Hi, I am trying to verify whether a CA-signed certificate has been revoked. The OpenSSL verify option requires the following parameters:
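- cert: the CA-signed certificate to be verified.
- cafile: path to the CA certificate used to sign the certificate (cert). *How can I find the URI for this CA certificate?*
- crlfile: can be obtained from the CRL Distribution Points field in the certificate (cert). *How can I find the URI for the CA certificate?*
I am trying to do the verification in my code using the following example. I tested the code below by acting as my own CA. But if the certificates are signed by a third-party CA, how do I get the CA certificate used for signing? I want my code to determine the location from which to pick the required CA certificate. Please help:

Code example:

#include <stdio.h>
#include <stdlib.h>

#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>

/*
 * Print a fatal error (file/line plus OpenSSL's error queue) and exit.
 * Never returns; callers rely on that, so it is marked _Noreturn (C11).
 */
_Noreturn void handle_error(const char *file, int lineno, const char *msg)
{
    fprintf(stderr, "** %s:%i %s\n", file, lineno, msg);
    ERR_print_errors_fp(stderr);
    exit(EXIT_FAILURE);
}

/* The original read "__LINE_ _" (a typo or mail-wrap artefact); the macro is __LINE__. */
#define int_error(msg) handle_error(__FILE__, __LINE__, msg)

/* these are definitions to make the example simpler */
#define CA_FILE     "CAfile.pem"   /* PEM bundle of trust anchors (root CA certs)      */
#define CA_DIR      "/etc/ssl"     /* c_rehash-style directory of trusted CA certs   */
#define CRL_FILE    "CRLfile.pem"  /* PEM CRL(s) published by the issuing CA(s)      */
#define CLIENT_CERT "cert.pem"     /* the end-entity certificate under test          */

/*
 * Verification callback: report every failing step of the chain build.
 *
 * It returns `ok` unchanged, so a failure still fails X509_verify_cert().
 * Returning 1 here regardless of `ok` would silently accept untrusted or
 * revoked certificates; do not "fix" warnings that way.
 */
int verify_callback(int ok, X509_STORE_CTX *stor)
{
    if (!ok) {
        /* X509_STORE_CTX is opaque from OpenSSL 1.1.0 on, so use the
         * accessor instead of reading stor->error directly. */
        fprintf(stderr, "Error: %s\n",
                X509_verify_cert_error_string(X509_STORE_CTX_get_error(stor)));
    }
    return ok;
}

/*
 * Verify CLIENT_CERT against the trust anchors in CA_FILE / CA_DIR and the
 * CRLs in CRL_FILE. Exit status is EXIT_SUCCESS only when the chain builds
 * to a configured trust anchor and no certificate in it is revoked.
 */
int main(int argc, char *argv[])
{
    X509 *cert = NULL;
    X509_STORE *store = NULL;
    X509_LOOKUP *lookup = NULL;
    X509_STORE_CTX *verify_ctx = NULL;
    FILE *fp = NULL;
    int rc = EXIT_FAILURE;

    (void)argc;
    (void)argv;

    OpenSSL_add_all_algorithms();
    ERR_load_crypto_strings();
    seed_prng(); /* helper from the original example; its definition is not shown here */

    /* first read the client certificate */
    if (!(fp = fopen(CLIENT_CERT, "r")))
        int_error("Error reading client certificate file");
    if (!(cert = PEM_read_X509(fp, NULL, NULL, NULL)))
        int_error("Error reading client certificate in file");
    fclose(fp);

    /* create the cert store and set the verify callback */
    if (!(store = X509_STORE_new()))
        int_error("Error creating X509_STORE object");
    X509_STORE_set_verify_cb_func(store, verify_callback);

    /*
     * Load the trust anchors (CA certificates).
     *
     * There is no URI to "find" the CA certificate at: a trust anchor must
     * come from a store you already trust out of band -- a CA bundle you
     * ship (CA_FILE), a hashed directory (CA_DIR, c_rehash layout), or the
     * OS trust store via X509_STORE_set_default_paths(). The Authority
     * Information Access (caIssuers) URI inside a certificate can supply a
     * missing *intermediate* certificate, but whatever is fetched from a
     * location named by the certificate under test must never be used as a
     * trust anchor: whoever controls that certificate controls that URI too.
     */
    if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())))
        int_error("Error creating X509_LOOKUP object");
    /* A missing CA file is fatal (the original only printed a warning and
     * went on, which makes every later verification fail with a less
     * specific "unable to get issuer certificate" error). */
    if (X509_LOOKUP_load_file(lookup, CA_FILE, X509_FILETYPE_PEM) != 1)
        int_error("Error reading the CA file");
    if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir())))
        int_error("Error creating X509_LOOKUP object");
    if (X509_LOOKUP_add_dir(lookup, CA_DIR, X509_FILETYPE_PEM) != 1)
        int_error("Error reading the CA directory");

    /* load the CRLs; the certificate's CRL Distribution Points extension
     * names where the issuing CA publishes them */
    if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())))
        int_error("Error creating X509_LOOKUP object");
    if (X509_load_crl_file(lookup, CRL_FILE, X509_FILETYPE_PEM) != 1)
        int_error("Error reading the CRL file");

    /* enabling verification against CRLs is not possible in prior versions */
#if (OPENSSL_VERSION_NUMBER > 0x00907000L)
    /* set the flags of the store so that CRLs are consulted; CRL_CHECK_ALL
     * demands a CRL for every CA in the chain, not only the leaf's issuer,
     * so a chain with an intermediate needs that CA's CRL in CRL_FILE too */
    X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
#endif

    /* create a verification context and initialize it */
    if (!(verify_ctx = X509_STORE_CTX_new()))
        int_error("Error creating X509_STORE_CTX object");
    /* X509_STORE_CTX_init did not return an error condition in prior versions */
#if (OPENSSL_VERSION_NUMBER > 0x00907000L)
    if (X509_STORE_CTX_init(verify_ctx, store, cert, NULL) != 1)
        int_error("Error initializing verification context");
#else
    X509_STORE_CTX_init(verify_ctx, store, cert, NULL);
#endif

    /* verify the certificate; on failure report the final reason, which
     * the callback may already have printed step by step */
    if (X509_verify_cert(verify_ctx) != 1) {
        fprintf(stderr, "Error verifying the certificate: %s\n",
                X509_verify_cert_error_string(X509_STORE_CTX_get_error(verify_ctx)));
    } else {
        printf("Certificate verified correctly!\n");
        rc = EXIT_SUCCESS;
    }

    /* release everything on both paths (the original leaked all three) */
    X509_STORE_CTX_free(verify_ctx);
    X509_STORE_free(store);
    X509_free(cert);
    return rc;
}

Thanks & Regards, Akash Deo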