Hi Frank, Now it's properly working! I was not aware I have to call that function to use OpenSSL algorithms. Thank You very much :) Cheers, Nicholas 2016-02-01 13:30 GMT+01:00 Frank Migge <fm at frank4dd.com>: > Hi Nicholas, > > Not calling OpenSSL_add_all_algorithms(); at the beginning could cause > it? > > Cheers, > Frank > > Nicholas Mainardi <mainardinicholas at gmail.com> > Monday, February 01, 2016 8:57 PM > I wrote this small program which takes as input X509 certificates, > base64-encoded, parse them and build a certificate chain, which is > eventually verified by x509_Verify_cert(). The last certificate is added > to the trusted store if it's self-signed, in order to avoid OpenSSL policy > about self.signed certificates, as it's recommended in this post > <https://zakird.com/2013/10/13/certificate-parsing-with-openssl/>. The > code is at this pastebin link <http://pastebin.com/2N2DSxbe>. > > However, when I run this with a correct certificate chain (Facebook one, > already tested with other libraries), I got error 7, certificate signature > validation, at depth 1. The certificate chain is composed by server > certificate, CA certificate and a self-signed root certificate, which is > also in the trusted system store. Hence, it seems that the public key of > the self-signed root certificate is not correctly used to verify the > signature on the CA certificate. Moreover, I compile the same source but > linking boringSSL crypto library instead of OpenSSL one, and everything > works perfectly. Hence, my hyphotesis is that this is an OpenSSL issue > found by Google and fixed in BoringSSL, but it has not been fixed in > OpenSSL yet. So, I would like to know if I'm missing some steps in order to > properly use x509_verify_cert() method, or my hyphotesis about BoringSSL > fixing could be appropriate. > > Thank You, > > Nicholas > _______________________________________________ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > > > -- > Sent with Postbox <http://www.getpostbox.com> > > _______________________________________________ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160201/da31e90b/attachment.html> -------------- next part -------------- A non-text attachment was scrubbed... Name: compose-unknown-contact.jpg Type: image/jpeg Size: 770 bytes Desc: not available URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160201/da31e90b/attachment.jpg>
