Beefy Boxes and Bandwidth Generously Provided by pair Networks
Pathologically Eclectic Rubbish Lister
 
PerlMonks  

Re: NET::SSLeay to verify certificates?

by rdfield (Priest)
on Oct 04, 2018 at 13:54 UTC ( #1223519=note: print w/replies, xml ) Need Help??


in reply to NET::SSLeay to verify certificates?

Not really a proper Perl solution, but I couldn't find out how to make the low level routines in Net::SSLeay work (the documentation states that the certificate verification code isn't well tested). Anyway, here's an Inline C bit of code that works on Debian Stretch:
use strict; use warnings; use Inline Config => force_build => 0, clean_after_build => 1; use Inline C => 'DATA'; use Inline C => Config => DIRECTORY => "/tmp" => enable => 'UNTAINT' => inc => '-I/usr/include' => libs => ' -lssl -lcrypto '; my $CAfile = "cacert.pem"; my $Cert = "good.crt"; my $Cert2 = "selfsigned.crt"; print "cert1 = " . verify_cert($CAfile, $Cert) . "\n"; print "cert2 = " . verify_cert($CAfile, $Cert2) . "\n"; __DATA__ __C__ #include <openssl/bio.h> #include <openssl/err.h> #include <openssl/pem.h> #include <openssl/x509.h> #include <openssl/x509_vfy.h> char *verify_cert(char *ca_bundlestr, char *cert_filestr) { BIO *certbio = NULL; BIO *outbio = NULL; X509 *error_cert = NULL; X509 *cert = NULL; X509_NAME *certsubject = NULL; X509_STORE *store = NULL; X509_STORE_CTX *vrfy_ctx = NULL; int ret; char *retmsg; OpenSSL_add_all_algorithms(); ERR_load_BIO_strings(); ERR_load_crypto_strings(); certbio = BIO_new(BIO_s_file()); if (!(store=X509_STORE_new())) { size_t needed = snprintf(NULL, 0, "Error creating X509_STORE_CTX +object") + 1; retmsg = malloc(needed); snprintf(retmsg, needed, "Error creating X509_STORE_CTX object"); goto done; } vrfy_ctx = X509_STORE_CTX_new(); ret = BIO_read_filename(certbio, cert_filestr); if (! (cert = PEM_read_bio_X509(certbio, NULL, 0, NULL))) { size_t needed = snprintf(NULL, 0, "Error loading cert into memory +") + 1; retmsg = malloc(needed); snprintf(retmsg, needed, "Error loading cert into memory"); goto done; } ret = X509_STORE_load_locations(store, ca_bundlestr, NULL); if (ret != 1) { size_t needed = snprintf(NULL, 0, "Error loading CA cert or chain + file") + 1; retmsg = malloc(needed); snprintf(retmsg, needed, "Error loading CA cert or chain file"); goto done; } X509_STORE_CTX_init(vrfy_ctx, store, cert, NULL); ret = X509_verify_cert(vrfy_ctx); if( ret == 0 ) { size_t needed = snprintf(NULL, 0, "Error %s", X509_verify_cert_er +ror_string(X509_STORE_CTX_get_error (vrfy_ctx))) + 1; retmsg = malloc(needed); snprintf(retmsg, needed, "Error %s", X509_verify_cert_error_strin +g(X509_STORE_CTX_get_error (vrfy_ctx))); } else { size_t needed = snprintf(NULL, 0, "OK") + 1; retmsg = malloc(needed); snprintf(retmsg, needed, "OK"); } done: X509_STORE_CTX_free(vrfy_ctx); X509_STORE_free(store); X509_free(cert); BIO_free_all(certbio); return( retmsg ); }
running it:
$ perl verify_certs.pl cert1 = OK cert2 = Error self signed certificate
(code is based on this source: original C code )

rdfield

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://1223519]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others rifling through the Monastery: (9)
As of 2021-03-01 10:42 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found

    Notices?