Till Elsner wrote:
> I tried to track down the problem, but it still seems that, when it
> comes to certificate verification, what works on a standard Linux
> desktop PC fails on the OpenWRT. I wrote a short program that validates
> certificates, which I'll append to this mail. If someone has a
> MIPSEL platform available, please verify my results, since I really need
> to know if this error is caused by a programming mistake on my side,
> by some bug in OpenSSL or simply by a lack of understanding. I used
> the OpenWRT SDK for cross compilation (the whiterussian one, because
> the Kamikaze version doesn't include OpenSSL). The problem still
> existing is that it seems to work on both platforms, but on the MIPSEL
> it's not validating a (valid) certificate, while it does on Linux.

Your example program is still missing the verify_callback(). The
verify_callback() is called for each certificate in the chain that is
checked: once with "success" if no problem was encountered, and, if
problems with the validation are encountered, it is called so that the
respective error can be treated (maybe just printed). Without the
verify_callback you will never find out why the verification fails.
Having said this, there is another thread being discussed about OpenWRT
that indicates that at least non-standard configurations are used in
the compilation of the toolkit (-no-err in the case mentioned, to save
the memory for the error strings). I am working in an embedded
environment myself and we once had a problem when we disabled an
algorithm (to save memory) at build time that later on was needed for
certificate verification because some certificates were signed with it.

Best regards,
    Lutz
>
> Thanks in advance
> Till
>
> --- BEGIN CERTTEST.C ---
>
> /*
>  * verifies a certificate (PEM format) using a CA's certificate
>  *
>  * compile: gcc certtest.c -o certtest -lssl -lcrypto
>  *
>  * place the resulting executable into the same directory as the
>  * certificate files:
>  *    - certificate: client.pem
>  *    - CA file: cacert.pem
>  *
>  */
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <errno.h>
> #include <openssl/ssl.h>
> #include <openssl/x509.h>
> #include <openssl/x509_vfy.h>
> #include <openssl/pem.h>
> #include <openssl/err.h>
>
> char *cert_file, *ca_file;
> FILE *cert_fp;
> X509 *x509;
> X509_STORE_CTX *x509_ctx;
> X509_STORE *x509_store;
> X509_LOOKUP *x509_lookup;
> X509_NAME *x509_name;
>
> int main(void) {
>     cert_file = "client.pem";
>     ca_file = "cacert.pem";
>     
>     SSL_library_init();
>     ERR_load_crypto_strings();
>
>     // open certificate file
>     if (!(cert_fp = fopen(cert_file, "r"))) {
>         printf("ERR: Error opening certificate file: %s. Exiting.\n",
>                strerror(errno));
>         exit(2);
>     } else{
>         printf("Certificate file opened.\n");
>     }
>     // read certificate
>     if (!(x509 = PEM_read_X509(cert_fp, NULL, NULL, NULL))) {
>         printf("ERR: Error reading certificate from file: %s\n",
>                ERR_error_string(ERR_get_error(), NULL));
>         exit(2);
>     } else {
>         printf("Certificate read.\n");
>     }
>     fclose(cert_fp);
>
>     // create the cerificate storing object
>     if (!(x509_store = X509_STORE_new())) {
>         printf("ERR: Error creating X509_STORE object: %s. Exiting.\n",
>                ERR_error_string(ERR_get_error(), NULL));
>         exit(2);
>     } else {
>         printf("Certificate storing object created.\n");
>     }
>     // add CA attributes to X509_STORE object
>     if (X509_STORE_load_locations(x509_store, ca_file, NULL) != 1) {
>         printf("ERR: Error loading CA file: %s. Exiting.\n",
>                ERR_error_string(ERR_get_error(), NULL));
>         exit(2);
>     } else {
>         printf("CA certificate added to storing object.\n");
>     }
>     // X509_STORE_load_locations() above already installed a file lookup
>     // and loaded the CA file; this call only returns that existing lookup
>     if (!(x509_lookup = X509_STORE_add_lookup(x509_store, X509_LOOKUP_file()))) {
>         printf("ERR: Error creating X509 lookup object: %s. Exiting.\n",
>                ERR_error_string(ERR_get_error(), NULL));
>         exit(2);
>     } else {
>         printf("X509 lookup object created.\n");
>     }
>     // create and initialize X509 verification context
>     if (!(x509_ctx = X509_STORE_CTX_new())) {
>         printf("ERR: Error creating X509 verification context: %s. Exiting.\n",
>                ERR_error_string(ERR_get_error(), NULL));
>         exit(2);
>     } else {
>         printf("X509 verification context object created.\n");
>     }
>     if (X509_STORE_CTX_init(x509_ctx, x509_store, x509, NULL) != 1) {
>         printf("ERR: Error initializing X509 verification context: %s. Exiting.\n",
>                ERR_error_string(ERR_get_error(), NULL));
>         exit(2);
>     } else {
>         printf("X509 verification context object initialized.\n");
>     }
>
>     // verify certificate; on failure report which check failed and at
>     // which depth of the chain (0 = the certificate itself)
>     if (X509_verify_cert(x509_ctx) != 1) {
>         int err = X509_STORE_CTX_get_error(x509_ctx);
>         printf("Error: Certificate invalid: %s (error %d at depth %d)\n",
>                X509_verify_cert_error_string(err), err,
>                X509_STORE_CTX_get_error_depth(x509_ctx));
>         exit(1);
>     } else {
>         printf("Certificate checked and validated!\n");
>         exit(0);
>     }
> }
>
> --- END CERTTEST.C ---
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]
