I use:

#include <stdio.h>
#include <openssl/pem.h>
#include <openssl/x509.h>

/* Returns 0 when certB names CAcertA as issuer and CAcertA's key verifies
   certB's signature, 1 otherwise (including any file or parse failure). */
int verify_CAkey(void)
{
    FILE *fp1 = NULL, *fp2 = NULL;   /* both are pointers */
    X509 *A = NULL, *B = NULL;
    EVP_PKEY *A_pub = NULL;
    int flag = 1;

    fp1 = fopen("CAcertA", "rb");
    fp2 = fopen("certB", "rb");
    if (fp1 == NULL || fp2 == NULL)
        goto done;
    /* PEM_read_X509 is the documented form of the PEM_ASN1_read/d2i_X509 call */
    A = PEM_read_X509(fp1, NULL, NULL, NULL);
    B = PEM_read_X509(fp2, NULL, NULL, NULL);
    if (A == NULL || B == NULL)
        goto done;
    A_pub = X509_get_pubkey(A);      /* older name: X509_extract_key */
    if (A_pub == NULL)
        goto done;
    /* B's issuer name must be A's subject name, and A's public key must
       verify the signature on B */
    if (X509_subject_name_hash(A) == X509_issuer_name_hash(B) &&
        X509_verify(B, A_pub) == 1)
        flag = 0;
done:
    EVP_PKEY_free(A_pub);            /* the *_free functions accept NULL */
    X509_free(A);
    X509_free(B);
    if (fp1) fclose(fp1);
    if (fp2) fclose(fp2);
    return flag;
}

This is sort of pseudo-code and will return 0 when it verifies and 1
when not. This is copied from other code I wrote so, as is, it may not
work. But the basic principles are there.

Robert Sandilands
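Added example, not code from either message in this thread: the same question ("is certB certified by CAcertA?") answered with the openssl command-line tool, whose verify subcommand runs the X509_STORE / X509_verify_cert chain check the quoted question asks about. It assumes openssl (1.1.1 or newer) is on PATH; CA A, an unrelated CA X and the leaf certificate B are throwaway certificates the script generates itself. verify_ca_key keeps the reply's 0-for-success convention; issued_by isolates the issuer/subject name comparison from the reply's C code, so the two checks can be contrasted on the unrelated CA.

```shell
#!/bin/sh
# Added example: does certB chain to CAcertA?  Uses the openssl CLI against
# throwaway certificates generated below into $WORK (constructed test data).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the CA certificate carries basicConstraints=CA:TRUE
# regardless of the system openssl.cnf (verify rejects a v3 CA without it).
cat >"$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF

# make_ca NAME CN : self-signed CA certificate plus private key
make_ca() {
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -days 1 -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf NAME CN CA : certificate for CN, signed with CA's key
make_leaf() {
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -set_serial 1 -days 1 -out "$WORK/$1.pem" 2>/dev/null
}

# verify_ca_key CA CERT : 0 when CERT chains to CA (name match, signature,
# validity period, CA flag), 1 otherwise; same 0/1 convention as the reply.
verify_ca_key() {
  if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
    case "$out" in *": OK") return 0 ;; esac
  fi
  printf '%s\n' "$out" >&2   # e.g. "unable to get local issuer certificate"
  return 1
}

# issued_by CA CERT : only the name half of the reply's check
# (CERT's issuer == CA's subject); says nothing about the signature.
issued_by() {
  ca_subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
  cert_iss=$(openssl x509 -in "$2" -noout -issuer -nameopt RFC2253)
  [ "${ca_subj#*=}" = "${cert_iss#*=}" ]
}

make_ca   A "CA A"
make_ca   X "Unrelated CA X"
make_leaf B "Server B" A
CA_A=$WORK/A.pem; CA_X=$WORK/X.pem; CERT_B=$WORK/B.pem

verify_ca_key "$CA_A" "$CERT_B" && echo "B is certified by A"
verify_ca_key "$CA_X" "$CERT_B" || echo "B is not certified by X"
```

The name comparison alone accepts any certificate whose issuer field merely claims "CN=CA A", which is why the reply pairs it with X509_verify and why openssl verify (X509_verify_cert underneath) also checks the signature, validity dates and the CA's basicConstraints before printing OK.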

Douglas Wikström wrote:
> 
> hello!
> 
> Suppose that I have a CA-cert A and a cert B that is signed by the
> public key of A. I am trying to figure out how to verify that B is
> certified by A:
> 
> This is what I got so far (which I clearly haven't compiled yet :-)
> 
>   FILE *fp;
>   X509 *cert;
>   X509_STORE *ctx;                 /* trusted store holding the ca-cert */
>   X509_STORE_CTX *csc;
>   STACK_OF(X509) *uchain = NULL;   /* no untrusted intermediate certs */
>   int purpose = -1;                /* -1: no specific purpose */
> 
>         /* load the cert (this works just fine) */
>   fp = fopen(argv[2], "r");
>   if (fp == NULL) {
>     fprintf(stderr, "Failed to open certfile!\n");
>     exit(1);
>   }
>   cert = PEM_read_X509(fp, NULL, NULL, NULL);
>   if (cert == NULL) {
>     fprintf(stderr, "Failed to read cert from certfile!\n");
>     exit(1);
>   }
>   fclose(fp);
> 
>   ERR_load_crypto_strings();
> 
>         /* this is where I am confused, From reading ariels "manuals" I get the
> impression that I should create a X509_STORE that contains the ca-cert.
> Then I should init the X509_STORE_CTX with this and also an
> STACK_OF(X509) containing the cert I would like to verify with the
> ca-cert */
> 
>         /* the store: load the PEM ca-cert file (argv[1]) as trusted */
>   ctx = X509_STORE_new();
>   if (ctx == NULL || !X509_STORE_load_locations(ctx, argv[1], NULL)) {
>     fprintf(stderr, "Failed to load ca-cert into store!\n");
>     ERR_print_errors_fp(stderr);
>     exit(1);
>   }
> 
>   csc = X509_STORE_CTX_new();
>   if (csc == NULL) {
>     fprintf(stderr, "Failed to create store!\n");
>     ERR_print_errors_fp(stderr);
>     exit(1);
>   }
>   X509_STORE_CTX_init(csc, ctx, cert, uchain);
>   if(purpose >= 0) X509_STORE_CTX_set_purpose(csc, purpose);
> 
>   if (!X509_verify_cert(csc)) {
>     fprintf(stderr, "Verification of cert failed: %s\n",
>             X509_verify_cert_error_string(X509_STORE_CTX_get_error(csc)));
>     exit(1);
>   }
>   X509_STORE_CTX_free(csc);
>   X509_STORE_free(ctx);
>   X509_free(cert);
> 
> Any hints, clarifying comments, or pointers to docs are very welcome.
> 
> Best regards:
> 
> Douglas
> 
> --
> 
> ------------------------------------------------------
>  Douglas Wikström <[EMAIL PROTECTED]>
> ------------------------------------------------------
>  Yes, God created Man before Woman,
>  but one always makes a draft before the masterpiece.
> ------------------------------------------------------
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
