I have just started working with X.509 certificates. Can anyone tell me how to go about validating a certificate on Linux? The use case is that my app downloaded a certificate in the last session and I have to check whether it is still valid before starting a new session (i.e., that it has not expired or been revoked). I think a complete sample will not be possible here, but any pointer will be useful.
EDIT: Further investigation turned up another toolkit named Network Security Services (NSS). How does it compare to OpenSSL in terms of applicability? Also, I'm looking for a programmatic solution because I will not be able to launch command-line utilities.
As mentioned by others, you can use openssl verify. According to this, it also checks the validity period.
Programmatically, it can mean hours of searching for bad (or missing) documentation, reading code examples on the web, and maybe a headache.
To properly validate a certificate, you must supply all the intermediate certificates. Normally you also supply the certificate revocation list (CRL), but it is not required.
So, what you need to do in terms of code (OpenSSL):
1. X509_STORE_new - create a certificate store;
2. X509_STORE_CTX_new - create a store context;
3. X509_STORE_add_cert - add the CA (and all intermediate) certificates to your trusted certificate store (note: there is no function to load a whole list);
4. X509_STORE_add_crl - add a revoked certificate list (CRL) to your certificate store (note: as above);
5. X509_STORE_CTX_init - initialize your store context, passing it your certificate store;
6. X509_STORE_CTX_set_purpose - define the purpose if you need it;
7. X509_STORE_CTX_set_cert - tell the context which certificate you are going to verify;
8. X509_verify_cert - finally, validate it;
9. X509_STORE_CTX_cleanup - if you want to reuse the context to validate another certificate, you can clean it up and go back to (5);
10. Last but not least, free (1) and (2).
Alternatively, a quick verification can be done with X509_verify. However, keep in mind that it only checks the signature.
When I needed this, it took me a day of searching, reading and testing. Then I realized that everything I wanted was right there in the OpenSSL source code. Therefore, if you need an example, go straight to openssl-xxx/apps/verify.c. Important: to understand why MD5 should never be used, read.