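/*
 * Verify a certificate held in MEMORY (.pem) against a CA certificate and
 * an optional CA CRL, also held in memory.  Derived from eay_check_x509cert().
 *
 * cert   - certificate to verify
 * cacert - trusted CA certificate
 * cacrl  - CA CRL; NULL means "no CRL supplied"
 * local  - non-zero selects cb_check_cert_local() as the OpenSSL verify
 *          callback, zero selects cb_check_cert_remote()
 *
 * Returns 0 when X509_verify_cert() succeeds, -1 on any failure.
 *
 * The X509_STORE_add_cert() / X509_STORE_add_crl() / X509_STORE_CTX_init()
 * results are deliberately NOT stored in `error`: those calls return 1 on
 * success and 0 on failure, so storing a failing 0 in `error` before the
 * jump to `end` made the function return 0 ("verified") for a certificate
 * that was never checked.  `error` starts at -1 and is only cleared by a
 * successful verification.
 */
int rsj_check_x509cert(vchar_t *cert, vchar_t *cacert, vchar_t *cacrl, int local)
{
    X509_STORE *cert_ctx = NULL;
    X509_STORE_CTX *csc = NULL;
    X509 *x509 = NULL, *ca_x509 = NULL;
    X509_CRL *caCRL = NULL;
    int error = -1; /* pessimistic default: fail unless verification passes */

    cert_ctx = X509_STORE_new();
    if (!cert_ctx) {
        goto end;
    }

    if (local) {
        X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert_local);
    } else {
        X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert_remote);
    }

    /* read CA cert from memory (.pem format) */
    ca_x509 = mem2x509_s(cacert);
    if (!ca_x509) {
        printf("[ERROR] : rsj_check_x509cert() :unable to get CA x509 from memory.\n");
        goto end;
    }
    /* load CA cert into the store; anything but 1 is a failure */
    if (X509_STORE_add_cert(cert_ctx, ca_x509) != 1) {
        goto end;
    }

    /* load CRL if provided */
    if (cacrl) {
        /* read CA CRL from memory (.pem format) */
        caCRL = mem2x509crl_bio(cacrl);
        if (!caCRL) {
            printf("[ERROR] : rsj_check_x509cert() :unable to get CA x509 CRL from memory.\n");
            goto end;
        }
        /* load CA CRL into the store; anything but 1 is a failure */
        if (X509_STORE_add_crl(cert_ctx, caCRL) != 1) {
            goto end;
        }
    }

    /* read the certificate to be verified */
    x509 = mem2x509(cert);
    if (!x509) {
        printf("[ERROR] : rsj_check_x509cert() :unable to get x509 cert from memory.\n");
        goto end;
    }

    /* Registers the digest algorithms OpenSSL needs during verification
     * (the original comment said "to read cert"; the exact reason is not
     * visible here). */
    OpenSSL_add_all_digests();

    csc = X509_STORE_CTX_new();
    if (!csc) {
        goto end;
    }
    if (X509_STORE_CTX_init(csc, cert_ctx, x509, NULL) != 1) {
        goto end;
    }
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
    /* NOTE(review): these flags are set even when no CRL was supplied.  With
     * X509_V_FLAG_CRL_CHECK set and no CRL in the store, OpenSSL reports
     * X509_V_ERR_UNABLE_TO_GET_CRL, so whether a NULL `cacrl` still verifies
     * depends on what cb_check_cert_local()/cb_check_cert_remote() choose to
     * ignore -- confirm the intended policy with those callbacks. */
    X509_STORE_CTX_set_flags(csc, X509_V_FLAG_CRL_CHECK);
    X509_STORE_CTX_set_flags(csc, X509_V_FLAG_CRL_CHECK_ALL);
#endif

    /* X509_verify_cert() returns 1 on success; 0 (and, in some versions, a
     * negative value on internal error) means the chain did not verify, so
     * only an exact 1 counts as success. */
    error = (X509_verify_cert(csc) == 1) ? 0 : -1;
    X509_STORE_CTX_cleanup(csc);

end:
    if (error) {
        printf("\n [ERROR] : rsj_check_x509cert() :%s\n", eay_strerror());
    }
    /* the X509_STORE_CTX was leaked by the original; free it with the rest */
    if (csc) {
        X509_STORE_CTX_free(csc);
    }
    if (cert_ctx) {
        X509_STORE_free(cert_ctx);
    }
    if (x509) {
        X509_free(x509);
    }
    if (ca_x509) {
        X509_free(ca_x509);
    }
    if (caCRL) {
        X509_CRL_free(caCRL);
    }
    return error;
}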
Regards,
RSJ