10.5. Performing X.509 Certificate Verification with OpenSSL
Problem
You have an X.509 certificate and you want to verify its validity using OpenSSL.
Solution
OpenSSL represents an X.509 certificate using an X509 object. Another object, an X509_STORE, must be combined with the X509 object to be verified into an X509_STORE_CTX object. An X509_STORE object contains the certificates that OpenSSL will use to verify the certificate under scrutiny, as well as an optional CRL. The X509_STORE_CTX object simply combines the X509_STORE and X509 objects. The actual certificate verification is performed by calling X509_verify_cert() and passing it the X509_STORE_CTX object.
Discussion
Actually performing the certificate verification requires a significant amount of setup work. Much of the work should not really be necessary, but there are some issues with the current version of OpenSSL that need to be addressed. The OpenSSL team is aware of the problems we have encountered, and we anticipate that they will be fixed at some point in the future, but unfortunately, we do not know when that might be.
OpenSSL provides a set of functions for manipulating X509_STORE objects, and we will be using them, but in versions of OpenSSL up to and including the initial release of 0.9.7, no X.509 objects are reference counted while other OpenSSL objects (including EVP_PKEY, SSL_CTX, and many others) are. This presents a problem for us because much of the code that we will be presenting needs to have only a single ...