Does the openssl X509_verify_cert() API verify the signature on the certificate?

Does the openssl X509_verify_cert() API validate the RSA signature in the certificate?

As far as I understand, this API only checks the validity of the certificate (for example, checking the date and all).

Could someone please clarify?

+4
2 answers

X509_verify_cert() essentially verifies the validity of the certificate. This includes verifying that the signatures on the certificate belong to a valid CA and are in date; it will process the whole chain like that.

However, it does not confirm that this RSA signature is valid - although it does verify RSA signatures as part of its work, this is not something you should use to do this.

In general, this is the kind of function that runs when you get a certificate error while browsing an SSL site.

+3

The X509_verify_cert() API checks according to the verification flags set in the X509_STORE structure. With this API you can verify the certificate's:

1. Expiry
2. Issuer (path of trust)
   2.1 Intermediate certificates
   2.2 Target chain
   2.3 Intermediate certificates
3. Certificate verification against CRL
   3.1 Validity of the CRL
   3.2 CRL trust
   (Note: make sure a CRL is required for at least one certificate in the store_ctx variable)
4. Target network deficit
5. Agreement of certificates

The flags for the various checks are defined in the file x509_vfy.h:

    /* Send issuer+subject checks to verify_cb */
    #define X509_V_FLAG_CB_ISSUER_CHECK         0x1
    /* Use check time instead of current time */
    #define X509_V_FLAG_USE_CHECK_TIME          0x2
    /* Lookup CRLs */
    #define X509_V_FLAG_CRL_CHECK               0x4
    /* Lookup CRLs for whole chain */
    #define X509_V_FLAG_CRL_CHECK_ALL           0x8
    /* Ignore unhandled critical extensions */
    #define X509_V_FLAG_IGNORE_CRITICAL         0x10
    /* Disable workarounds for broken certificates */
    #define X509_V_FLAG_X509_STRICT             0x20
    /* Enable proxy certificate validation */
    #define X509_V_FLAG_ALLOW_PROXY_CERTS       0x40
    /* Enable policy checking */
    #define X509_V_FLAG_POLICY_CHECK            0x80
    /* Policy variable require-explicit-policy */
    #define X509_V_FLAG_EXPLICIT_POLICY         0x100
    /* Policy variable inhibit-any-policy */
    #define X509_V_FLAG_INHIBIT_ANY             0x200
    /* Policy variable inhibit-policy-mapping */
    #define X509_V_FLAG_INHIBIT_MAP             0x400
    /* Notify callback that policy is OK */
    #define X509_V_FLAG_NOTIFY_POLICY           0x800
    /* Extended CRL features such as indirect CRLs, alternate CRL signing keys */
    #define X509_V_FLAG_EXTENDED_CRL_SUPPORT    0x1000
    /* Delta CRL support */
    #define X509_V_FLAG_USE_DELTAS              0x2000
    /* Check selfsigned CA signature */
    #define X509_V_FLAG_CHECK_SS_SIGNATURE      0x4000

+2
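The following script is an added example and is not code from the question or either answer. It exercises the same X509_verify_cert() code path through the `openssl verify` command, which calls that API, to show what both answers describe: the chain signature and the validity dates are checked, and the self-signed root's own signature is only checked when asked for. It assumes an `openssl` binary on PATH and a writable temp directory; the function names and the throwaway CA are the example's own. The `-attime` option corresponds to X509_V_FLAG_USE_CHECK_TIME and `-check_ss_sig` to X509_V_FLAG_CHECK_SS_SIGNATURE from the flag list above.

```shell
#!/bin/sh
# Added example (not from the original post). Generates a throwaway root CA
# and a leaf it signs, then runs X509_verify_cert() via `openssl verify`:
# intact chain, tampered signature, fixed past check time, root self-sig.
# Assumes: `openssl` on PATH, writable ${TMPDIR:-/tmp}.
set -u

WORK="${TMPDIR:-/tmp}/x509_verify_demo.$$"

# Self-signed root CA plus a leaf certificate it signs (RSA-2048, one day
# validity). Returns non-zero if any openssl step fails.
make_pki() {
  mkdir -p "$WORK" || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 || return 1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=leaf.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Run X509_verify_cert() on the leaf through `openssl verify`; any extra
# verify options are passed through. Exit status 0 means the chain verified.
verify_leaf() {
  openssl verify -CAfile "$WORK/ca.pem" "$@" "$WORK/leaf.pem" 2>&1
}

# Flip one base64 character in the second-to-last body line of the PEM.
# That line lies entirely inside the 256-byte RSA signature at the end of
# the DER, so the certificate still parses but its signature no longer
# matches the CA's public key.
tamper_leaf() {
  n=$(wc -l < "$WORK/leaf.pem")
  awk -v t="$((n - 2))" 'NR == t {
      c = substr($0, 10, 1)
      r = (c == "A") ? "B" : "A"
      $0 = substr($0, 1, 9) r substr($0, 11)
    } { print }' "$WORK/leaf.pem" > "$WORK/tampered.pem"
}

# Verify the tampered leaf; expected to fail (exit status non-zero).
verify_tampered() {
  tamper_leaf || return 1
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/tampered.pem" 2>&1
}

# Check the root's own signature, which X509_verify_cert() skips unless
# X509_V_FLAG_CHECK_SS_SIGNATURE (-check_ss_sig) is set.
verify_ca_self_sig() {
  openssl verify -CAfile "$WORK/ca.pem" -check_ss_sig "$WORK/ca.pem" 2>&1
}

cleanup() { rm -rf "$WORK"; }

# Walk through the four cases when run directly.
if make_pki; then
  echo "1) intact chain:";          verify_leaf
  echo "2) tampered signature:";    verify_tampered || echo "   -> rejected, as expected"
  echo "3) checked at 2000-01-01:"; verify_leaf -attime 946684800 || echo "   -> rejected, as expected"
  echo "4) root self-signature:";   verify_ca_self_sig
  cleanup
fi
```

Case 2 is the direct answer to the question: the signature on the leaf is verified against the issuer's key as part of chain building, so a certificate whose signature bytes were altered is rejected even though it still parses. Case 3 shows the same call failing on dates alone, which is why the first answer warns that X509_verify_cert() is a whole-chain validity check rather than a standalone signature primitive.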

Source: https://habr.com/ru/post/1411262/
