10.5. Performing X.509 Certificate Verification with OpenSSL
You have an X.509 certificate and you want to verify its validity using OpenSSL.
OpenSSL represents an X.509 certificate using an X509 object. Another object, an X509_STORE, must be combined with the X509 object to be verified into an X509_STORE_CTX object. An X509_STORE object contains the certificates that OpenSSL will use to verify the certificate under scrutiny, as well as an optional CRL. The X509_STORE_CTX object simply combines the X509_STORE and X509 objects. The actual certificate verification is performed by calling X509_verify_cert( ) and passing it the X509_STORE_CTX object.
Actually performing the certificate verification requires a significant amount of setup work. Much of the work should not really be necessary, but there are some issues with the current version of OpenSSL that need to be addressed. The OpenSSL team is aware of the problems we have encountered, and we anticipate that they will be fixed at some point in the future, but unfortunately, we do not know when that might be.
OpenSSL provides a set of functions for manipulating X509_STORE objects, and we will be using them, but in versions of OpenSSL up to and including the initial release of 0.9.7, none of the X.509 objects are reference counted, while other OpenSSL objects (SSL_CTX and many others) are. This presents a problem for us because much of the code that we will be presenting needs to have only a single ...