Validate certificate chain in PKCS#7 format
I've extracted a PKCS#7 formatted in ASN.1, and I'd like to verify its certificate chain (meaning that each certificate was properly signed by the certificate above it, from root to leaf).
In OpenSSL, there's the following API:

    int PKCS7_verify(PKCS7 *p7,
                     STACK_OF(X509) *certs,
                     X509_STORE *store,
                     BIO *indata,
                     BIO *out,
                     int flags);

However, I don't have a trusted certificate store.
I have a separate function that validates the integrity of the root certificate, and that's enough for me.
Assuming that I already trust the root certificate, why do I need the store certificates structure in order to verify that the chain is properly signed?
thanks
openssl x509 pkcs#7 asn1
asked Nov 7 at 15:57 by Zohar81, edited Nov 7 at 23:01
Note X509_cert_verify which PKCS7_verify calls (unless you set PKCS7_NOVERIFY as Reinier noted) does fairly full chain validation which is much more than just verifying each cert's signature by its parent. It also checks expiration, several extensions if present especially BC and KU, and revocation if CRLs are provided (which is rare nowadays).
– dave_thompson_085
Nov 10 at 1:56
1 Answer
The question is why do I need the store in order to verify that the chain is properly signed?
You do not necessarily need a store parameter, you can set it to NULL as well and just verify the signature and not the entire chain of certificates. In that case, you should use the flag PKCS7_NOVERIFY, as explained in the manual for PKCS7_verify(). However, if you do want to verify the chain of certificates as well, you will somehow have to provide a mechanism to tell OpenSSL that you trust the root certificate, and X509_STORE is a way to achieve that.
However, I don't have a trusted certificate store.
From your question, it is not entirely clear what your situation is. But you do write that you have a separate function to "validate the integrity of the root certificate".
In that case, you can instantiate an X509_STORE object with X509_STORE_new() and add your trusted certificate to it. There is an example of that in the OpenSSL source code tree, in the setup_verify() function, which is for the case that the trusted certificate is available in a file. Or you could use X509_STORE_add_cert() if that fits your purpose better. After you have added that trusted certificate, you can use the store as a parameter to your PKCS7_verify() invocation.
answered Nov 7 at 22:40 by Reinier Torenbeek (accepted), edited Nov 10 at 1:39
Hi and thanks for your precious help. Just to clarify, all I got is the PKCS#7 structure in ASN.1 format, extracted from a PE file. First stage is to verify the root certificate by hashing it and comparing the result to a predefined whitelist of certificate hashes. Then, I'd like to make sure that all the certificates in the chain were well signed by their upper-level certificate (except for the root, of course). So if I add the root certificate to the X509_STORE, that would be enough for PKCS7_verify to verify the entire chain, right?
– Zohar81
Nov 7 at 22:56
In order to get the OpenSSL PKCS7 * structure from the ASN.1 format, you need to use d2i_PKCS7_bio(), but you may have done that already. But apart from that: yes, if you trust that root certificate, you can add it to the X509_STORE and that should be enough for PKCS7_verify() to verify the signature as well as the certificate chain up to your trusted certificate.
– Reinier Torenbeek
Nov 7 at 23:01
Thanks, you've confirmed my theory.
– Zohar81
Nov 7 at 23:04
My pleasure. However, the best way to get confirmation is to create a set of tests :-)
– Reinier Torenbeek
Nov 7 at 23:07
Hi, after I've tried to validate my PKCS#7 in this method, I got the following error from ERR_print_error_fp:
140735569544136:error:21075075:lib(33):func(117):reason(117):pk7_smime.c:336:Verify error:unable to get local issuer certificate
Any idea what it stands for? Thanks
– Zohar81
Nov 9 at 23:07
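The verification modes discussed in the answer and the comments, as an added example that is not part of the original post and not OpenSSL's or the asker's code: it drives them through the openssl CLI's smime subcommand, which wraps the same PKCS7_verify() and builds its X509_STORE with the setup_verify() the answer mentions, so -CAfile is the store holding the trusted root and -noverify is PKCS7_NOVERIFY. It assumes an openssl binary (1.1.1 or later, for the -no-CAfile/-no-CApath options) on PATH; every key, certificate and signed message is generated by the script itself, and the last case reproduces the "unable to get local issuer certificate" reason quoted in the final comment for one situation that causes it, a chain whose intermediate is neither in the PKCS#7 nor in the store.

```shell
#!/usr/bin/env bash
# Added example, not code from the question or the answer. "openssl smime -verify"
# calls the same PKCS7_verify() as the C API and builds its X509_STORE with the
# setup_verify() the answer mentions: -CAfile is the store holding the trusted root,
# -noverify is PKCS7_NOVERIFY, and -no-CAfile/-no-CApath keep the system trust
# store out of the picture. All keys, certificates and the signed message below
# are generated test data.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# issue NAME SUBJECT EXTFILE ISSUER_CERT [ISSUER_KEY]; ISSUER_CERT=self -> self-signed
issue() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "$2" >/dev/null 2>&1
    if [ "$4" = self ]; then
        openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 2 -extfile "$3" \
            -out "$1.pem" >/dev/null 2>&1
    else
        openssl x509 -req -in "$1.csr" -CA "$4" -CAkey "$5" -CAcreateserial -days 2 \
            -extfile "$3" -out "$1.pem" >/dev/null 2>&1
    fi
}

# Root -> intermediate -> leaf. Full chain validation checks basicConstraints and
# keyUsage as well as each signature, so the CA certificates carry proper extensions.
make_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' > ee.ext
    issue root  "/CN=Test Root"         ca.ext self
    issue inter "/CN=Test Intermediate" ca.ext root.pem  root.key
    issue leaf  "/CN=Test Signer"       ee.ext inter.pem inter.key
}

# sign_p7 OUT [INTERMEDIATE]: DER-encoded PKCS#7 SignedData over msg.txt, signed by
# the leaf; the optional intermediate goes into the PKCS#7 certificate set.
sign_p7() {
    printf 'hello from the added example\n' > msg.txt
    openssl smime -sign -in msg.txt -signer leaf.pem -inkey leaf.key -nodetach \
        -outform DER -out "$1" ${2:+-certfile "$2"} >/dev/null 2>&1
}

# verify_p7 P7 [openssl smime options...]: prints OK, or FAIL: plus the X.509 verify
# reason, which is the text the C API reports after "Verify error:".
verify_p7() {
    local p7=$1 err
    shift
    if err=$(openssl smime -verify -inform DER -in "$p7" -out /dev/null "$@" 2>&1); then
        echo OK
    else
        echo "$err" | grep -o 'Verify error:.*' | head -n 1 | sed 's/^Verify error: */FAIL: /'
    fi
}

make_chain
sign_p7 full.p7 inter.pem    # leaf + intermediate inside the PKCS#7
sign_p7 leafonly.p7          # leaf only; the intermediate is nowhere to be found

echo "root in store, full chain:       $(verify_p7 full.p7 -CAfile root.pem -no-CAfile -no-CApath)"
echo "empty store, full validation:    $(verify_p7 full.p7 -no-CAfile -no-CApath)"
echo "empty store, PKCS7_NOVERIFY:     $(verify_p7 full.p7 -noverify -no-CAfile -no-CApath)"
echo "root in store, no intermediate:  $(verify_p7 leafonly.p7 -CAfile root.pem -no-CAfile -no-CApath)"
```

The third case shows what PKCS7_NOVERIFY gives up: the signature checks out against the leaf carried inside the PKCS#7, but nothing ties that leaf to a trusted root.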