I am trying to understand the concept of a CA store and to test it with my own certificate chain, without any system-wide effect.
I have a ca_store directory under my home directory containing one root CA and one intermediate CA.
$ ls /home/my/ca_store
root_ca.crt intermediate_ca.crt
I also have a server certificate. Verification succeeds with the openssl command line tool. I just want to do the same from C code, preferably using the concept of a CA store.
The following code does not verify server.crt correctly; is it possible to make it work?
#include <stdio.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/ssl.h>

int main(void)
{
    SSL_library_init();
    OpenSSL_add_all_algorithms();
    SSL_CTX* ctx = SSL_CTX_new(TLS_server_method());
    /* CAfile = NULL, CApath = the directory holding the CA certificates */
    if (SSL_CTX_load_verify_locations(ctx, NULL, "/home/my/ca_store") != 1)
        ERR_print_errors_fp(stdout);
    BIO* bio = BIO_new_file("server.crt", "rb");
    X509* cert = X509_new();
    if (bio == NULL || PEM_read_bio_X509(bio, &cert, NULL, NULL) == NULL)
    {
        ERR_print_errors_fp(stdout);
        return 1;
    }
    /* verify cert against the trust store attached to ctx; no untrusted chain is supplied */
    X509_STORE_CTX* store_ctx = X509_STORE_CTX_new();
    X509_STORE_CTX_init(store_ctx, SSL_CTX_get_cert_store(ctx), cert, NULL);
    int ret = X509_verify_cert(store_ctx);
    if (ret != 1)
    {
        int error = X509_STORE_CTX_get_error(store_ctx);
        const char *error_str = X509_verify_cert_error_string(error);
        printf("Certificate verification failed. Error code: %d, Error message: %s\n", error, error_str);
        ERR_print_errors_fp(stdout);
    }
    else
    {
        printf("Certificate verification successful\n");
    }
    X509_STORE_CTX_free(store_ctx);
    X509_free(cert);
    BIO_free(bio);
    SSL_CTX_free(ctx);
    return ret == 1 ? 0 : 1;
}
Below is the output.
Certificate verification failed. Error code: 20, Error message: unable to get local issuer certificate
Your file names are wrong. Per OpenSSL's documentation for SSL_CTX_load_verify_locations() (bolding mine):
It'd be easier to combine the files into one and use the CAfile argument:
then
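As an added example (not part of the answer above, and not the asker's code), the following shell script reproduces the failure end to end and then applies both fixes: renaming the CApath files to their subject-name hash, as c_rehash / openssl rehash would, and concatenating the CAs into one bundle passed as CAfile. It assumes an openssl command line tool of version 1.1.1 or later on PATH (for -no-CAfile, -no-CApath and -pkeyopt) and builds a throwaway root, intermediate and server certificate in a temporary directory, so it runs offline; the names Demo Root CA, Demo Intermediate CA and server.example.test are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Builds a throwaway
# root -> intermediate -> server chain, then shows why a CApath holding files
# named root_ca.crt / intermediate_ca.crt fails with error 20, and how the two
# fixes (hashed file names, or one CAfile bundle) make verification pass.
# Assumes openssl 1.1.1+ on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-contained config so the demo does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden by -subj
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
EOF

KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# Root CA (self-signed), intermediate CA (signed by root), server cert (signed by intermediate).
openssl req -x509 $KEYOPTS -keyout root.key -out root_ca.crt -days 1 \
    -subj "/CN=Demo Root CA" -config ca.cnf -extensions ca_ext 2>/dev/null
openssl req -new $KEYOPTS -keyout int.key -out int.csr \
    -subj "/CN=Demo Intermediate CA" -config ca.cnf 2>/dev/null
openssl x509 -req -in int.csr -CA root_ca.crt -CAkey root.key -CAcreateserial \
    -out intermediate_ca.crt -days 1 -extfile ca.cnf -extensions ca_ext 2>/dev/null
openssl req -new $KEYOPTS -keyout server.key -out server.csr \
    -subj "/CN=server.example.test" -config ca.cnf 2>/dev/null
openssl x509 -req -in server.csr -CA intermediate_ca.crt -CAkey int.key -CAcreateserial \
    -out server.crt -days 1 -extfile ca.cnf -extensions leaf_ext 2>/dev/null

# Same layout as the question: descriptive file names inside the CApath directory.
mkdir ca_store
cp root_ca.crt intermediate_ca.crt ca_store/

# Prints "ok", or the reason OpenSSL reports for the failure; never aborts the script.
verify_capath() {
    out=$(openssl verify -no-CAfile -CApath ca_store server.crt 2>&1) && { echo ok; return 0; }
    reason=$(printf '%s\n' "$out" | sed -n 's/.*depth lookup: //p' | head -n 1)
    echo "${reason:-fail}"
}

# Prints "ok" or "fail" for verification against a single CAfile bundle.
verify_cafile() {
    if openssl verify -no-CApath -CAfile "$1" server.crt >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Fix 1: what c_rehash / "openssl rehash" does. A CApath lookup for an issuer opens
# <subject-name-hash>.<n>, so every CA file needs that name (a symlink is enough).
# n starts at 0 and only increases when two different CAs share the same hash.
rehash_store() {
    for f in ca_store/*.crt; do
        hash=$(openssl x509 -in "$f" -noout -subject_hash)
        ln -s "$(basename "$f")" "ca_store/$hash.0"
    done
}

BEFORE_REHASH=$(verify_capath)     # unable to get local issuer certificate
rehash_store
AFTER_REHASH=$(verify_capath)      # ok

# Fix 2: one PEM bundle handed to CAfile; no hashing needed. In C this is the CAfile
# argument of SSL_CTX_load_verify_locations(ctx, "ca_bundle.pem", NULL).
cat root_ca.crt intermediate_ca.crt > ca_bundle.pem
WITH_CAFILE=$(verify_cafile ca_bundle.pem)   # ok

printf 'CApath, unhashed names: %s\nCApath, hashed names:   %s\nCAfile bundle:          %s\n' \
    "$BEFORE_REHASH" "$AFTER_REHASH" "$WITH_CAFILE"
```

The same two remedies apply to the C code in the question: either run the store directory through c_rehash or openssl rehash before calling SSL_CTX_load_verify_locations(ctx, NULL, "/home/my/ca_store"), or pass the concatenated bundle as the CAfile argument. Note that the bundle must contain the intermediate as well as the root, since X509_verify_cert is given no untrusted chain to fill the gap.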