what do you mean "private certificate"? you mean the server wants to verify its own certificate before accepting connections? or the client wants to verify its own certificate before initiating connections? (i guess it doesn't matter either way, though.)
assuming you have the CA certs and the CRLs, the "openssl verify" command verifies a particular certificate (doesn't matter if it's the client's or server's certificate). you should be able to model your code after that program. in any case, i mention what i have done:

    X509_STORE *cert_ctx = NULL;
    X509_LOOKUP *lookup = NULL;          /* free "lookup" -> crash & burn (the store owns it) */
    X509_STORE_CTX *cert_store_ctx = NULL;
    X509 *cert = NULL;
    int result;

    /* somehow, load into "cert" the certificate you want to verify */

    cert_ctx = X509_STORE_new();                                          // check result

    /* because i have the CA certs maintained by c_rehash in a directory (ca_dir),
       i do these next two calls: */
    lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir());     // check result
    result = X509_LOOKUP_add_dir(lookup, ca_dir, X509_FILETYPE_PEM);      // check result

    cert_store_ctx = X509_STORE_CTX_new();                                // check result
    result = X509_STORE_CTX_init(cert_store_ctx, cert_ctx, cert, NULL);   // check result
    result = X509_verify_cert(cert_store_ctx);
    // if result == 0, then verification failed. otherwise, verification passed.

----------------------------------------
> Date: Sat, 7 Mar 2009 20:29:36 -0500
> From: lizv...@sisconet.com
> To: openssl-users@openssl.org
> Subject: Verifying private certificate before SSL connection
>
> Hello,
> I need to implement a new requirement to verify the private certificate before
> it is used for an SSL/TLS connection.
> Basically I should not use a certificate that is expired or revoked. I am
> working with OpenSSL 0.9.8i.
>
> I made a function similar to what we are using to verify the peer certificate,
> but I am experiencing crashes in the X509_verify_cert function.
>
> I wonder if anybody is verifying the private certificate used for an SSL/TLS
> connection?
> Any tip would be greatly appreciated.
> Liz
>
> I prepared ssl_ctx by loading CA, CRL, ciphers and private certificate.
> Here is a code fragment showing the major steps.
>
>     SSL *ssl;
>     X509 *x509 = NULL;
>     X509_STORE_CTX *ctx;
>     X509_STORE *cert_store = NULL;
>
>     ssl = SSL_new(ssl_ctx);
>     x509 = SSL_get_certificate(ssl);    /* x509 = SSL_get_peer_certificate(ssl); */
>     cert_store = SSL_CTX_get_cert_store(ssl_ctx);
>     X509_STORE_set_verify_cb_func(cert_store, _verifyCertificateCallback);
>     ctx = X509_STORE_CTX_new();
>     X509_STORE_CTX_init(ctx, cert_store, x509, NULL);
>     X509_verify_cert(ctx);
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org