All,

I'm trying to use OpenSSL in a rather peculiar way, and I wonder if anyone here can help me out. I have two peers. Each has an RSA public-private key pair and a self-signed X509 certificate. What I'd like to do is establish a TLS connection between the two of them where each can learn the public key fingerprint of the party on the other side, and also verify that the party on the other side knows the corresponding private key. I don't want to accept any other kind of connection. In particular, any request from a party with no certificate or a non-self-signed certificate should be rejected.

The idea here is that I'm using a peer's public key as its identity. I don't care what its "real" name is, or about any of the rest of the information in the X509 certificate for that matter. All I care is that it knows the private key corresponding to the public key that it's using as its identity.

From the code I've played with so far, it seems that I'll need to call SSL_CTX_set_verify with a callback that catches the error OpenSSL generates when it finds a self-signed, non-root certificate, and do my check in there. But I can't figure out what functions to use to check the signature on the self-signed cert, or how to confirm that the public key in that cert is the same as the one the peer is trying to use to authenticate the connection.

Am I making any sense?  Any ideas?

Thanks,
Sean
--
     Other people can talk about how to expand the destiny of mankind.
     I just want to talk about how to fix a motorcycle.  I think that
                what I have to say has more lasting value.
      -- Robert M. Pirsig, Zen and the Art of Motorcycle Maintenance


