Hi,
I am trying to verify whether a CA-signed certificate has been revoked.
The OpenSSL verify operation requires the following inputs:
- cert: the CA-signed certificate to be verified.
- cafile: path to the CA certificate that was used to sign the certificate (cert).
*How can I find the URI of this CA certificate?*
- crlfile: can be obtained from the CRL Distribution Points extension of the
certificate (cert).
*How can I find the URI of the CA certificate?*
I am trying to do the verification in my code using the following example. I
tested the code below by acting as my own CA. But if the certificates are
signed by a third-party CA, how do I obtain the CA certificate that was used
for signing? I want my code to determine where to pick up the required CA
certificate. Please help:
Code example:
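/*
 * Print a diagnostic to stderr -- source location, the caller's message,
 * then the pending OpenSSL error queue -- and terminate the process.
 * Reached through the int_error() macro; it never returns.
 *
 * file:   source file name (normally __FILE__)
 * lineno: source line number (normally __LINE__)
 * msg:    human-readable description of what failed
 */
void handle_error(const char *file, int lineno, const char *msg)
{
    fprintf(stderr, "** %s:%i %s\n", file, lineno, msg);
    ERR_print_errors_fp(stderr);
    exit(-1);
}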
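/* Report a fatal error with the current source location and exit. */
#define int_error(msg) handle_error(__FILE__, __LINE__, msg)

/* these are definitions to make the example simpler */
/* NOTE(review): relative paths are resolved against the current working
 * directory, so whoever controls the cwd controls which trust store is
 * loaded.  Use absolute paths for CA_FILE / CRL_FILE outside of a demo. */
#define CA_FILE     "CAfile.pem"
#define CA_DIR      "/etc/ssl"
#define CRL_FILE    "CRLfile.pem"
#define CLIENT_CERT "cert.pem"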
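/*
 * Verification callback installed on the X509_STORE.  OpenSSL calls it
 * with the preliminary result of each check in `ok`; when a check failed
 * we log the reason and hand `ok` back unchanged so the failure stands.
 *
 * Do not "repair" failures here by returning 1: that would make
 * X509_verify_cert() accept untrusted, expired or revoked certificates.
 *
 * The error code is read through the accessor rather than stor->error,
 * which no longer compiles once X509_STORE_CTX became opaque (1.1.0+).
 */
int verify_callback(int ok, X509_STORE_CTX *stor)
{
    if (!ok) {
        int err = X509_STORE_CTX_get_error(stor);
        fprintf(stderr, "Error: %s\n", X509_verify_cert_error_string(err));
    }
    return ok;
}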
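/*
 * Verify CLIENT_CERT against the CA certificate(s) in CA_FILE, consulting
 * the CRL(s) in CRL_FILE for every certificate in the chain.
 *
 * Any setup or verification failure exits through int_error() with a
 * non-zero status; 0 is returned only when X509_verify_cert() succeeded.
 *
 * NOTE(review): the trust anchor must come from a local, trusted source
 * (CA_FILE, or a hashed directory such as CA_DIR).  An issuer certificate
 * fetched from the leaf's Authority Information Access "caIssuers" URI may
 * be fed to the store as an untrusted intermediate to help build the chain,
 * but it must never be installed as a trust anchor -- the leaf would then be
 * vouching for its own issuer.
 */
int main(int argc, char *argv[])
{
    X509 *cert = NULL;
    X509_STORE *store = NULL;
    X509_LOOKUP *lookup = NULL;
    X509_STORE_CTX *verify_ctx = NULL;
    FILE *fp = NULL;

    (void)argc;
    (void)argv;

    OpenSSL_add_all_algorithms();
    ERR_load_crypto_strings();
    seed_prng();

    /* first read the client certificate */
    if (!(fp = fopen(CLIENT_CERT, "r")))
        int_error("Error reading client certificate file");
    if (!(cert = PEM_read_X509(fp, NULL, NULL, NULL)))
        int_error("Error reading client certificate in file");
    fclose(fp);

    /* create the cert store and set the verify callback */
    if (!(store = X509_STORE_new()))
        int_error("Error creating X509_STORE object");
    X509_STORE_set_verify_cb_func(store, verify_callback);

    /* load the CA certificates.  A failure here is fatal: the original only
     * printed a warning and went on to verify against an empty store. */
    if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())))
        int_error("Error creating X509_LOOKUP object");
    if (X509_LOOKUP_load_file(lookup, CA_FILE, X509_FILETYPE_PEM) != 1)
        int_error("Error reading the CA file");

    /* load the CRLs */
    if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())))
        int_error("Error creating X509_LOOKUP object");
    if (X509_load_crl_file(lookup, CRL_FILE, X509_FILETYPE_PEM) != 1)
        int_error("Error reading the CRL file");

    /* enabling verification against CRLs is not possible in prior versions */
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
    /* CRL_CHECK consults a CRL for the leaf only; CRL_CHECK_ALL additionally
     * requires a CRL for every CA in the chain.  A missing CRL then fails
     * verification (X509_V_ERR_UNABLE_TO_GET_CRL) instead of silently
     * skipping the revocation check, which is the behaviour we want. */
    X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK |
                                X509_V_FLAG_CRL_CHECK_ALL);
#endif

    /* create a verification context and initialize it */
    if (!(verify_ctx = X509_STORE_CTX_new()))
        int_error("Error creating X509_STORE_CTX object");
    /* X509_STORE_CTX_init did not return an error condition in prior versions */
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
    if (X509_STORE_CTX_init(verify_ctx, store, cert, NULL) != 1)
        int_error("Error initializing verification context");
#else
    X509_STORE_CTX_init(verify_ctx, store, cert, NULL);
#endif

    /* verify the certificate; only a return of 1 means success */
    if (X509_verify_cert(verify_ctx) != 1)
        int_error("Error verifying the certificate");
    printf("Certificate verified correctly!\n");

    /* release everything we own; the lookups belong to the store */
    X509_STORE_CTX_free(verify_ctx);
    X509_STORE_free(store);
    X509_free(cert);
    return 0;
}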
Thanks Regards,
Akash Deo