(verify_ctx = X509_STORE_CTX_new()))
   int_error("Error creating X509_STORE_CTX object");

 if(X509_STORE_CTX_init(verify_ctx,store,cert,st)!=1)
   int_error("Error initializing verification context");

 if(X509_verify_cert(verify_ctx) !=1)
   {
     int err;
     int_error("Error verifying the certificate");
     err=X509_STORE_CTX_get_error(verify_ctx);
     printf("ERROR: %s\n",X509_verify_cert_error_string(err));
     sk_X509_free(st);
     return -1;
   }
 else
   {
     printf("Certificate verified correctly!\n");
     sk_X509_free(st);
     return 0;
   }

}
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to