how to validate a client Certificate using the trusted internediate CA certificate?

Question

I am having client Certificate "A" which is signed by the CA1 certificate. CA1 certificate is signed by the Root certificate.

Now I have the CA1 certificate (trusted ) and received Client certificate (non trusted ) . during validation I need to verify the trust path of the client certificate using CA1 (trusted) only .. I dont have /receive the Root certificate.

Is it possible to do this validation ?

I am using Openssl 1.0.0g version library. If any one know how to do that please share with me .

Answer 1

Since, you have given the Tag, ssl-certificate, I assume that you need such a validation during an SSL connection for either Server Cert Validation or Client Cert Validation.

A simple way of achieving this, by setting the verification callback using the OpenSSL API SSL_CTX_set_verify.

The gist is that, this callback will be called everytime an error is encountered during the certificate validation, so in your case, when root could not be found, then this callback will be called with the error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT. You will also have access to X509_STORE_CTX * from which you can get the details of the certificates verified so far. Using this mechanism, you can implement appropriate logic in your code to see if your End Entity and intermediate CA certs are correct and if found to be fine, you can return success from the callback, which will signal to the OpenSSL to continue with the Validation without failing the verification.

---

More details from the documentation of OpenSSL:

The verify_callback function is used to control the behaviour when the SSL_VERIFY_PEER flag is set. It must be supplied by the application and receives two arguments: preverify_ok indicates, whether the verification of the certificate in question was passed (preverify_ok=1) or not (preverify_ok=0). x509_ctx is a pointer to the complete context used for the certificate chain verification.

The certificate chain is checked starting with the deepest nesting level (the root CA certificate) and worked upward to the peer's certificate. At each level signatures and issuer attributes are checked. Whenever a verification error is found, the error number is stored in x509_ctx and verify_callback is called with preverify_ok=0. By applying X509_CTX_store_* functions verify_callback can locate the certificate in question and perform additional steps (see EXAMPLES). If no error is found for a certificate, verify_callback is called with preverify_ok=1 before advancing to the next level.

The return value of verify_callback controls the strategy of the further verification process. If verify_callback returns 0, the verification process is immediately stopped with ``verification failed'' state. If SSL_VERIFY_PEER is set, a verification failure alert is sent to the peer and the TLS/SSL handshake is terminated. If verify_callback returns 1, the verification process is continued. If verify_callback always returns 1, the TLS/SSL handshake will not be terminated with respect to verification failures and the connection will be established. The calling process can however retrieve the error code of the last verification error using SSL_get_verify_result(3) or by maintaining its own error storage managed by verify_callback.

If no verify_callback is specified, the default callback will be used. Its return value is identical to preverify_ok, so that any verification failure will lead to a termination of the TLS/SSL handshake with an alert message, if SSL_VERIFY_PEER is set.