Andreas Hoffmann wrote:
> Hi,
> how can I verify multiple single DER-encoded certificates which I
> recieve from a gateway and which represent a cert-chain alltogether.
>
> I think this should be done like this (PseudoCode):
> foreach (cert from chain)
> check, if it was signed by the CA of the previous cert
> Check if one of the certs is a trusted one (ideally this should be the
> Root-CA?)
This is much too easy. Usually you do not know anything
about the order in which the certificates are presented,
so it is more something like:
Find the certificate of the end-entity (server or client).
Until (actual_certificate in set of trusted certificates) do
issuer_certificate=find_issuer_certificate(actual_certificate)
check_signature(actual_certificate, issuer_certificate)
exit_on_failure
actual_certificate=issuer_certificate
done
There is additional complexity in finding the issuer
certificate, for example there may be multiple issuer
certificates for the actual certificate to be checked
(so all pathes have to be evaluated). This is essential
to cope with cross-certificates.
A more detailed description of the algorithm for checking
of certificate chains is in RFC 3280, Section 6: Certificate
Path Validation. This is the way to do it, I would say.
Cheers, Olaf
--
Dipl.Inform. Olaf Gellert PRESECURE (R)
Senior Researcher, Consulting GmbH
Phone: (+49) 0700 / PRESECURE [EMAIL PROTECTED]
A daily view on Internet Attacks
https://www.ecsirt.net/sensornet
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
