
I have already created my certificates with these instructions: Programmatically Create X509 Certificate using OpenSSL

Now I'm trying to check that what my generator produces is right. For that, I first create a certificate with the OpenSSL command line, and afterwards create my certificate programmatically (based on the link given above) with exactly the same values (start date, end date, serial number, etc.).

Here is the openssl command for creating a self-signed certificate:

openssl req -x509 -days 365 -new -out test.pem -key privateKey.pem -config ./caconfig.cnf

Here is an example of my code:

#include <string.h>
#include <openssl/asn1.h>
#include <openssl/x509.h>

X509* tempX509=X509_new();
X509_set_version(tempX509,0); /* set to X509 version 1 */
ASN1_INTEGER_set(X509_get_serialNumber(tempX509), serialTmp);
//X509_gmtime_adj(X509_get_notBefore(tempX509), 0);
//X509_gmtime_adj(X509_get_notAfter(tempX509), 60*60*24*daysTmp);
/* A 13-character "YYMMDDHHMMSSZ" string is stored as UTCTime, a 15-character
 * "YYYYMMDDHHMMSSZ" string as GeneralizedTime; both calls return 0 on a
 * malformed string, so check them like the other setters. */
if(!ASN1_TIME_set_string( X509_get_notBefore(tempX509), "YYYYMMDDHHMMSSZ"))
  return K_TDF_STATUS_CERT_GEN_ERROR;
if(!ASN1_TIME_set_string( X509_get_notAfter(tempX509), "YYYYMMDDHHMMSSZ"))
  return K_TDF_STATUS_CERT_GEN_ERROR;
if(!X509_set_pubkey(tempX509,pubkeyTemp))
  return K_TDF_STATUS_CERT_GEN_ERROR;

/* Subject name: one attribute per non-empty input string. */
X509_NAME *x509_name = NULL;
x509_name = X509_get_subject_name(tempX509);

if( strlen(countryTmp) )
  if(!(X509_NAME_add_entry_by_txt(x509_name, "C",  MBSTRING_ASC, (TDF_UCHAR*)countryTmp, -1, -1, 0)))
    return K_TDF_STATUS_CERT_ADD_ERROR;

if( strlen(stateTmp) )
  if(!(X509_NAME_add_entry_by_txt(x509_name, "ST",  MBSTRING_ASC, (TDF_UCHAR*)stateTmp, -1, -1, 0)))
    return K_TDF_STATUS_CERT_ADD_ERROR;

if( strlen(localityTmp) )
  if(!(X509_NAME_add_entry_by_txt(x509_name, "L",  MBSTRING_ASC, (TDF_UCHAR*)localityTmp, -1, -1, 0)))
    return K_TDF_STATUS_CERT_ADD_ERROR;

if( strlen(organizationTmp) )
  if(!(X509_NAME_add_entry_by_txt(x509_name, "O",  MBSTRING_ASC, (TDF_UCHAR*)organizationTmp, -1, -1, 0)))
    return K_TDF_STATUS_CERT_ADD_ERROR;

if( strlen(organizationUnitTmp) )
  if(!(X509_NAME_add_entry_by_txt(x509_name, "OU",  MBSTRING_ASC, (TDF_UCHAR*)organizationUnitTmp, -1, -1, 0)))
    return K_TDF_STATUS_CERT_ADD_ERROR;

if( strlen(commonNameTmp) )
  if(!(X509_NAME_add_entry_by_txt(x509_name, "CN", MBSTRING_ASC, (TDF_UCHAR*)commonNameTmp,   -1, -1, 0)))
    return K_TDF_STATUS_CERT_ADD_ERROR;

if( strlen(emailAddressTmp) )
  if(!(X509_NAME_add_entry_by_txt(x509_name, "emailAddress", MBSTRING_ASC, (TDF_UCHAR*)emailAddressTmp,   -1, -1, 0)))
    return K_TDF_STATUS_CERT_ADD_ERROR;

/* Self-signed: the issuer is a copy of the subject name. */
if(!(X509_set_issuer_name(tempX509, x509_name)))
  return K_TDF_STATUS_CERT_GEN_ERROR;

/* Signs the DER encoding of tbsCertificate with the private key and the chosen digest. */
if(!X509_sign( tempX509, privkeyTemp, getDigestType(engine)))
  return K_TDF_STATUS_CERT_GEN_ERROR;

Checking the contents with the command line, I noticed that everything is correct except that the signature is different. I'm quite sure I used the same key!

By which data is the signature influenced? Maybe I'm missing something. Is there another way to verify that my generation code is correct?

  • Can you provide the command which you used for generating X509 Certificate using OpenSSL command line? – Jay Apr 12 '16 at 18:10
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Information Security Stack Exchange](http://security.stackexchange.com/) would be a better place to ask. Also [Where do I post questions about Dev Ops?](http://meta.stackexchange.com/q/134306). – jww Apr 12 '16 at 23:25
  • @Jay I used this command: openssl req -x509 -days 365 -new -out test.pem -key privateKey.pem -config ./caconfig.cnf. I also tried to set up a demo CA signing certificates with the same keys ... also no success. – tobuh Apr 13 '16 at 08:53
  • @jww Sorry for the inconvenience. I thought it was about verifying my code, so I'm talking about my software algorithm, this specific programming problem of verifying my code, and a commonly used tool (openssl). The link given is the basis for this question. – tobuh Apr 13 '16 at 08:58

0 Answers
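The signature in a certificate is computed over the DER encoding of the tbsCertificate structure alone, so with a deterministic scheme such as RSA PKCS#1 v1.5 the same private key yields the same signature exactly when every signed byte is identical; any difference in those bytes, not only in the values but in how they are encoded, changes the signature. Between `openssl req -x509` and a hand-built certificate the usual differences are the version (`req -x509` builds a v3 certificate and adds extensions from its config, where the code above sets v1 and adds none), the string type chosen for name attributes (PrintableString versus UTF8String, governed by `string_mask` in the req config versus the library's default mask for `X509_NAME_add_entry_by_txt`), and the time encoding (a 15-character string given to `ASN1_TIME_set_string` is stored as GeneralizedTime, while `X509_gmtime_adj` stores dates before 2050 as UTCTime). `openssl asn1parse -i -in test.pem` shows this structure for a real file. The added example below, which is not from the question or from OpenSSL, is a standard-library DER walker that splits two certificates into their signed fields and reports the first field whose encoding differs; the certificate bytes it works on are constructed stand-ins with placeholder keys and signatures, built to mirror those three differences, not real certificates. One caveat for the comparison approach as a whole: ECDSA, DSA and RSA-PSS signatures are randomised, so two correct certificates with identical signed bytes still carry different signature values; the check that works for every algorithm is verification, `openssl verify -CAfile test.pem test.pem` on the command line or `X509_verify(cert, pubkey)` returning 1 in the API.

```python
# Added example (not from the question or from OpenSSL): a standard-library DER walker
# that compares the signed part of two X.509 certificates, tbsCertificate, field by field.
# The certificate bytes built at the bottom are constructed stand-ins, not real certificates.
from typing import Dict, List, Optional, Tuple


def read_tlv(data: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Parse one DER element at data[pos:]; return (tag, content, end offset)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(data):
        raise ValueError("DER element runs past the end of the buffer")
    return tag, data[pos:end], end


def children(content: bytes) -> List[Tuple[int, bytes]]:
    """Split a constructed value into (tag, raw encoding) pairs, one per child element."""
    out, pos = [], 0
    while pos < len(content):
        tag, _, end = read_tlv(content, pos)
        out.append((tag, content[pos:end]))
        pos = end
    return out


def split_certificate(cert_der: bytes) -> Tuple[bytes, bytes, bytes]:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, end = read_tlv(cert_der)
    if tag != 0x30 or end != len(cert_der):
        raise ValueError("input is not a single DER SEQUENCE")
    parts = children(body)
    if len(parts) != 3:
        raise ValueError("Certificate must contain exactly three elements")
    return parts[0][1], parts[1][1], parts[2][1]


def tbs_fields(tbs_der: bytes) -> Dict[str, bytes]:
    """Label each tbsCertificate element with its RFC 5280 field name, in order."""
    _, body, _ = read_tlv(tbs_der)
    elems = children(body)
    fields: Dict[str, bytes] = {}
    # version is [0] EXPLICIT with DEFAULT v1, so a v1 certificate omits it entirely.
    fields["version"] = elems.pop(0)[1] if elems and elems[0][0] == 0xA0 else b""
    for name in ("serialNumber", "signature", "issuer", "validity",
                 "subject", "subjectPublicKeyInfo"):
        fields[name] = elems.pop(0)[1]
    optional = {0xA1: "issuerUniqueID", 0xA2: "subjectUniqueID", 0xA3: "extensions"}
    for tag, raw in elems:
        fields[optional.get(tag, "unexpected-tag-%02x" % tag)] = raw
    return fields


def first_difference(cert_a: bytes, cert_b: bytes) -> Optional[str]:
    """Name the first signed field whose DER differs, or None when the signed bytes match."""
    fa = tbs_fields(split_certificate(cert_a)[0])
    fb = tbs_fields(split_certificate(cert_b)[0])
    for name in dict.fromkeys(list(fa) + list(fb)):
        if fa.get(name) != fb.get(name):
            return name
    return None


# --- constructed sample input: placeholder key and signature, not real ones ---------------
def der(tag: int, content: bytes) -> bytes:
    """Encode one DER element, using the long length form above 127 bytes."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


SHA256_RSA = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
RSA_ENC = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
FAKE_SPKI = der(0x30, RSA_ENC + der(0x03, b"\x00" * 17))          # placeholder, not a real key
FAKE_SIG = der(0x03, b"\x00" + b"\x11" * 32)                        # placeholder signature
# basicConstraints CA:TRUE (critical): the kind of extension `req -x509` adds from its config.
BASIC_CA = der(0x30, der(0x30, der(0x06, bytes.fromhex("551d13")) + der(0x01, b"\xff")
                         + der(0x04, der(0x30, der(0x01, b"\xff")))))


def cn_name(cn: bytes, string_tag: int) -> bytes:
    """Name with a single CN; string_tag 0x0C = UTF8String, 0x13 = PrintableString."""
    attr = der(0x30, der(0x06, bytes.fromhex("550403")) + der(string_tag, cn))
    return der(0x30, der(0x31, attr))


def make_cert(v3: bool, string_tag: int, time_tag: int, extensions: bytes) -> bytes:
    """Build a certificate-shaped DER blob; time_tag 0x17 = UTCTime, 0x18 = GeneralizedTime."""
    if time_tag == 0x17:
        nb, na = b"160412000000Z", b"170412000000Z"
    else:
        nb, na = b"20160412000000Z", b"20170412000000Z"
    tbs = der(0xA0, der(0x02, b"\x02")) if v3 else b""
    tbs += der(0x02, b"\x01") + SHA256_RSA + cn_name(b"test", string_tag)
    tbs += der(0x30, der(time_tag, nb) + der(time_tag, na))
    tbs += cn_name(b"test", string_tag) + FAKE_SPKI
    if extensions:
        tbs += der(0xA3, extensions)
    return der(0x30, der(0x30, tbs) + SHA256_RSA + FAKE_SIG)


# What `openssl req -x509` typically produces (v3, UTF8String names, UTCTime, extensions)
# next to three hand-built variants that each differ in one signed field.
CLI_LIKE = make_cert(True, 0x0C, 0x17, BASIC_CA)
V1_NO_EXT = make_cert(False, 0x0C, 0x17, b"")
GENERALIZED_TIME = make_cert(True, 0x0C, 0x18, BASIC_CA)
PRINTABLE_NAME = make_cert(True, 0x13, 0x17, BASIC_CA)

if __name__ == "__main__":
    for label, other in (("v1, no extensions", V1_NO_EXT), ("GeneralizedTime", GENERALIZED_TIME),
                         ("PrintableString CN", PRINTABLE_NAME)):
        print("%-20s first differing signed field: %s" % (label, first_difference(CLI_LIKE, other)))
```

To use it on real files, convert both certificates to DER first (`openssl x509 -in test.pem -outform DER -out test.der`) and pass the file contents to `first_difference`; a result of `None` with different signature values points at a randomised signature algorithm rather than at the generation code, which is the case where only verification, not byte comparison, gives an answer.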