Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
401 views
in Technique[技术] by (71.8m points)

c - validating X.509 certificate on linux

I have just started working with X.509 certificates. Can any one tell me how to go about validating a certificate on linux? The use case is that my app had downloaded a certificate in a previous session and I have to check if it is still valid (i.e., not expired or revoked since it was stored) before starting a new session. I understand a full sample will not be possible here, but any pointers will be useful.

EDIT: Further investigation revealed another utility called Network Security Services (NSS). How does that compare to OpenSSL in terms of usability? Also, I am looking for programmatic solutions as I will not be able to launch command line utilities.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

As others mentioned, you can use openssl verify. According to the documentation, it also checks the validity period.

Programmatically, it could mean hours of searching for kinda bad (or missing) documentation, reading code examples all over the web, and probably a headache.

To properly validate a certificate, you need to inform all the intermediate certificates. Normally you'd also inform the revocation list (CRL), but it's not required.

So, here's what you need to do in terms of code (OpenSSL):

  1. X509_STORE_new - Create a certificate store;
  2. X509_STORE_CTX_new - Create a store context;
  3. X509_STORE_add_cert - Add the CA (and all intermediary) certificate(s) to the trusted list of your certificate store (note: there's a function to lookup/load a list);
  4. X509_STORE_add_crl - Add the revoked certificates to the CRL of your certificate store (note: same as above);
  5. X509_STORE_CTX_init - Initialize your store context informing your certificate store;
  6. X509_STORE_CTX_set_purpose - Define the purpose if you need so;
  7. X509_STORE_CTX_set_cert- Tell the context which certificate you're going to validate;
  8. X509_verify_cert - Finally, validate it;
  9. X509_STORE_CTX_cleanup - If you want to reuse the context to validate another certificate, you clean it up and jump back to (5);
  10. Last but not least, deallocate (1) and (2);

Alternatively, a quick validation can be done with X509_verify. However, be aware that it compares signatures solely.

When I needed it, took me a day of searching, reading and testing. Then I figured out everything I needed was right in the OpenSSL source-code. So, if you need an example, go straight to openssl-xxx/apps/verify.c.

IMPORTANT: NEVER use MD5. To understand the reason, read Creating a rogue CA certificate.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...