I'm using OpenSSL v1.0.0 Beta 3.
My code is perl xs glue but it looks something like this:
/*
 * Verification setup for X509_verify_cert(): verify-param flags, the trusted
 * root, the untrusted intermediates and the caller-supplied CRL stack.
 * Everything referenced here (purpose, cert_store, vpm, revokes, crl_stack,
 * trusted, untrusted, crls, cs_ctx, cert, root, ca_cert, crl, num_cas,
 * num_crls, error, verifyResult) and the CERTIFICATE_VERIFY_FAILURE cleanup
 * label live in the surrounding XS function, which is not shown.
 *
 * num_cas / num_crls look like last-index counts (Perl $#array style): the
 * "num_crls >= 0" test below means "at least one CRL", and both fill loops
 * run 0..num_xxx inclusive. -- confirm against the XS caller.
 */
purpose = X509_PURPOSE_MIN - 1; /* sentinel: "no purpose requested"; tested twice below */
cert_store = X509_STORE_new(); /* NOTE(review): NULL return not checked; a failure here only surfaces when X509_STORE_CTX_init() fails later */
revokes = crl_stack;
X509_STORE_set_flags(cert_store, 0); /* no-op (ORs 0 into the store flags); the effective flags are the ones set on vpm and copied in via set1_param */
vpm = X509_VERIFY_PARAM_new(); /* NOTE(review): NULL return not checked */
X509_VERIFY_PARAM_set_flags(vpm,X509_V_FLAG_X509_STRICT);
if ( revokes ) {
// .
// . perl xs stuff here
// .
if ( num_crls >= 0) {
#if (OPENSSL_VERSION_NUMBER >= 0x10000003L)
/* Extended CRL support (indirect CRLs -- IDP "Indirect CRL" plus per-entry
 * "Certificate Issuer" -- and delta CRLs) first appears in 1.0.0 beta 3,
 * hence the version guard. NOTE(review): indirect-CRL handling is understood
 * to depend on this flag being set; confirm against x509_vfy.c of the build. */
X509_VERIFY_PARAM_set_flags(vpm,X509_V_FLAG_EXTENDED_CRL_SUPPORT);
#endif
// One CRL supplied: it is assumed to be the CRL for the certificate being
// verified only (CRL_CHECK covers just the leaf). Per the verify(1)/
// X509_VERIFY_PARAM docs this fails closed: no usable CRL => verify error.
X509_VERIFY_PARAM_set_flags(vpm,X509_V_FLAG_CRL_CHECK);
if ( num_crls >= 1 ) {
// More than one CRL supplied: assume one CRL per CA in the chain and
// check every certificate in the chain, not just the leaf.
// (2do: make this an explicit argument -- with a single indirect CRL
// covering the whole chain, the CRL count no longer implies "check all".)
X509_VERIFY_PARAM_set_flags(vpm,X509_V_FLAG_CRL_CHECK_ALL);
}
}
}
/* NOTE(review): this uses '>' while the ctx check further down uses
 * 'if (purpose)'. With the sentinel above both are false, but a purpose
 * equal to X509_PURPOSE_MIN would be applied to the ctx and not to the
 * store's params. Probably intended to be '>='. */
if (purpose > X509_PURPOSE_MIN) {
X509_VERIFY_PARAM_set_purpose(vpm, purpose);
}
/* set1 convention: the store takes its own copy of vpm, so vpm is still
 * owned here and needs X509_VERIFY_PARAM_free() -- not visible in this
 * excerpt; confirm the cleanup path frees it, otherwise it leaks on every
 * call. Return value (0 on failure) is not checked. */
X509_STORE_set1_param(cert_store, vpm);
/* Trust anchors: just the root. The stack holds a bare pointer (no
 * reference taken), so root must outlive cs_ctx. sk_X509_new_null() and
 * sk_X509_push() (0 on failure) are not checked. */
trusted = sk_X509_new_null();
sk_X509_push(trusted,root);
//
// The UNTRUSTED STACK (as CAs come in...)
//
// NOTE(review): for an indirect CRL the CRL issuer certificate (CA0iCRL in
// the example below) must also be findable by the verifier, i.e. pushed
// here or present in the store -- it is not the issuer of the leaf.
untrusted = sk_X509_new_null();
for (ca_idx = 0 ; ca_idx <= num_cas; ca_idx++) {
// .
// . perl xs stuff
// .
sk_X509_push(untrusted,(X509 *)ca_cert); /* bare pointer, no reference; return unchecked */
}
//
// The CRL STACK
//
// NOTE(review): crls is never created in this excerpt (the caller's stack
// went into 'revokes' above). If the elided XS code does not
// sk_X509_CRL_new_null() it, these pushes just return 0 and the
// 'if (crls)' below skips the CRLs entirely -- with CRL_CHECK set that
// would be expected to end in X509_V_ERR_UNABLE_TO_GET_CRL.
for (crl_idx = 0 ; crl_idx <= num_crls; crl_idx++) {
// .
// . perl xs stuff
// .
sk_X509_CRL_push(crls,(X509_CRL *)crl); /* bare pointer, no reference; return unchecked */
}
// The certificate store verification context and actual verification
cs_ctx = X509_STORE_CTX_new();
if (!cs_ctx) {
error="malloc error";
goto CERTIFICATE_VERIFY_FAILURE;
}
/* init inherits the store's verify params (the flags/purpose set on vpm)
 * into the ctx; 'untrusted' is only a candidate pool for chain building. */
if(! X509_STORE_CTX_init(cs_ctx,cert_store,cert,untrusted)) {
error="error initializing cs_ctx";
goto CERTIFICATE_VERIFY_FAILURE;
}
/* Use 'trusted' as the trust anchors in place of the store's lookup methods. */
X509_STORE_CTX_trusted_stack(cs_ctx, trusted);
if (purpose) X509_STORE_CTX_set_purpose(cs_ctx, purpose); /* see the '>' vs 'if (purpose)' note above */
/* set0 convention: no reference is taken. crls must stay alive until
 * cs_ctx is freed and is still ours to free afterwards. */
if (crls) X509_STORE_CTX_set0_crls(cs_ctx,crls);
/* 1 = chain built and verified (incl. CRL checks); otherwise
 * X509_STORE_CTX_get_error()/get_error_depth() give the reason (not shown). */
verifyResult = X509_verify_cert(cs_ctx);
ROOT (CA0) <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: O=Red Condor, OU=PKI, CN=CA0
Validity
Not Before: Oct 11 19:36:01 2009 GMT
Not After : Oct 21 19:36:01 2010 GMT
Subject: O=Red Condor, OU=PKI, CN=CA0
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:8
X509v3 Subject Key Identifier:
A0:A0:7A:71:6C:23:26:E4:00:9A:EA:17:B9:B4:A8:7F:1D:0C:65:DE
X509v3 Authority Key Identifier:
keyid:A0:A0:7A:71:6C:23:26:E4:00:9A:EA:17:B9:B4:A8:7F:1D:0C:65:DE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Indirect CRL Signer (CA0iCRL) <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha1WithRSAEncryption
Issuer: O=Red Condor, OU=PKI, CN=CA0
Validity
Not Before: Oct 11 19:37:10 2009 GMT
Not After : Oct 21 19:37:10 2010 GMT
Subject: O=Red Condor, OU=PKI, CN=CA0iCRL
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:8
X509v3 Subject Key Identifier:
0E:8C:C9:D3:F4:2C:B8:6D:81:71:69:B4:2E:99:FA:08:AD:CF:A9:8F
X509v3 Authority Key Identifier:
keyid:E1:C1:46:BC:E5:6F:03:27:7A:23:C4:0B:A2:BF:F9:0F:03:BC:F8:83
(NOTE: this does not match the Subject Key Identifier of the CA0 certificate shown above, A0:A0:7A:71:...:65:DE. So either the CA0 shown is not the key that actually signed this certificate, or its AKID is wrong; either way OpenSSL's issuer lookup, which compares AKID against the candidate issuer's SKID, would be expected to fail before any CRL processing happens.)
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
End Entity (AdamRosenstein) <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: sha1WithRSAEncryption
Issuer: O=Red Condor, OU=PKI, CN=CA0
Validity
Not Before: Oct 11 19:37:10 2009 GMT
Not After : Oct 21 19:37:10 2010 GMT
Subject: O=Red Condor, OU=PKI, CN=AdamRosenstein
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
BE:21:0B:DF:87:07:84:81:FC:82:4A:74:07:C4:23:F4:7F:3A:6E:56
X509v3 Authority Key Identifier:
keyid:E1:C1:46:BC:E5:6F:03:27:7A:23:C4:0B:A2:BF:F9:0F:03:BC:F8:83
(NOTE: same mismatch against the CA0 SKID A0:A0:7A:71:... above as for CA0iCRL — the leaf and CA0iCRL name one issuer key, the CA0 certificate shown carries another.)
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 CRL Distribution Points:
Full Name:
URI:http://pki.redcondor.net/CA0-indirect.crl
CRL Issuer:
DirName: O = Red Condor, OU = PKI, CN = CA0iCRL
-----BEGIN CERTIFICATE-----
MIICNzCCAeGgAwIBAgIBAzANBgkqhkiG9w0BAQUFADAxMRMwEQYDVQQKEwpSZWQg
Q29uZG9yMQwwCgYDVQQLEwNQS0kxDDAKBgNVBAMTA0NBMDAeFw0wOTEwMTExOTM3
MTBaFw0xMDEwMjExOTM3MTBaMDwxEzARBgNVBAoTClJlZCBDb25kb3IxDDAKBgNV
BAsTA1BLSTEXMBUGA1UEAxMOQWRhbVJvc2Vuc3RlaW4wXDANBgkqhkiG9w0BAQEF
AANLADBIAkEApfAUsD6T8qVwX6iC4RRwhM41cwR+ndkZQ8ov8ot8eRH+3gV9NzFF
0sZFfHtzhC6zovonvkujYNCihHsIvbe12wIDAQABo4HYMIHVMAwGA1UdEwEB/wQC
MAAwHQYDVR0OBBYEFL4hC9+HB4SB/IJKdAfEI/R/Om5WMB8GA1UdIwQYMBaAFOHB
RrzlbwMneiPEC6K/+Q8DvPiDMA4GA1UdDwEB/wQEAwIFoDB1BgNVHR8EbjBsMGqg
LaArhilodHRwOi8vcGtpLnJlZGNvbmRvci5uZXQvQ0EwLWluZGlyZWN0LmNybKI5
pDcwNTETMBEGA1UEChMKUmVkIENvbmRvcjEMMAoGA1UECxMDUEtJMRAwDgYDVQQD
EwdDQTBpQ1JMMA0GCSqGSIb3DQEBBQUAA0EAiziI4gGkpZRsw+o20tAOyD1yZJsA
Dq5jgehNI2lEVzrf3b0xuR4CIk/bC/uZZ+KoLcBcp8afsXBkS9WJdLxEyg==
-----END CERTIFICATE-----
CRL <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /O=Red Condor/OU=PKI/CN=CA0iCRL
Last Update: Oct 20 19:37:10 2009 GMT
Next Update: Aug 17 19:37:10 2010 GMT
CRL extensions:
X509v3 Issuing Distrubution Point: critical
Full Name:
URI:http://pki.redcondor.net/CA0-indirect.crl
Indirect CRL
X509v3 Authority Key Identifier:
keyid:0E:8C:C9:D3:F4:2C:B8:6D:81:71:69:B4:2E:99:FA:08:AD:CF:A9:8F (matches the Subject Key Identifier of CA0iCRL above, as expected for an indirect CRL signed by it)
X509v3 CRL Number:
10
Revoked Certificates:
Serial Number: 03
Revocation Date: Oct 21 19:37:10 2009 GMT
CRL entry extensions:
X509v3 Certificate Issuer: critical
DirName:/O=Red Condor/OU=PKI/CN=CA0
-----BEGIN X509 CRL-----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-----END X509 CRL-----