Zohar81

Reputation: 5074

Validate certificate chain in PKCS#7 format

I've extracted PKCS#7 formatted in ASN1, and I'd like to verify its certificate chain (meaning that each certificate was properly signed by the certificate above it, from root to leaf).

In openssl, there's the following API :

int PKCS7_verify(PKCS7 *p7, 
                 STACK_OF(X509) *certs, 
                 X509_STORE *store, 
                 BIO *indata, 
                 BIO *out, 
                 int flags);

However, I don't have a trusted certificate store.

I have a separate function that validates the integrity of the root certificate, and that's enough for me.

Assuming that I already trust the root certificate, why do I need the store certificates structure in order to verify that the chain is properly signed ?

thanks

Upvotes: 1

Views: 1869

Answers (1)

Reinier Torenbeek

Reputation: 17383

The question is why do I need the store in order to verify that the chain is properly signed ?

You do not necessarily need a store parameter, you can set it to NULL as well and just verify the signature and not the entire chain of certificates. In that case, you should use the flag PKCS7_NOVERIFY, as explained in the manual for PKCS7_verify(). However, if you do want to verify the chain of certificates as well, you will somehow have to provide a mechanism to tell OpenSSL that you trust the root certificate and X509_STORE is a way to achieve that.

However, I don't have a trusted certificate store.

From your question, it is not entirely clear what your situation is. But you do write that you have a separate function to "validate the integrity of the root certificate".

In that case, you can instantiate an X509_STORE object with X509_STORE_new() and add your trusted certificate to it. There is an example in the OpenSSL source code tree of that in the setup_verify() function, which is for the case that the trusted certificate is available in a file. Or you could use X509_STORE_add_cert() if that fits your purpose better. After you have added that trusted certificate, you can use the store as a parameter to your PKCS7_verify() invocation.

Upvotes: 1
