Hi all, while verifying the certificate I am getting

EVP_F_EVP_PKEY_GET1_DH

My aim: verify the certificate signature. I have 2 certificates: 1. a CA certificate, 2. a certificate issued by the CA. I extracted the RSA public key modulus from the CA certificate using,

pPublicKey = X509_get_pubkey(x509);          /* EVP_PKEY holding the CA's RSA public key */
rsa = EVP_PKEY_get1_RSA(pPublicKey);         /* OpenSSL 1.0.x: direct struct access below */
bn = rsa->n;                                 /* the RSA modulus n */
buf_len = (size_t) BN_num_bytes (bn);
key = (unsigned char *)malloc (buf_len);
n = BN_bn2bin (bn, (unsigned char *) key);   /* big-endian bytes of the modulus */
if (n != buf_len)
    LOG(ERROR," : key error\n");
if (key[0] & 0x80)                           /* top bit set: a DER INTEGER would need a leading 0x00 */
    LOG(DEBUG, "00\n");

Now I have the CA public key and its length, and also the certificate issued by the CA in a buffer, its buffer length and its public key. To verify the signature, I have the following code

int iRet1, iRet2, iRet3, iReason;
EVP_MD_CTX md_ctx;
EVP_MD_CTX_init(&md_ctx);

/* buf/buflen: the DER certificate issued by the CA; CAkey/CAkeyLen: the modulus bytes extracted above */
iRet1 = EVP_VerifyInit(&md_ctx, EVP_sha1());
iRet2 = EVP_VerifyUpdate(&md_ctx, buf, buflen);
iRet3 = EVP_VerifyFinal(&md_ctx, (const unsigned char *)CAkey, CAkeyLen, pubkey);
iReason = ERR_get_error();
/* note: EVP_F_* constants are function codes (ERR_GET_FUNC), not reason codes */
if(ERR_GET_REASON(iReason) == EVP_F_EVP_PKEY_GET1_DH)
{
    LOG(ERROR, "EVP_F_EVP_PKEY_GET1_DH\n");
}
LOG(INFO,"EVP_VerifyInit returned %d : EVP_VerifyUpdate returned %d : EVP_VerifyFinal = %d \n", iRet1, iRet2, iRet3);

EVP_MD_CTX_cleanup(&md_ctx);
EVP_PKEY_free(pubkey);
if (iRet3 != 1)
{
    LOG(ERROR,"EVP_VerifyFinal() failed\n");
    ret = -1;
}
else
{
    LOG(INFO,"signature is valid\n");
}

I am unable to figure out what might have gone wrong. Has anybody faced the same issue? What does the EVP_F_EVP_PKEY_GET1_DH error mean?

Thanks in Advance - opensid

A: 

X509 certificates aren't signed using the same method as OpenSSL's envelope encryption functions, so EVP_* is the wrong tool for the job.

The right function is just X509_verify(x509, X509_get_pubkey(x509)) (for a self-signed certificate).

caf
sid
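As an added example (not code from the question or the answer), the script below does with the openssl command line what the answer recommends doing with X509_verify: it builds a constructed CA, issues a leaf certificate from it, and checks the leaf's signature with the issuer's public key via `openssl verify`, which runs the same X509_verify check internally. It also prints the CA modulus the question extracted by hand, to make the point that the modulus is part of the public key, not the signature that EVP_VerifyFinal expects. All names, subjects and the config file are constructed; a second CA is generated to show the check failing when the wrong issuer key is used.

```shell
#!/bin/sh
# Added example: certificate signature verification with the openssl CLI.
# Every file name and subject below is constructed for the demo.
set -eu

# Write a minimal req config so the CA gets CA:TRUE regardless of the
# system openssl.cnf (hypothetical config, constructed for this example).
write_ca_config() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no

[dn]
CN = Constructed Demo CA

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_ca DIR NAME: self-signed RSA CA -> DIR/NAME.key and DIR/NAME.pem
make_ca() {
    write_ca_config "$1"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config "$1/ca.cnf" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# issue_leaf DIR CA LEAF: make a CSR for LEAF and sign it with CA's private key
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=$3.example" -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -set_serial 1 -days 1 -out "$1/$3.pem" >/dev/null 2>&1
}

# verify_leaf DIR CA LEAF: prints OK when LEAF's signature verifies under
# CA's public key and the chain builds, FAIL otherwise (exit status of
# `openssl verify`, which calls X509_verify_cert -> X509_verify internally).
verify_leaf() {
    if openssl verify -CAfile "$1/$2.pem" "$1/$3.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# ca_modulus DIR CA: the RSA modulus n of the CA key as hex. This is what the
# question extracted with BN_bn2bin; it is public-key material, not a signature.
ca_modulus() {
    openssl x509 -noout -modulus -in "$1/$2.pem" | sed 's/^Modulus=//'
}

# Stand-alone demo: right issuer verifies, a different CA does not.
WORK=$(mktemp -d)
make_ca "$WORK" ca
issue_leaf "$WORK" ca leaf
make_ca "$WORK" other
printf 'leaf against issuing CA : %s\n' "$(verify_leaf "$WORK" ca leaf)"
printf 'leaf against other CA   : %s\n' "$(verify_leaf "$WORK" other leaf)"
printf 'CA modulus (hex, %d chars): %.32s...\n' \
    "$(ca_modulus "$WORK" ca | tr -d '\n' | wc -c)" "$(ca_modulus "$WORK" ca)"
rm -rf "$WORK"
```

The first `verify_leaf` call succeeds because the leaf's signature was produced with the private key matching the CA certificate's public key; the second fails because no certificate in the supplied trust store can validate the signature. Passing the modulus bytes as the "signature" argument, as the question's EVP_VerifyFinal call does, can never succeed, since the signature lives in the leaf certificate's signatureValue field and the verifying key is the issuer's, which X509_verify handles for you.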