Not really a proper Perl solution, but I couldn't find out how to make the low level routines in Net::SSLeay work (the documentation states that the certificate verification code isn't well tested). Anyway, here's an Inline C bit of code that works on Debian Stretch:
use strict;
use warnings;
use Inline Config =>
force_build => 0,
clean_after_build => 1;
use Inline C => 'DATA';
use Inline C => Config =>
DIRECTORY => "/tmp" =>
enable => 'UNTAINT' =>
inc => '-I/usr/include' =>
libs => ' -lssl -lcrypto ';
my $CAfile = "cacert.pem";
my $Cert = "good.crt";
my $Cert2 = "selfsigned.crt";
print "cert1 = " . verify_cert($CAfile, $Cert) . "\n";
print "cert2 = " . verify_cert($CAfile, $Cert2) . "\n";
__DATA__
__C__
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>
char *verify_cert(char *ca_bundlestr, char *cert_filestr) {
BIO *certbio = NULL;
BIO *outbio = NULL;
X509 *error_cert = NULL;
X509 *cert = NULL;
X509_NAME *certsubject = NULL;
X509_STORE *store = NULL;
X509_STORE_CTX *vrfy_ctx = NULL;
int ret;
char *retmsg;
OpenSSL_add_all_algorithms();
ERR_load_BIO_strings();
ERR_load_crypto_strings();
certbio = BIO_new(BIO_s_file());
if (!(store=X509_STORE_new())) {
size_t needed = snprintf(NULL, 0, "Error creating X509_STORE_CTX
+object") + 1;
retmsg = malloc(needed);
snprintf(retmsg, needed, "Error creating X509_STORE_CTX object");
goto done;
}
vrfy_ctx = X509_STORE_CTX_new();
ret = BIO_read_filename(certbio, cert_filestr);
if (! (cert = PEM_read_bio_X509(certbio, NULL, 0, NULL))) {
size_t needed = snprintf(NULL, 0, "Error loading cert into memory
+") + 1;
retmsg = malloc(needed);
snprintf(retmsg, needed, "Error loading cert into memory");
goto done;
}
ret = X509_STORE_load_locations(store, ca_bundlestr, NULL);
if (ret != 1) {
size_t needed = snprintf(NULL, 0, "Error loading CA cert or chain
+ file") + 1;
retmsg = malloc(needed);
snprintf(retmsg, needed, "Error loading CA cert or chain file");
goto done;
}
X509_STORE_CTX_init(vrfy_ctx, store, cert, NULL);
ret = X509_verify_cert(vrfy_ctx);
if( ret == 0 ) {
size_t needed = snprintf(NULL, 0, "Error %s", X509_verify_cert_er
+ror_string(X509_STORE_CTX_get_error (vrfy_ctx))) + 1;
retmsg = malloc(needed);
snprintf(retmsg, needed, "Error %s", X509_verify_cert_error_strin
+g(X509_STORE_CTX_get_error (vrfy_ctx)));
} else {
size_t needed = snprintf(NULL, 0, "OK") + 1;
retmsg = malloc(needed);
snprintf(retmsg, needed, "OK");
}
done:
X509_STORE_CTX_free(vrfy_ctx);
X509_STORE_free(store);
X509_free(cert);
BIO_free_all(certbio);
return( retmsg );
}
running it:
$ perl verify_certs.pl
cert1 = OK
cert2 = Error self signed certificate
(code is based on this source:
original C code )
-
Are you posting in the right place? Check out Where do I post X? to know for sure.
-
Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
<code> <a> <b> <big>
<blockquote> <br /> <dd>
<dl> <dt> <em> <font>
<h1> <h2> <h3> <h4>
<h5> <h6> <hr /> <i>
<li> <nbsp> <ol> <p>
<small> <strike> <strong>
<sub> <sup> <table>
<td> <th> <tr> <tt>
<u> <ul>
-
Snippets of code should be wrapped in
<code> tags not
<pre> tags. In fact, <pre>
tags should generally be avoided. If they must
be used, extreme care should be
taken to ensure that their contents do not
have long lines (<70 chars), in order to prevent
horizontal scrolling (and possible janitor
intervention).
-
Want more info? How to link
or How to display code and escape characters
are good places to start.
