Hi,

I was wondering if it was possible to validate that one certificate is 
actually signed by a CA without creating an X509 store containing the CA's 
certificate? The code in X509_check_issued sort of seems to imply that it is 
(though it's quite possible that I'm reading it wrong), but the attached 
program gives rather unexpected results when run against the attached 
certificates: when I use that function, it says 
that "InvalidEESignatureTest3EE.crt" is signed by "GoodCACert.crt" when in 
fact it is not. On the other hand, when I try to validate the certificate 
against an X509_STORE containing the CA certificate, it (correctly) says it 
is not signed by the CA. Am I doing something wrong?

Thanks,

Will
#include <assert.h>
#include <stdio.h>

#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/pkcs12.h>
#include <openssl/sha.h>
#include <openssl/ssl.h>
#include <openssl/x509v3.h>


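/*
 * Load one DER-encoded certificate from the file named by `fname`.
 *
 * Returns a newly allocated X509 that the caller owns and must release with
 * X509_free(), or NULL when the file cannot be opened or does not parse as a
 * DER certificate (details are left on the OpenSSL error queue).
 */
X509 *load_asn1(const char *fname)
{
    X509 *cert = NULL;
    BIO *bio = NULL;

    if (fname == NULL)
        return NULL;

    bio = BIO_new(BIO_s_file());
    if (bio == NULL)
        return NULL;

    /* The original returned early on both failure paths without freeing the
     * BIO; funnelling every path through the single BIO_free() below fixes
     * that leak. The parsed certificate does not reference the BIO. */
    if (BIO_read_filename(bio, fname) > 0)
        cert = d2i_X509_bio(bio, NULL);

    BIO_free(bio);

    return cert;
}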


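/*
 * Verify "InvalidEESignatureTest3EE.crt" against an X509_STORE that holds
 * "GoodCACert.crt" as its trust anchor, printing the X509_verify_cert()
 * result (1 = chain verified, 0 = rejected).
 *
 * This is the path that actually checks the end-entity signature with the
 * CA key, so it is the one to rely on for "is this really signed by the CA".
 * On failure the verify error code and its string are printed as well, so a
 * signature failure can be told apart from, say, a missing trust anchor.
 */
void validate_with_store(void)
{
    X509_STORE *store = X509_STORE_new();
    assert(store);

    X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
    assert(lookup);

    /* The original ignored this return value; an unreadable CA file would
     * silently leave the store empty and make every verification fail for
     * the wrong reason. */
    if (X509_LOOKUP_load_file(lookup, "GoodCACert.crt", X509_FILETYPE_ASN1) != 1) {
        fprintf(stderr, "failed to load GoodCACert.crt into the store\n");
        X509_STORE_free(store);
        return;
    }

    X509 *cert = load_asn1("InvalidEESignatureTest3EE.crt");
    if (cert == NULL) {
        fprintf(stderr, "failed to load InvalidEESignatureTest3EE.crt\n");
        X509_STORE_free(store);
        return;
    }

    X509_STORE_CTX csc;
    if (X509_STORE_CTX_init(&csc, store, cert, NULL) == 1) {
        int result = X509_verify_cert(&csc);
        printf("Validated cert against store. Result: %i\n", result);
        if (result != 1) {
            /* Explain the rejection; for this test certificate a signature
             * failure is the expected reason. */
            int err = X509_STORE_CTX_get_error(&csc);
            printf("  verify error %i: %s\n", err, X509_verify_cert_error_string(err));
        }
        X509_STORE_CTX_cleanup(&csc);
    } else {
        fprintf(stderr, "X509_STORE_CTX_init failed\n");
    }

    X509_free(cert);
    X509_STORE_free(store);
}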


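/*
 * Check "InvalidEESignatureTest3EE.crt" against "GoodCACert.crt" without an
 * X509_STORE.
 *
 * X509_check_issued() only decides whether `cacert` *could* be the issuer of
 * `cert` (issuer/subject name match plus authority/subject key identifier
 * and keyUsage checks); it never verifies the signature. That is why the
 * original reported success for a certificate whose signature is invalid.
 * The cryptographic check is X509_verify() with the CA's public key, so both
 * results are printed: the first line is the issuer-plausibility answer, the
 * second is the one that says whether the CA really signed the certificate.
 */
void validate_without_store(void)
{
    X509 *cert = load_asn1("InvalidEESignatureTest3EE.crt");
    X509 *cacert = load_asn1("GoodCACert.crt");
    EVP_PKEY *cakey = NULL;

    if (cert == NULL || cacert == NULL) {
        fprintf(stderr, "failed to load certificates\n");
        goto out;
    }

    /* Name/identifier match only; X509_V_OK here does not mean "signed by". */
    int issued = X509_check_issued(cacert, cert);
    printf("Validated cert against cert. Result: %i\n", (issued == X509_V_OK));

    /* Signature check: X509_verify() returns 1 only when cert's signature
     * verifies under cacert's public key. */
    cakey = X509_get_pubkey(cacert);
    if (cakey == NULL) {
        fprintf(stderr, "failed to extract CA public key\n");
        goto out;
    }
    int sig_ok = X509_verify(cert, cakey);
    printf("Verified cert signature with CA key. Result: %i\n", (sig_ok == 1));

out:
    /* The OpenSSL *_free() routines accept NULL, so partial failures are safe. */
    EVP_PKEY_free(cakey);
    X509_free(cert);
    X509_free(cacert);
}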


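/*
 * Initialise the OpenSSL library tables, run both validation variants, and
 * release the global error-string and algorithm tables.
 *
 * argc/argv are unused; the certificate file names are fixed in the two
 * validate_* helpers. Returns 0.
 */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    SSL_library_init();
    SSL_load_error_strings();
    ERR_load_BIO_strings();
    ERR_load_crypto_strings();
    OpenSSL_add_all_algorithms();
    OpenSSL_add_all_ciphers();
    OpenSSL_add_all_digests();

    validate_with_store();
    validate_without_store();

    ERR_free_strings();
    EVP_cleanup();
    return 0;
}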
