Lunar Mushrooms

Reputation: 8918

Does the OpenSSL X509_verify_cert() verify the signature in the certificate?

Does the OpenSSL X509_verify_cert() API verify the RSA signature in the certificate?

To my understanding, that API checks only certificate validity (like the date check and so on).

Could somebody please clarify?

Upvotes: 4

Views: 5743

Answers (2)

Balamurugan

Reputation: 2359

The X509_verify_cert() API verifies based on the verification flags you set in the X509_STORE structure. With this API you can verify the certificate's:
1. Expiry
2. Issuer (trust path)
2.1 Intermediate certificates' expiry
2.2 Intermediate certificates' trust chain
2.3 Intermediate certificates' revocation
3. Revocation of the certificate against the CRL
3.1 CRL expiry
3.2 CRL trust path
(Note: to verify the CRL you need at least one certificate in the store_ctx variable)
4. Depth of the trust chain
5. Signature of the certificates

The flags for the different verifications are defined in the x509_vfy.h file:

    /* Send issuer+subject checks to verify_cb */
    #define X509_V_FLAG_CB_ISSUER_CHECK        0x1
    /* Use check time instead of current time */
    #define X509_V_FLAG_USE_CHECK_TIME         0x2
    /* Lookup CRLs */
    #define X509_V_FLAG_CRL_CHECK              0x4
    /* Lookup CRLs for whole chain */
    #define X509_V_FLAG_CRL_CHECK_ALL          0x8
    /* Ignore unhandled critical extensions */
    #define X509_V_FLAG_IGNORE_CRITICAL        0x10
    /* Disable workarounds for broken certificates */
    #define X509_V_FLAG_X509_STRICT            0x20
    /* Enable proxy certificate validation */
    #define X509_V_FLAG_ALLOW_PROXY_CERTS      0x40
    /* Enable policy checking */
    #define X509_V_FLAG_POLICY_CHECK           0x80
    /* Policy variable require-explicit-policy */
    #define X509_V_FLAG_EXPLICIT_POLICY        0x100
    /* Policy variable inhibit-any-policy */
    #define X509_V_FLAG_INHIBIT_ANY            0x200
    /* Policy variable inhibit-policy-mapping */
    #define X509_V_FLAG_INHIBIT_MAP            0x400
    /* Notify callback that policy is OK */
    #define X509_V_FLAG_NOTIFY_POLICY          0x800
    /* Extended CRL features such as indirect CRLs, alternate CRL signing keys */
    #define X509_V_FLAG_EXTENDED_CRL_SUPPORT   0x1000
    /* Delta CRL support */
    #define X509_V_FLAG_USE_DELTAS             0x2000
    /* Check selfsigned CA signature */
    #define X509_V_FLAG_CHECK_SS_SIGNATURE     0x4000

Upvotes: 5
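The checks listed in this answer can be watched in action from the command line: `openssl verify` is the CLI front end to X509_verify_cert(), and its `-attime` and `-CAfile` options map onto the check-time and trust-store settings that the flags above govern. The script below is an added example, not code from the answer or from OpenSSL: it builds a throwaway PKI (constructed test data), then runs the genuine leaf, a copy with one bit flipped in its signature, the leaf against an unrelated trust anchor, the leaf checked at a time past its validity, and finally the hostname check, which X509_verify_cert() only performs when a host is set on the verify parameters (X509_VERIFY_PARAM_set1_host() in C, `-verify_hostname` here). The function names `make_pki`, `verify_cert` and `report` are this example's own; it assumes an `openssl` binary on PATH plus `mktemp`, `od`, `head -c` and `date +%s`.

```shell
#!/bin/sh
# Added example (not from the original answer): drive X509_verify_cert()
# through `openssl verify` and show which check rejects which input.
# Assumes: openssl on PATH, mktemp, od, head -c, tail -c, date +%s.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed PKI: a root CA, a leaf it signs, an unrelated second CA, and a
# tampered copy of the leaf. Nothing here is real data.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Other Root CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null

  # Tampered copy: flip one bit in the last byte of the DER encoding. That
  # byte belongs to the signature BIT STRING (the final element of the
  # Certificate SEQUENCE), so dates, issuer and subject are untouched and
  # only the signature check can reject this file.
  openssl x509 -in "$WORK/leaf.pem" -outform DER -out "$WORK/leaf.der"
  size=$(wc -c < "$WORK/leaf.der")
  last=$(tail -c 1 "$WORK/leaf.der" | od -An -tu1 | tr -d ' ')
  {
    head -c "$((size - 1))" "$WORK/leaf.der"
    printf "\\$(printf '%03o' "$((last ^ 1))")"
  } > "$WORK/bad.der"
  openssl x509 -inform DER -in "$WORK/bad.der" -out "$WORK/bad.pem"
}

# verify_cert ANCHOR CERT [verify options...]
# Runs X509_verify_cert() via the CLI with ANCHOR as the only trusted root,
# prints OpenSSL's diagnostics on stdout and returns its exit status
# (0 = chain verified, non-zero = rejected).
verify_cert() {
  anchor="$1"; cert="$2"; shift 2
  openssl verify -CAfile "$anchor" "$@" "$cert" 2>&1
}

# report LABEL ANCHOR CERT [verify options...]: one-line summary that quotes
# the first diagnostic line (e.g. "certificate signature failure") on rejection.
report() {
  label="$1"; shift
  if out=$(verify_cert "$@"); then
    echo "$label: verified"
  else
    echo "$label: rejected ($(printf '%s\n' "$out" | head -n 1))"
  fi
}

make_pki
# 40 days from now is past the 30-day validity built above; -attime is the
# CLI equivalent of X509_V_FLAG_USE_CHECK_TIME / X509_VERIFY_PARAM_set_time().
expired_at=$(( $(date +%s) + 40 * 86400 ))

report "genuine leaf            " "$WORK/ca.pem"    "$WORK/leaf.pem"
report "bit flipped in signature" "$WORK/ca.pem"    "$WORK/bad.pem"
report "unrelated trust anchor  " "$WORK/other.pem" "$WORK/leaf.pem"
report "checked 40 days from now" "$WORK/ca.pem"    "$WORK/leaf.pem" -attime "$expired_at"
report "hostname leaf.example   " "$WORK/ca.pem"    "$WORK/leaf.pem" -verify_hostname leaf.example
report "hostname evil.example   " "$WORK/ca.pem"    "$WORK/leaf.pem" -verify_hostname evil.example
```

The second line of output is the direct answer to the question: the tampered file differs from the genuine leaf only in its signature, and X509_verify_cert() rejects it with "certificate signature failure" (X509_V_ERR_CERT_SIGNATURE_FAILURE), so the signature really is checked, not just the dates. The last two lines show the caveat: a chain that verifies is still not bound to any peer until a hostname is set on the verify parameters, which is why code that calls X509_verify_cert() by hand must also call X509_VERIFY_PARAM_set1_host() (or check the SAN itself) before trusting a connection.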

user257111

X509_verify_cert() essentially checks a certificate's validity. That includes verifying that the signatures that have signed the cert, belonging to CAs, are valid and in date; it will process the entire chain like that.

It does not, however, verify that a given RSA signature is valid: although it validates RSA signatures as part of its work, it isn't what you should use to do that.

It is, broadly speaking, like the functionality that runs when you get a certificate error browsing an SSL site.

Upvotes: 3
