The code below should help you to do what you need. (Assuming that pbCA and
pbEndUserCert point to the memory locations that your CA and end user certs are
loaded to.) An alternative solution can involve using the function
"X509_STORE_load_locations" to let OpenSSL load your CA certs for you instead
of you calling the function "X509_STORE_add_cert" to add your CA certs to the
cert store.
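/* Headers needed by this fragment */
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>

int verif_res = 0;
X509_STORE_CTX *pCertContext = NULL;
X509_STORE *pCAStore = NULL;
X509 *pX509CA = NULL;
X509 *pX509EndUserCert = NULL;
do
{
    OpenSSL_add_all_algorithms();
    /* Assign to the outer pointers (no redeclaration), so the cleanup
       after the loop actually sees and frees these objects. */
    pCAStore = X509_STORE_new();
    if(pCAStore == NULL)
    {
        break;
    }
    /* d2i_X509 advances the pointer it is given, so parse from a copy. */
    const unsigned char *pbTempCA = (const unsigned char *)pbCA;
    pX509CA = d2i_X509(NULL, &pbTempCA, dwCALen);
    if(pX509CA == NULL)
    {
        break;
    }
    const unsigned char *pbTempCert = (const unsigned char *)pbEndUserCert;
    pX509EndUserCert = d2i_X509(NULL, &pbTempCert, dwEndUserCertLen);
    if(pX509EndUserCert == NULL)
    {
        break;
    }
    /* The store takes its own reference to the CA certificate. */
    if(!X509_STORE_add_cert(pCAStore, pX509CA))
    {
        break;
    }
    pCertContext = X509_STORE_CTX_new();
    if(pCertContext == NULL)
    {
        break;
    }
    if(!X509_STORE_CTX_init(pCertContext,
                            pCAStore, pX509EndUserCert, NULL))
    {
        break;
    }
    /* 1 means verified; 0 (failed) and negative (error) must both be
       treated as "not verified". */
    verif_res = X509_verify_cert(pCertContext);
} while(0);
if(pCertContext)
{
    X509_STORE_CTX_free(pCertContext);
}
if(pCAStore)
{
    X509_STORE_free(pCAStore);
}
if(pX509EndUserCert)
{
    X509_free(pX509EndUserCert);
}
if(pX509CA)
{
    X509_free(pX509CA);
}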
--- On Fri, 9/25/09, vick <[email protected]> wrote:
From: vick <[email protected]>
Subject: verifying cert against its CA
To: [email protected]
Date: Friday, September 25, 2009, 5:31 PM
I have a cert someCA.cer (the root cert) and another, the end-user
cert myenduser.cer in which the issuer is the CA who did
somethingca.cer.
I have both these certs, that's all. When I look at the cert with the
Microsoft viewing tool, I see a thumbprint, and a public key and sha1
algorithm type respectively on each of these 2 certs.
I want to write or use a function that will cryptologically establish
that myenduser.cer was indeed signed by someCA.cer and how do I do
this - info is appreciated.
Right now I don't see any win32 APIs to help me here. Is there any
relevant source in openssl or whatever - I don't want to insert the CA
or anyone else into a trusted store or anything like that, just want to
plug these 2 certs into an algorithm and come up with the answer.
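
The same two-file check can also be run from the openssl command line; the script below is an added example, not code from this thread. It assumes OpenSSL 1.1.0 or later (for -no-CApath); the function names and the constructed demo certificates (someCA, otherCA, myenduser) are made up for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Needs the openssl CLI, version 1.1.0+.

# Normalise a certificate to PEM: a Windows .cer may be DER or base64 (PEM).
to_pem() {  # to_pem <in> <out>
    openssl x509 -in "$1" -out "$2" 2>/dev/null ||
    openssl x509 -inform DER -in "$1" -out "$2" 2>/dev/null
}

# 0 = <cert> chains to <ca>, 1 = it does not, 2 = an input could not be parsed.
# <ca> is the only trust anchor; nothing is installed into any trust store.
verify_against_ca() {  # verify_against_ca <ca> <cert>
    _tmp=$(mktemp -d) || return 2
    if to_pem "$1" "$_tmp/ca.pem" && to_pem "$2" "$_tmp/cert.pem"; then
        # -no-CApath keeps the default CA directory out of the decision.
        if openssl verify -no-CApath -CAfile "$_tmp/ca.pem" \
                "$_tmp/cert.pem" >/dev/null 2>&1; then
            _rc=0
        else
            _rc=1
        fi
    else
        _rc=2
    fi
    rm -rf "$_tmp"
    return "$_rc"
}

# Constructed test data: a CA, an end-user cert it signs, and an unrelated CA.
make_demo_pki() {  # make_demo_pki <dir>
    _d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' \
        > "$_d/cnf"
    for _n in someCA otherCA; do
        openssl req -x509 -config "$_d/cnf" -extensions v3_ca -newkey rsa:2048 \
            -nodes -subj "/CN=constructed $_n" -days 2 \
            -keyout "$_d/$_n.key" -out "$_d/$_n.pem" 2>/dev/null || return 1
    done
    openssl req -new -config "$_d/cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=constructed end user" \
        -keyout "$_d/user.key" -out "$_d/user.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$_d/user.csr" -CA "$_d/someCA.pem" \
        -CAkey "$_d/someCA.key" -set_serial 1 -days 1 \
        -out "$_d/myenduser.pem" 2>/dev/null || return 1
    # The same end-user cert in DER, as an exported .cer often is.
    openssl x509 -in "$_d/myenduser.pem" -outform DER -out "$_d/myenduser.cer"
}
```

With real files the call is `verify_against_ca someCA.cer myenduser.cer`, and the exit status is the answer. This goes through the same chain verification as X509_verify_cert, so validity dates are checked along with the signature.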