I have a certificate in X509 format. this a input parameters in a function. What I would like to do is to verify the validity of the certificate. How can it be done?
X509_verify_cert();
I found this function, but this does not accept a X509* certificate, it accepts X509_store and I only have a X509.
Thanks best regards.
See the documentation here.
You need to create a certificate store using X509_STORE_CTX_new. Then add certificate chain using X509_STORE_CTX_set_chain. Add trusted root certificate using X509_STORE_CTX_trusted_stack. Finally add certificate to be verified using X509_STORE_CTX_set_cert.
After that call X509_verify_cert.
I hope this will help you to start on this.
I am here just to post my answer as I found it with the above comments.
I had no certificate chain, so in the work I'm doing I only have a certificate generated by me programatically. I wanted to check the validity of it, so I created the following function, which checks the certificate against itself in other to verify the validity of it.
void check_certificate_validaty(X509* certificate)
{
int status;
X509_STORE_CTX *ctx;
ctx = X509_STORE_CTX_new();
X509_STORE *store = X509_STORE_new();
X509_STORE_add_cert(store, certificate);
X509_STORE_CTX_init(ctx, store, certificate, NULL);
status = X509_verify_cert(ctx);
if(status == 1)
{
printf("Certificate verified ok\n");
}else
{
printf("%s\n", X509_verify_cert_error_string(ctx->error));
}
}
Hope this helps someone :)
To verify a certificate signature, you need the public key of an issuer certificate. This issuer certificate's signature is verified with another issuing certificate (or trusted root certificate). Thus if a certificate's signature verifies all the way up a chain to a trusted root, then that certificate is considered trusted.
Self-signed certificates' signatures are verified using their own public key, like the example below:
int verify_cert(const char* pem_c_str)
{
BIO *bio_mem = BIO_new(BIO_s_mem());
BIO_puts(bio_mem, pem_c_str);
X509 * x509 = PEM_read_bio_X509(bio_mem, NULL, NULL, NULL);
EVP_PKEY *pkey=X509_get_pubkey(x509);
int r= X509_verify(x509, pkey);
EVP_PKEY_free(pkey);
BIO_free(bio_mem);
X509_free(x509);
return r;
}
from: http://www.zedwood.com/article/openssl-c-verify-self-signed-certificate-signature
来源:https://stackoverflow.com/questions/15836484/how-to-verify-a-x509-certificate-in-c