Hi Brian,
We (ValiCert) have a toolkit that does cert validation
with a bunch of different protocols - CRL, OCSP and CRT. The
toolkit is available for free (although not in source code
format). If you are interested, please let me know/send mail
to [EMAIL PROTECTED] (actually, the [EMAIL PROTECTED]
route would be better, since I am going to be out of town).
Regards,
Ambarish
---------------------------------------------------------------------
Ambarish Malpani
Architect 650.567.5457
ValiCert, Inc. [EMAIL PROTECTED]
1215 Terra Bella Ave. http://www.valicert.com
Mountain View, CA 94043-1833
> -----Original Message-----
> From: Brian Wotring [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, December 16, 1999 10:09 AM
> To: [EMAIL PROTECTED]
> Subject: cert verification
>
>
>
> I'm developing a client that talks to a Netscape server using a Thawte
> cert. I have the Thawte root cert, and upon connecting to the server, I
> need to verify the cert. The s_client example seems much too involved.
> Here is what I have so far, any help would be appreciated:
>
> ...
>
> int secure_socket = 0;
> int bytes_read = 0;
> int bytesSent = 0;
> int totalRead = 0;
>
> char *cert = NULL;
> char buffer[MAX_MESSAGE_LENGTH] = "\0";
> char *thawte_cert_file = "thawte.pem"; /* path to the trusted root */
>
> SSL_CTX* ctx = NULL;
> SSL_METHOD *meth = NULL ;
> SSL* ssl = NULL;
> X509* server_cert = NULL;
>
> /* initialize the receive buffer. */
> buffer[0] = '\0';
>
> SSLeay_add_ssl_algorithms();
> meth = SSLv2_client_method();
> ctx = SSL_CTX_new( meth );
>
> secure_socket = connect_to_host_on_port( remote_host, remote_port );
>
> /* don't continue if we can't connect to server. */
>
> if( secure_socket == 0 )
> {
> log_error( "cannot make SSL connection to remote machine: %s:%d, aborting.",
> remote_host, remote_port );
> return -1;
> }
>
> /* ----------------------------------------------- */
> /* Now we have TCP connection. Start SSL negotiation. */
>
> ssl = SSL_new( ctx );
> SSL_set_fd( ssl, secure_socket );
> SSL_connect( ssl );
>
> server_cert = SSL_get_peer_certificate( ssl );
> cert = X509_NAME_oneline( X509_get_subject_name( server_cert ),0,0 );
>
> DEBUG( "\t subject: %s\n", cert );
> Free( cert );
>
> cert = X509_NAME_oneline( X509_get_issuer_name( server_cert ),0,0 );
> DEBUG("\t issuer: %s\n", cert );
> Free( cert );
>
>
> /**********************************************/
> /* CERTIFICATE VERIFICATION. ??? ? ? ? ? ?? */
> /**********************************************/
>
>
> X509_free( server_cert );
>
> /* WRITE REQUEST GOES HERE. */
>
> /* READ RESPONSE GOES HERE. */
>
> /* Clean up. */
>
> SSL_shutdown( ssl );
> close_socket( secure_socket );
> SSL_free( ssl );
> SSL_CTX_free( ctx );
>
> /* END SSL STUFF */
> --
> | Brian Wotring ( [EMAIL PROTECTED] )
> | Fort Nocs, Inc.
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>