Re: Checking certificate chain
Plot Lost writes:

[...]

> For this particular project I'm required to check each step
> individually, not the entire chain at once.

That's what verifying the chain does (see the implementation of X509_verify_cert()). You could add a callback using X509_STORE_CTX_set_verify_cb(). That doesn't seem to have a separate manpage, but reading the manpage for SSL_CTX_set_verify() should explain it. (SSL_CTX_set_verify() just sets the callback in X509_STORE_CTX.)

> How can I get verify_cert to say that the server cert is ok according
> to the inter cert, regardless of any other cert that may be needed to
> complete the chain. (The code will then go on to check inter against
> root, or against another inter etc as needed assuming each step is
> completed ok)

Presuming using X509_verify_cert() and a callback really isn't suitable, you can use X509_check_issued() to see if one certificate issued another and check the signature by getting the public key (X509_get_pubkey()) and verifying using X509_verify(). Or something like that; really it seems safer to me to use X509_verify_cert(). There are checks that have to be performed in context which X509_verify_cert() does (path constraints, policy constraints, etc.), and it seems easy to skip a few if you're not careful. (See section 6 of RFC 5280.)

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: Checking certificate chain
Hi,

Thus wrote Plot Lost (plot.l...@gmail.com):

> > Stick them in an X509_STORE_CTX and call X509_verify_cert(). See
> > apps/verify.c for an example.
>
> I'm using verify_cert, and whilst that works to allow me to check that
> inter_cert is ok according to root_cert (result = 1) I can't check
> that server_cert is ok according to inter_cert (that gets result = 0,
> error 'unable to get issuer certificate')
>
> For this particular project I'm required to check each step
> individually, not the entire chain at once.
>
> How can I get verify_cert to say that the server cert is ok according
> to the inter cert, regardless of any other cert that may be needed to
> complete the chain. (The code will then go on to check inter against
> root, or against another inter etc as needed assuming each step is
> completed ok)

You could define a callback function for the verification by using

    X509_STORE_set_verify_cb_func(store, myCallback);

myCallback has the following parameters:

    int myCallback(int ok, X509_STORE_CTX *ctx)

When you call X509_verify_cert(), OpenSSL will call your callback function after each verification step. Inside the callback function, you can call X509_STORE_CTX_get_current_cert(ctx) to get the certificate that's currently being verified; the ok parameter will give you OpenSSL's verification status.

Maybe this helps,
Martin
Re: Checking certificate chain
>> Hi, I'm trying to figure out how to check a certificate is valid
>> according to a chain of certificates.
>>
>> There are 3 certs in all, and they are all held as X509 data in memory, e.g.
>>
>> X509 *server_cert;
>> X509 *inter_cert;
>> X509 *root_cert;
>>
>> How can I check that 'server_cert' is authenticated by 'inter_cert',
>> and that in turn is authenticated by 'root_cert' ?
>
> Stick them in an X509_STORE_CTX and call X509_verify_cert(). See
> apps/verify.c for an example.
>

I'm using verify_cert, and whilst that works to allow me to check that inter_cert is ok according to root_cert (result = 1) I can't check that server_cert is ok according to inter_cert (that gets result = 0, error 'unable to get issuer certificate').

For this particular project I'm required to check each step individually, not the entire chain at once.

How can I get verify_cert to say that the server cert is ok according to the inter cert, regardless of any other cert that may be needed to complete the chain. (The code will then go on to check inter against root, or against another inter etc as needed assuming each step is completed ok)
Re: Checking certificate chain
Plot Lost writes:

> Hi, I'm trying to figure out how to check a certificate is valid
> according to a chain of certificates.
>
> There are 3 certs in all, and they are all held as X509 data in memory, e.g.
>
> X509 *server_cert;
> X509 *inter_cert;
> X509 *root_cert;
>
> How can I check that 'server_cert' is authenticated by 'inter_cert',
> and that in turn is authenticated by 'root_cert' ?

Stick them in an X509_STORE_CTX and call X509_verify_cert(). See apps/verify.c for an example.

[...]
Checking certificate chain
Hi, I'm trying to figure out how to check a certificate is valid according to a chain of certificates.

There are 3 certs in all, and they are all held as X509 data in memory, e.g.

    X509 *server_cert;
    X509 *inter_cert;
    X509 *root_cert;

How can I check that 'server_cert' is authenticated by 'inter_cert', and that in turn is authenticated by 'root_cert' ?

Also, can this be extended to more than one inter_cert if needed?

This is not running as a client/server, so no SSL or CTX structures allocated, just the X509 data.

Thanks for any help on this.