Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Do the openssl X509_verify_cert() verifies the signature in the certificate?

Tags:

c

linux

openssl

Do the openssl X509_verify_cert() API verifies the RSA signature in the certificate ?

To my understanding , that API checks only certificate validity (like date check and all).

Somebody please clarify ?

like image 825
Lunar Mushrooms Avatar asked Feb 21 '23 14:02

Lunar Mushrooms

1 Answers

API X509_verify_cert() verifies based on the Verification flag u set in the X509_store structure . With this API u can verify the Certificate
1.Expiry
2.Issuer (Trust path)
2.1 Intermediate certificates Expiry ,
2.2 Intermediate certificates Trust chain ,
2.3 Intermediate certificates Revocation ,
3.Revocation of the Certificate against the CRL
3.1 CRL expiry
3.2 CRL Trust path
(Note : verify the CRL u need minimum one Certificate atleast in the store_ctx variable)
4.Depth of the Trust chain
5.Signature of the Certificates

Flags for different verification were mentioned in the x509_vfy.h file

        /* Send issuer+subject checks to verify_cb */
       #define  X509_V_FLAG_CB_ISSUER_CHECK     0x1
      /* Use check time instead of current time */
       #define  X509_V_FLAG_USE_CHECK_TIME      0x2
      /* Lookup CRLs */
      #define   X509_V_FLAG_CRL_CHECK           0x4
        /* Lookup CRLs for whole chain */
      #define   X509_V_FLAG_CRL_CHECK_ALL       0x8
        /* Ignore unhandled critical extensions */
      #define   X509_V_FLAG_IGNORE_CRITICAL     0x10
     /* Disable workarounds for broken certificates */
     #define    X509_V_FLAG_X509_STRICT         0x20
     /* Enable proxy certificate validation */
      #define   X509_V_FLAG_ALLOW_PROXY_CERTS       0x40
      /* Enable policy checking */
        #define X509_V_FLAG_POLICY_CHECK        0x80
     /* Policy variable require-explicit-policy */
   #define X509_V_FLAG_EXPLICIT_POLICY      0x100
    /* Policy variable inhibit-any-policy */
    #define X509_V_FLAG_INHIBIT_ANY         0x200
     /* Policy variable inhibit-policy-mapping */
      #define X509_V_FLAG_INHIBIT_MAP           0x400
    /* Notify callback that policy is OK */
     #define X509_V_FLAG_NOTIFY_POLICY      0x800
     /* Extended CRL features such as indirect CRLs, alternate CRL signing keys */
     #define X509_V_FLAG_EXTENDED_CRL_SUPPORT   0x1000
    /* Delt1a CRL support */
    #define X509_V_FLAG_USE_DELTAS          0x2000
     /* Check selfsigned CA signature */
   #define X509_V_FLAG_CHECK_SS_SIGNATURE       0x4000
like image 91
Balamurugan Avatar answered Feb 24 '23 14:02

Balamurugan
Sign in to Comment

Related questions

C- Socket : Programming a Client/Server-Application to send a file
Extracting I-Frames from H264 in MPEG-TS in C
printf like behaviour?
Time taken for memcpy decreases after certain point
Find huge blocks of allocated memory
OS X/Linux audio playback with an event-based interface?
Linux daemon localhost works but not the actual IP
Why do variables live longer (have bigger scopes) in Python than in C?
working with strings in c
OpenGL - maintaining aspect ratio upon window resize
_IO_wide_data_2: what's this?
Sockets UDP: Using Sender Info from Recvfrom() in Sendto() Fails
How to cancel an alarm() signal via a child process?
C malloc, memory usage only when populating
Error compiling process SIGALRM kill
Finding maximum and minimum with CUBLAS
Is this multiply-divide function correct?
Is the amount of padding in structure in C is Compiler dependent or well defined?
Free a pointer without knowing the length [duplicate]
16-bit C code compiled with GCC

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!