On Wed, Nov 30, 2005 at 09:52:57PM -0500, Sean Rhea wrote:
> Okay, but I need to do _some_ verification:
No, not really. Clearly OpenSSL has already verified that the client
has a private key that matches the public key in the certificate, or
else all the certificate checks are pointless. At this point, you can
(ideally) just use/authorize its public key alone and completely ignore
the contents of all the certificates; in a bilateral trust relationship
the certificates add no value.
> - I need to get the public key with which it was signed, presumably
> like this: X509_PUBKEY_get(err_cert->cert_info->key))
> And how do I get SSL_get_peer_certificate() to return non-NULL later
> on? There doesn't seem to be a corresponding set function.
Why should it return NULL? If the client supplied a certificate,
and your verification callback in the server said it was OK (just
say yes), once the session is established check the public key.
The Postfix TLS client, for example, delays peer verification until
after the SSL handshake completes, the verify callback just notes
whether the certificates are valid (in your case they always are,
because you don't care), but the CN and SubjectAltNames (in your
case the public key) are checked later.
Likewise in the Postfix server, the client certificate validity
(again you don't care) is checked early, but the cert fingerprint
(ideally you would directly use the public key) is checked later.
Now as far as the public key, this is more subtle, because x.509 supports
a variety of algorithms, and the underlying type specific data is not
very easy to get at. So, using the certificate fingerprint as a proxy
for the public key is likely simplest in practice.
Does anyone else have robust code for pulling public keys out of
peer x.509 objects?
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
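The flow Viktor describes, written up here as an added example that is not code from the thread or from Postfix: let the handshake's verify step say yes (in Python's ssl module, a client context with verify_mode=ssl.CERT_NONE), then after the handshake fetch the peer's DER certificate and compare it against a pin. Instead of the whole-certificate fingerprint, it walks the DER down to the SubjectPublicKeyInfo and hashes that, which is independent of the key algorithm and survives re-issuing a certificate for the same key; the tiny DER encoder and the skeletal sample certificate are constructed here only so the check can be exercised offline.

```python
import hashlib
import hmac

def tlv(der, pos):
    """Return (tag, value_start, end) for the DER element that starts at pos."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_spki(cert_der):
    """The DER SubjectPublicKeyInfo element of an X.509 certificate, whatever the key algorithm."""
    _, pos, _ = tlv(cert_der, 0)                       # Certificate SEQUENCE
    _, pos, tbs_end = tlv(cert_der, pos)               # tbsCertificate SEQUENCE
    tag, _, nxt = tlv(cert_der, pos)
    if tag == 0xA0:                                    # optional EXPLICIT [0] version (absent in v1)
        pos = nxt
    for _ in range(5):                                 # serial, signature, issuer, validity, subject
        _, _, pos = tlv(cert_der, pos)
    tag, _, end = tlv(cert_der, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("malformed certificate: no SubjectPublicKeyInfo")
    return cert_der[pos:end]

def spki_sha256(cert_der):
    """Pin on the key itself: stable across re-issued certificates for the same key."""
    return hashlib.sha256(extract_spki(cert_der)).hexdigest()

def peer_key_matches(tls_sock, pinned_spki_sha256):
    """Post-handshake check on an ssl.SSLSocket whose context used verify_mode=ssl.CERT_NONE."""
    der = tls_sock.getpeercert(binary_form=True)       # None when the peer sent no certificate
    return der is not None and hmac.compare_digest(spki_sha256(der), pinned_spki_sha256)

def der(tag, payload):
    """Minimal DER TLV encoder, used only to build the constructed sample certificate below."""
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + payload

SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))   # id-ecPublicKey
                  + der(0x03, b"\x00\x04" + b"\xab" * 64))                       # dummy P-256 point

def sample_cert(serial=1, with_version=True):
    """Constructed skeletal cert (empty names, dummy signature) that carries SAMPLE_SPKI."""
    sig_alg = der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))          # ecdsa-with-SHA256
    validity = der(0x30, der(0x17, b"051130000000Z") + der(0x17, b"061130000000Z"))
    version = der(0xA0, der(0x02, b"\x02")) if with_version else b""
    tbs = version + der(0x02, bytes([serial])) + sig_alg + der(0x30, b"") + validity + der(0x30, b"") + SAMPLE_SPKI
    return der(0x30, der(0x30, tbs) + sig_alg + der(0x03, b"\x00" + b"\x11" * 8))
```

Because OpenSSL has already parsed the peer certificate before getpeercert() returns it, a ValueError from extract_spki() means the structure is not a certificate at all, and failing closed there is the right outcome.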