How to check an X509 certificate in C

I have a certificate in X509 format. These are the input parameters to the function. I would like to verify the validity of the certificate. How can I do that?

X509_verify_cert(); 

I found this function, but it does not accept X509 * certificate, it accepts X509_store, and I only have X509.

Thanks with best regards.

+7
3 answers

See the documentation here.

You need to create a certificate store using X509_STORE_CTX_new. Then add the certificate chain using X509_STORE_CTX_set_chain. Add a trusted root certificate using X509_STORE_CTX_trusted_stack. Finally, add the certificate to verify with X509_STORE_CTX_set_cert.

After this, call X509_verify_cert.

Hope this helps you get started.

+7

I am posting my answer here, since I found it with the help of the comments above.

I did not have a certificate chain, so in the work that I do, I only have the program code generated by me. I wanted to verify its authenticity, so I created the following function, which checks the certificate against itself to verify its authenticity.

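    #include <stdio.h>
    #include <openssl/x509.h>
    #include <openssl/x509_vfy.h>

    void check_certificate_validaty(X509* certificate) {
        int status;
        X509_STORE_CTX *ctx = X509_STORE_CTX_new();
        X509_STORE *store = X509_STORE_new();

        /* The store holds only the certificate being checked,
           so it acts as its own trust anchor. */
        X509_STORE_add_cert(store, certificate);
        X509_STORE_CTX_init(ctx, store, certificate, NULL);

        status = X509_verify_cert(ctx);
        if (status == 1) {
            printf("Certificate verified ok\n");
        } else {
            /* X509_STORE_CTX is opaque since OpenSSL 1.1.0: use the accessor
               instead of ctx->error. */
            printf("%s\n", X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)));
        }

        /* Release the verification context and the store. */
        X509_STORE_CTX_free(ctx);
        X509_STORE_free(store);
    }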

Hope this helps someone :)

+14

To verify the signature of the certificate, you need the public key of the issuer certificate. This signature of the issuer's certificate is verified by another issuing certificate (or a trusted root certificate). Thus, if the certificate signature verifies the entire chain to a trusted root, then this certificate is considered trusted.

Signatures of fake certificates are verified using their own public key, as shown below:

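    #include <openssl/bio.h>
    #include <openssl/evp.h>
    #include <openssl/pem.h>
    #include <openssl/x509.h>

    /* Returns 1 if the certificate's signature verifies with its own public
       key, 0 if it does not, and -1 on a parsing or other error. */
    int verify_cert(const char* pem_c_str) {
        int r = -1;
        BIO *bio_mem = BIO_new(BIO_s_mem());
        if (bio_mem == NULL) return -1;
        BIO_puts(bio_mem, pem_c_str);
        X509 *x509 = PEM_read_bio_X509(bio_mem, NULL, NULL, NULL);
        if (x509 != NULL) {                 /* NULL when the PEM text cannot be parsed */
            EVP_PKEY *pkey = X509_get_pubkey(x509);
            if (pkey != NULL) r = X509_verify(x509, pkey);
            EVP_PKEY_free(pkey);
            X509_free(x509);
        }
        BIO_free(bio_mem);
        return r;
    }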

from: http://www.zedwood.com/article/openssl-c-verify-self-signed-certificate-signature

+3
