what do you mean "private certificate"? you mean the server wants to verify its 
own certificate before accepting connections? or the client wants to verify its 
own certificate before initiating connections? (i guess it doesn't matter 
either way, though.)

assuming you have the CA certs and the CRLs, the "openssl verify" command 
verifies a particular certificate (doesn't matter if it's the client's or 
server's certificate). you should be able to model your code after that 
program. in any case, i mention what i have done:


#include <openssl/x509.h>
#include <openssl/x509_vfy.h>

/* somehow, load into "cert" the certificate you want to verify, then
   call this with the directory holding the CA certs. returns 1 if it verifies. */
int verify_against_ca_dir(X509 *cert, const char *ca_dir)
{
    X509_STORE *cert_ctx = NULL;
    X509_LOOKUP *lookup = NULL; /* owned by the store: free "lookup" -> crash & burn */
    X509_STORE_CTX *cert_store_ctx = NULL;
    int result = 0;
    int verified = 0;

    cert_ctx = X509_STORE_new();
    if (cert_ctx == NULL)
        goto done;

    /* because i have the CA certs maintained by c_rehash in a
       directory, i do these next two calls: */

    lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir());
    if (lookup == NULL)
        goto done;

    result = X509_LOOKUP_add_dir(lookup, ca_dir, X509_FILETYPE_PEM);
    if (result != 1)
        goto done;

    cert_store_ctx = X509_STORE_CTX_new();
    if (cert_store_ctx == NULL)
        goto done;

    result = X509_STORE_CTX_init(cert_store_ctx, cert_ctx, cert, NULL);
    if (result != 1)
        goto done;

    /* X509_verify_cert returns 1 when verification passed. anything else is
       a failure, and X509_STORE_CTX_get_error(cert_store_ctx) tells you why. */
    verified = (X509_verify_cert(cert_store_ctx) == 1);

done:
    if (cert_store_ctx != NULL)
        X509_STORE_CTX_free(cert_store_ctx);
    X509_STORE_free(cert_ctx); /* NULL-safe; also frees the lookup */
    return verified;
}




----------------------------------------
> Date: Sat, 7 Mar 2009 20:29:36 -0500
> From: lizv...@sisconet.com
> To: openssl-users@openssl.org
> Subject: Verifying private certificate before SSL connection
>
> Hello,
> I need to implement a new requirement to verify the private certificate before
> it is used for an SSL/TLS connection.
> Basically I should not use a certificate that is expired or revoked. I am
> working with OpenSSL 0.9.8i.
>
> I made function similar to what we are using to verify peer certificate
> but I am experiencing crashes in X509_verify_cert function.
>
> I wonder if anybody is verifying private certificate used for SSL/TLS
> connection?
> Any tip would be greatly appreciated.
> Liz
>
> I prepared ssl_ctx by loading the CA, CRL, ciphers and private certificate.
> Here is a code fragment showing the major steps.
> SSL *ssl;
> X509 *x509 = NULL;
> X509_STORE_CTX *ctx;
> X509_STORE *cert_store = NULL;
>
> ssl = SSL_new(ssl_ctx);
> x509 = SSL_get_certificate (ssl); /* x509 =
> SSL_get_peer_certificate (ssl); */
> cert_store = SSL_CTX_get_cert_store(ssl_ctx);
> X509_STORE_set_verify_cb_func(cert_store, _verifyCertificateCallback);
> ctx = X509_STORE_CTX_new();
> X509_STORE_CTX_init(ctx, cert_store, x509, NULL);
> X509_verify_cert(ctx);
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
