I'm using PEM_write_X509(), avoiding the BIO; is there any difference?
Anyway, this function does not give errors.

Calling ERR_error_string() on the failed verify, the error returned is:
error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
Searching Google for this error is not so helpful; it says only that
something in the certificate or in the public key is wrong.

Probably the i2d/d2i functions add something undesired to my X509
structure.

Thanks again for your help.

Best Regards

Andrea Saracino

2011/7/28 Erwin Himawan <ehima...@gmail.com>

> By the way, sorry for the font size; it does not mean anything, it just
> got mixed up during cut and paste.
>
> The function to dump an x509 into a certificate is PEM_write_bio_X509() and
> the function to dump an x509 der file is BIO_write().  Here is the doc on
> BIO_write http://www.manpagez.com/man/3/BIO_write/osx-10.3.php
>
> erwin
>
> On Wed, Jul 27, 2011 at 8:20 PM, Erwin Himawan <ehima...@gmail.com> wrote:
>
>> I would not use X509_print_fp(), since it does not give you the PEM
>> or DER file.
>> Use instead PEM_write_bio or write_bio() for PEM and DER respectively.
>> Also check the error status of these two BIO write functions.
>>
>> hopefully it helps
>>
>> From: Andrea Saracino <saracino.and...@gmail.com>
>> Sent: Wednesday, July 27, 2011 6:05 PM
>> To: openssl-users@openssl.org
>> Subject: Re: X509 verify
>>
>> Hi Erwin, thanks for your fast answer.
>> I dumped both the certificates in 2 PEM files, then I used the
>> X509_print_fp() to obtain the readable version of both of them. The two
>> resulting files are identical. Perhaps there is something wrong in the
>> invocation of the i2d/d2i functions. I'm posting an extract of the code:
>>
>> //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
>> struct T_G_4{
>>
>> unsigned char nonce[NONCE_SIZE];
>> int cert_size;
>> unsigned char certificate[MAX_MSG_SIZE-NONCE_SIZE-sizeof(int)];
>> };
>>
>> /*...*/
>> T_G_4 * TG4=new T_G_4;
>> /*...*/
>> peer_certificate=/* initialization function */ //this is a private member
>> //of a class and the two functions are members of the same class
>> EVP_PKEY * pubkey=EVP_PKEY_new();
>> EVP_PKEY_set1_RSA(pubkey, rsa_ca_pub_key);
>>
>> X509_verify(peer_certificate,pubkey); //this verification returns 1
>>
>> unsigned char * serialized_certificate=NULL; //following the example of
>> //the openssl d2i_X509 page: with a NULL pointer i2d_X509 allocates the
>> //buffer itself, so there is no output pointer to advance by hand
>> TG4->cert_size=i2d_X509(peer_certificate,&serialized_certificate);
>> //serialization; the buffer must be released with OPENSSL_free() afterwards
>> if(TG4->cert_size<=0 || TG4->cert_size>(int)sizeof(TG4->certificate)){
>>     //encoding failed or the DER does not fit the fixed buffer: handle error
>> }
>> memcpy(TG4->certificate,serialized_certificate,TG4->cert_size);
>> OPENSSL_free(serialized_certificate);
>> //initialize the remaining fields and return TG4
>> //passing the structure to another function
>> //other function:
>> /*...*/
>> unsigned char * serialized_certificate=new unsigned char [TG4->cert_size];
>> memcpy(serialized_certificate,TG4->certificate,TG4->cert_size);
>> const unsigned char * p=serialized_certificate; //d2i_X509 advances the
>> //pointer it is given, so pass a copy and keep the original for delete[]
>> peer_certificate = d2i_X509(NULL,&p,TG4->cert_size); //deserialization
>> delete[] serialized_certificate;
>> X509_verify(peer_certificate,pubkey); //now it returns 0... :(
>>
>> /*...*/
>>
>> Is there something wrong in this code?
>> Thanks in advance.
>>
>> Best Regards
>>
>> Andrea Saracino
>>
>> 2011/7/27 Erwin Himawan <ehima...@gmail.com>
>>
>>> The way I would verify this is by writing the original X509 object into a
>>> PEM file, dumping the X509 object that results from d2i_X509() into another
>>> PEM file, and comparing both files using openssl, either the asn1parse
>>> or the x509 command.
>>>
>>>
>>> On Wed, Jul 27, 2011 at 9:46 AM, Andrea Saracino <
>>> saracino.and...@gmail.com> wrote:
>>>
>>>> Hello everyone,
>>>> I've found some issues using the function X509_verify() on a simple X509
>>>> certificate. After the creation, if I call:
>>>>
>>>> X509_verify(certificate,ca_key);
>>>>
>>>> the function returns 1, but if I call the i2d_X509() function on the
>>>> certificate and then the d2i_X509() on the obtained byte string, the
>>>> X509_verify() on the resultant certificate returns 0.
>>>>
>>>> I printed the certificate, in a readable format, before and after the
>>>> i2d() and d2i() execution and the result is exactly the same. The various
>>>> fields (issuer, subject...) have the correct values. Any ideas?
>>>>
>>>> Best Regards
>>>>
>>>> Andrea Saracino
>>>>
