Introduction


The example 'C' program certverify.c demonstrates how to perform a basic certificate validation against a root certificate authority, using the OpenSSL library functions.

Example Code Listing


/* ------------------------------------------------------------ *
 * file:        certverify.c                                    *
 * purpose:     Example code for OpenSSL certificate validation *
 * author:      06/12/2012 Frank4DD                             *
 *                                                              *
 * gcc -o certverify certverify.c -lssl -lcrypto                *
 * ------------------------------------------------------------ */

#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>

int main() {

  const char ca_bundlestr[] = "./ca-bundle.pem";
  const char cert_filestr[] = "./cert-file.pem";

  BIO              *certbio = NULL;
  BIO               *outbio = NULL;
  X509          *error_cert = NULL;
  X509                *cert = NULL;
  X509_NAME    *certsubject = NULL;
  X509_STORE         *store = NULL;
  X509_STORE_CTX  *vrfy_ctx = NULL;
  int ret;

  /* ---------------------------------------------------------- *
   * These function calls initialize openssl for correct work.  *
   * ---------------------------------------------------------- */
  OpenSSL_add_all_algorithms();
  ERR_load_BIO_strings();
  ERR_load_crypto_strings();

  /* ---------------------------------------------------------- *
   * Create the Input/Output BIO's.                             *
   * ---------------------------------------------------------- */
  certbio = BIO_new(BIO_s_file());
  outbio  = BIO_new_fp(stdout, BIO_NOCLOSE);

  /* ---------------------------------------------------------- *
   * Initialize the global certificate validation store object. *
   * ---------------------------------------------------------- */
  if (!(store=X509_STORE_new()))
     BIO_printf(outbio, "Error creating X509_STORE_CTX object\n");

  /* ---------------------------------------------------------- *
   * Create the context structure for the validation operation. *
   * ---------------------------------------------------------- */
  vrfy_ctx = X509_STORE_CTX_new();

  /* ---------------------------------------------------------- *
   * Load the certificate and cacert chain from file (PEM).     *
   * ---------------------------------------------------------- */
  ret = BIO_read_filename(certbio, cert_filestr);
  if (! (cert = PEM_read_bio_X509(certbio, NULL, 0, NULL))) {
    BIO_printf(outbio, "Error loading cert into memory\n");
    exit(-1);
  }

  ret = X509_STORE_load_locations(store, ca_bundlestr, NULL);
  if (ret != 1)
    BIO_printf(outbio, "Error loading CA cert or chain file\n");

  /* ---------------------------------------------------------- *
   * Initialize the ctx structure for a verification operation: *
   * Set the trusted cert store, the unvalidated cert, and any  *
   * potential certs that could be needed (here we set it NULL) *
   * ---------------------------------------------------------- */
  X509_STORE_CTX_init(vrfy_ctx, store, cert, NULL);

  /* ---------------------------------------------------------- *
   * Check the complete cert chain can be build and validated.  *
   * Returns 1 on success, 0 on verification failures, and -1   *
   * for trouble with the ctx object (i.e. missing certificate) *
   * ---------------------------------------------------------- */
  ret = X509_verify_cert(vrfy_ctx);
  BIO_printf(outbio, "Verification return code: %d\n", ret);

  if(ret == 0 || ret == 1)
  BIO_printf(outbio, "Verification result text: %s\n",
             X509_verify_cert_error_string(vrfy_ctx->error));

  /* ---------------------------------------------------------- *
   * The error handling below shows how to get failure details  *
   * from the offending certificate.                            *
   * ---------------------------------------------------------- */
  if(ret == 0) {
    /*  get the offending certificate causing the failure */
    error_cert  = X509_STORE_CTX_get_current_cert(vrfy_ctx);
    certsubject = X509_NAME_new();
    certsubject = X509_get_subject_name(error_cert);
    BIO_printf(outbio, "Verification failed cert:\n");
    X509_NAME_print_ex(outbio, certsubject, 0, XN_FLAG_MULTILINE);
    BIO_printf(outbio, "\n");
  }

  /* ---------------------------------------------------------- *
   * Free up all structures                                     *
   * ---------------------------------------------------------- */
  X509_STORE_CTX_free(vrfy_ctx);
  X509_STORE_free(store);
  X509_free(cert);
  BIO_free_all(certbio);
  BIO_free_all(outbio);
  exit(0);
}

Compiling the Code


Compile the test program with:

> gcc -o certverify certverify.c -lssl -lcrypto

Example Output


The program expects a certificate file called cert-file.pem and a CA certificate chain file ca-bundle.pem in the same directory. If both the server and root certificates are found and loaded, the following output is produced for a successful validation:

fm@susie114:~> ./certverify
Verification return code: 1
Verification result text: ok

Below is an example for a failed validation. In this particular case, the CA certificate does not match the signature on the server certificate.

fm@susie114:~> ./certverify
Verification return code: 0
Verification result text: unable to get local issuer certificate
Verification failed cert:
countryName               = JP
stateOrProvinceName       = Tokyo
commonName                = nagios.frank4dd.com

If there is an error in loading the certificate, the verification returns a negative number.

fm@susie114:~> ./certverify
Error loading cert into memory
Verification return code: -1

Remarks


The typical error message for a failed verification, " unable to get local issuer certificate", is very vague about the real problem. Consider having a longer chain of certificates, which one is broken? What is the offending key, serial, subject, etc? In the code above, this message is also returned if the CA file does not exist. Careful programming should catch all possible cases, OpenSSL offers to implement a callback function to handle errors individually with great detail.

The OpenSSL manual page for verify explains how the certificate verification process works.

The verification mode can be additionally controlled through 15 flags. Some add debugging options, but most notably are the flags for adding checks of external certificate revocation lists (CRL). These lists are still rarely used, both by CA vendors and SSL clients. That's why we see vendors like Microsoft issuing emergency patches to disable root CA's "trusted" status (MS advisory examples 2607712, 2718704) from their CA certificate lists. With a growing number of CA, signing mistakes, key compromise or collision attacks happen more often lately, resulting in a similar growing list of invalidated root certs. Below is an example screenshot of a recent Windows XP certificate store:

invalidated, untrusted root CA's in Windows XP

In further workarounds, Microsoft developed automatic root update mechanisms for their latest OS versions. Correctly establishing trust is critical, but today it is still rather messy and often far from being timely and fully reliable.


OpenSSL Logo

Topics:

Source:

Documentation: