Problems with X509_verify_cert and 0.9.8

Jeff Davey
I'm having a very peculiar problem.

I'm doing the following to verify that this cert is signed by our root
certificate, and that it's a valid cert:


X509_STORE *store = X509_STORE_new();

if (store)
{
    X509_STORE_set_verify_cb_func(store, _glicVerificationCallback);

    // load the CACert
    X509 *caCert = X509_new();
    if (caCert)
    {
        unsigned char *caDERPtr = &subCACert[0]; // subCACert is our public root certificate
        if ( d2i_X509(&caCert, &caDERPtr, CACERTLENGTH) )
        {
            if ( X509_STORE_add_cert(store, caCert) )
            {
                X509_STORE_CTX *verifyCTX = X509_STORE_CTX_new();
                if (verifyCTX && X509_STORE_CTX_init(verifyCTX, store, licenseCert, NULL))  // licenseCert is passed in
                {
                    if (X509_verify_cert(verifyCTX))
                        printf("yay:)\n");
                    else
                        printf("nay:(\n");
                    X509_STORE_CTX_free(verifyCTX);
                }
            }
        }
        X509_free(caCert);
    }

    X509_STORE_free(store);
}


Now what's strange is that this works (I get a yay:)) on two of the three platforms we support, using the same cert, of course.

Specifically, it works on x86-64 and Netware.
Specifically, it DOES NOT work on x86. (I get a nay:()

The error it returns is: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT

This also works fine on ALL THREE platforms (x86-64, Netware, x86) using 0.9.7g.

Any ideas?


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]