RSA BSAFE SSL-C

Security protocol components for C


Certificate Verification Functions

This section describes the functions which customize the SSL protocol's certificate verification functionality.

Typedefs

typedef int SSL_CTX_CERT_VERIFY_CB_T (SSLCERT_STORE_CTX *store_ctx, char *arg)
 The prototype for a user-defined verification routine. More...

typedef int SSL_CTX_APP_VERIFY_CB_T (SSL *ssl, SSLCERT **certs, int num, char *arg, long *verify_result)
 The prototype for a user-defined verification callback function. More...

typedef int SSL_VERIFY_CB_T (int ok, SSLCERT_STORE_CTX *store_ctx)
 The prototype for a user-defined extension to the default internal verification callback. More...


Functions

SSLCERT_STORE * SSL_CTX_get_cert_store (SSL_CTX *ctx)
 Returns the structure for storing all data required for verification of a certificate chain for the SSL_CTX ctx. More...

void SSL_CTX_set_cert_store (SSL_CTX *, SSLCERT_STORE *)
 Specifies the SSLCERT_STORE store which stores all data required for verification of a certificate chain for the SSL_CTX ctx. More...

void SSL_CTX_set_verify_depth (SSL_CTX *ssl_ctx, int depth)
 Sets the verification depth for the SSL_CTX. More...

int SSL_CTX_get_verify_depth (SSL_CTX *ssl_ctx)
 Returns the certificate verification depth, which limits the number of certificates accepted in a chain. More...

int SSL_CTX_get_verify_mode (SSL_CTX *ctx)
 Returns the certificate verification mode for the SSL_CTX ctx. More...

void SSL_CTX_set_verify_mode (SSL_CTX *ctx, int mode)
 Sets the mode for the verification of peer certificates. More...

void SSL_CTX_set_cert_verify_cb (SSL_CTX *ctx, SSL_CTX_CERT_VERIFY_CB_T *cb, char *arg)
 Sets a user-defined certificate verification callback against the SSL_CTX. More...

void SSL_CTX_set_app_verify_cb (SSL_CTX *ctx, SSL_CTX_APP_VERIFY_CB_T *cb, char *arg)
 Sets the application verification callback for the SSL_CTX ctx. More...

SSL_CTX_APP_VERIFY_CB_T * SSL_CTX_get_app_verify_cb (SSL_CTX *ctx)
 Returns the application-supplied verification callback associated with the SSL_CTX. More...

char* SSL_CTX_get_app_verify_cb_arg (SSL_CTX *ctx)
 Returns the address of the user-defined application verification callback argument for the SSL_CTX ctx. More...

int SSL_CTX_set_default_verify_paths (SSL_CTX *ctx)
 Associates the pre-defined path and filenames for certificate verification with the SSL_CTX in a similar way to SSL_CTX_load_verify_locations(). More...

int SSL_CTX_load_verify_locations (SSL_CTX *ctx, char *CAfile, char *CApath)
 Specifies the directories, filenames and location of trusted certificates. More...

int SSL_CTX_add_certificate_to_store (SSL_CTX *ctx, SSLCERT *cert)
 Adds a certificate to the store managed by the SSL_CTX structure. More...

void SSL_CTX_set_verify (SSL_CTX *ctx, int mode, SSL_VERIFY_CB_T *cb)
 Sets a certificate verification callback against the SSL_CTX that extends the default internal verification. More...

void SSL_set_verify (SSL *ssl, int mode, SSL_VERIFY_CB_T *cb)
 Sets a certificate verification callback against the SSL that extends the default internal verification. More...

void SSL_CTX_set_verify_cb (SSL_CTX *ctx, SSL_VERIFY_CB_T *cb)
 Sets a certificate verification callback against the SSL_CTX that extends the default internal verification. More...

SSL_VERIFY_CB_T * SSL_CTX_get_verify_cb (SSL_CTX *ctx)
 Returns the certificate verification callback set against the SSL_CTX. More...

void SSL_set_verify_cb (SSL *s, SSL_VERIFY_CB_T *cb)
 Sets a certificate verification callback against the SSL that extends the default internal verification. More...

SSL_VERIFY_CB_T * SSL_get_verify_cb (SSL *ssl)
 Returns the certificate verification callback set against the SSL. More...

void SSL_set_verify_result (SSL *ssl, long verify)
 Sets the result of the certificate verification callback. More...

long SSL_get_verify_result (SSL *ssl)
 Returns the result of the certificate verification function. More...

int SSL_get_verify_depth (SSL *ssl)
 Returns the certificate verification depth, which limits the number of certificates accepted in a chain. More...

void SSL_set_verify_depth (SSL *ssl, int depth)
 Sets the verification depth for the SSL and determines the maximum number of certificates acceptable in a chain. More...

int SSL_get_verify_mode (SSL *ssl)
 Returns the certificate verification mode. More...

void SSL_set_verify_mode (SSL *ssl, int mode)
 Sets the verification mode for the SSL. More...

int SSLCERT_verify (SSLCERT *cert, EVP_PKEY *pkey)
 Verifies the SSLCERT certificate cert using the public key pkey. More...

int SSLCERT_get_notAfter (SSLCERT *cert, unsigned int *type, unsigned char **pp, long *length)
 Returns a reference to the string representation of the NotAfter field of the specified certificate. More...

int SSLCERT_get_notBefore (SSLCERT *cert, unsigned int *type, unsigned char **pp, long *length)
 Returns a reference to the string representation of the NotBefore field of the specified certificate. More...

int SSLCERT_subject_name_cmp (SSLCERT *cert1, SSLCERT *cert2)
 Compares the subject names of the two specified SSLCERT structures cert1 and cert2. More...

int SSLCERT_SKI_keyid_cmp (SSLCERT *cert1, SSLCERT *cert2)
 Compares the Subject Key Identifier (SKI) key ids of the two specified SSLCERT structures cert1 and cert2. More...

int SSLCERT_check_private_key (SSLCERT *cert, EVP_PKEY *pkey)
 Checks that the passed private key pkey was used when signing the certificate cert. More...

int SSLCERT_verify_signature (int alg_id, unsigned char *data, unsigned int dlen, unsigned char *signature, unsigned int slen, EVP_PKEY *pubkey)
 Verifies the signature value by generating a hash of the data and comparing it with the hash retrieved from the signature data using the public key. More...


Typedef Documentation

typedef int SSL_CTX_APP_VERIFY_CB_T(SSL *ssl, SSLCERT **certs, int num, char *arg, long *verify_result)
 

The prototype for a user-defined verification callback function.

Parameters:
ssl [In] An SSL reference.
certs [In] The array of certificate pointers.
num [In] The number of certificate pointers.
arg [In] A caller-defined pointer argument.
verify_result [Out] The result of the verification.
One of Certificate Verification States.
Returns:
1 indicates success.
0 indicates error.
See also:
SSL_CTX_set_app_verify_cb(), SSL_CTX_get_app_verify_cb() and SSL_CTX_get_app_verify_cb_arg().

typedef int SSL_CTX_CERT_VERIFY_CB_T(SSLCERT_STORE_CTX *store_ctx, char *arg)
 

The prototype for a user-defined verification routine. This callback has access to the full SSLCERT_STORE Application Programming Interface (API).

Parameters:
store_ctx [In] The SSLCERT_STORE_CTX reference where the peer certificate chain is stored.
arg [In] A caller-defined pointer argument.
See also:
SSL_CTX_set_cert_verify_cb().

typedef int SSL_VERIFY_CB_T(int ok, SSLCERT_STORE_CTX *store_ctx)
 

The prototype for a user-defined extension to the default internal verification callback.

Parameters:
ok [In] The return status of the default internal verification callback, using the same convention as every other result in this section (confirm against the header):
  • 1 indicates the internal verification passed.
  • 0 indicates the internal verification failed.
store_ctx [In] The certificate store holding the peer certificate chain.
Returns:
1 indicates success (the certificate is accepted).
0 indicates error (the certificate is rejected).
Caution: returning 1 when ok is 0 overrides a failed internal check and accepts the peer certificate. Only do this deliberately, after performing an equivalent check of your own; a callback that returns 1 unconditionally disables certificate verification.
See also:
SSL_CTX_set_verify_cb(), SSL_CTX_get_verify_cb(), SSL_set_verify_cb() and SSL_get_verify_cb().


    Function Documentation

    int SSL_CTX_add_certificate_to_store SSL_CTX   ctx,
    SSLCERT   cert
    ;
     

    Adds a certificate to the store managed by the SSL_CTX structure. The certificate can then be used for any certificate chain verification.

    Parameters:
    ctx [In] The SSL_CTX reference.
    cert [In] The SSLCERT reference.
    Returns:
    1 indicates success.
    0 indicates error.
    See also:
    SSL_CTX_load_verify_locations().

    SSL_CTX_APP_VERIFY_CB_T* SSL_CTX_get_app_verify_cb SSL_CTX   ctx ;
     

    Returns the application-supplied verification callback associated with the SSL_CTX.

    Parameters:
    ctx [In] The SSL_CTX reference from which to retrieve the default callback reference.
    Returns:
    The verification callback.
    NULL indicates no callbacks have been set.
    See also:
    SSL_CTX_set_app_verify_cb().

    char* SSL_CTX_get_app_verify_cb_arg SSL_CTX   ctx ;
     

    Returns the address of the user-defined application verification callback argument for the SSL_CTX ctx. This is the arg value registered with SSL_CTX_set_app_verify_cb(); it is handed to the application verification callback each time that callback is invoked.

    Parameters:
    ctx [In] The SSL_CTX reference from which to retrieve the default callback argument.
    Returns:
    The callback argument.
    NULL indicates the argument is not set.
    See also:
    SSL_CTX_set_app_verify_cb() and SSL_CTX_get_app_verify_cb().

    SSLCERT_STORE* SSL_CTX_get_cert_store SSL_CTX   ctx ;
     

    Returns the structure for storing all data required for verification of a certificate chain for the SSL_CTX ctx.

    Parameters:
    ctx [In] The SSL_CTX reference that holds the X.509 store.
    Returns:
    A reference to the SSLCERT_STORE that is bound to the SSL_CTX.
    See also:
    SSL_CTX_set_cert_store().

    SSL_VERIFY_CB_T* SSL_CTX_get_verify_cb SSL_CTX   ctx ;
     

    Returns the certificate verification callback set against the SSL_CTX.

    Parameters:
    ctx [In] The SSL_CTX reference where the callback is set.
    Returns:
    A reference to the callback if set.
    NULL indicates error.

    int SSL_CTX_get_verify_depth SSL_CTX   ctx ;
     

    Returns the certificate verification depth, which limits the number of certificates accepted in a chain.

    Parameters:
    ctx [In] The SSL_CTX reference where the depth is set.
    Returns:
    -1 indicates the depth was not set.
    Otherwise indicates depth.

    int SSL_CTX_get_verify_mode SSL_CTX   ctx ;
     

    Returns the certificate verification mode for the SSL_CTX ctx.

    Parameters:
    ctx [In] The SSL_CTX reference from which to retrieve the default verify mode.
    Returns:
    The verification mode.
    See Verification Modes for valid values.
    See also:
    SSL_CTX_set_verify_mode().

    int SSL_CTX_load_verify_locations SSL_CTX   ctx,
    char *    CAfile,
    char *    CApath
    ;
     

    Specifies the directories, filenames and location of trusted certificates. The SSL protocol implements server (and optionally client) authentication via a hierarchical X.509 certificate trust system. Certificate verification involves retrieving a trusted copy of the certificate(s) used to sign the certificate being verified.

    Parameters:
    ctx [In, Out] The SSL_CTX reference.
    CAfile [In] The Certification Authority (CA) file, containing one or more certificates in Privacy Enhanced Mail (PEM) format. This should be specified as the full path of the file.
    CApath [In] A list of directories in which to search for files containing PEM-encoded certificates. The filenames contain certificate hashes (one per file).
    Returns:
    1 indicates success.
    0 indicates error.
    Note:
    These certificates are used to build the certificate chain for a server certificate, and by the in-built verification function when verifying a certificate chain from an SSL peer connection.
    If both CAfile and CApath are passed as NULL, an error is placed on the error stack and an error code is returned. If either CAfile or CApath are not NULL and generate an error while loading (that is, they do not exist or the file does not contain data) an error code is returned.

    CApath is semi-colon separated under a Windows operating system and colon separated under a UNIX operating system. If CApath is specified, the library searches for files with a filename based on the hash of the issuer name. For example, 12abcd.0. The verify utility verifies a given certificate.

    See also:
    SSL_CTX_set_default_verify_paths().

    void SSL_CTX_set_app_verify_cb SSL_CTX   ctx,
    SSL_CTX_APP_VERIFY_CB_T   cb,
    char *    arg
    ;
     

    Sets the application verification callback for the SSL_CTX ctx.

    Parameters:
    ctx [In] The SSL_CTX reference against which to set the default callback.
    cb [In] The verify callback.
    arg [In] The callback data.
    See also:
    SSL_CTX_get_app_verify_cb().
    Samples:
    nbio_client.c, and simple.c.

    void SSL_CTX_set_cert_store SSL_CTX   ctx,
    SSLCERT_STORE   store
    ;
     

    Specifies the SSLCERT_STORE store which stores all data required for verification of a certificate chain for the SSL_CTX ctx.

    Parameters:
    ctx [In, Out] The SSL_CTX reference that holds the X.509 store.
    store [In] The SSLCERT_STORE reference to bind against the SSL_CTX.
    See also:
    SSL_CTX_get_cert_store().

    void SSL_CTX_set_cert_verify_cb SSL_CTX   ctx,
    SSL_CTX_CERT_VERIFY_CB_T   cb,
    char *    arg
    ;
     

    Sets a user-defined certificate verification callback against the SSL_CTX. This callback has access to the complete X.509 API. It completely replaces the default internal verification routine, so the callback alone is responsible for every check the default would otherwise perform (such as chain building against the trust store, signature verification and validity-period checks); a callback that returns success without performing them accepts any certificate the peer presents.

    Parameters:
    ctx [In, Out] The SSL_CTX against which to set the callback.
    cb [In] A reference to the replacement verification callback.
    arg [In] A user-defined pointer argument.
    See also:
    SSL_CTX_CERT_VERIFY_CB_T.

    int SSL_CTX_set_default_verify_paths SSL_CTX   ctx ;
     

    Associates the pre-defined path and filenames for certificate verification with the SSL_CTX in a similar way to SSL_CTX_load_verify_locations(). Generally the client side verifies the certificate of any server to which it connects, thereby setting verification paths. Non-anonymous servers also set verification paths when requesting client certificates. All SSL connections generated from the SSL_CTX will use this data.

    Parameters:
    ctx [In, Out] The SSL_CTX reference.
    Returns:
    1 indicates success.
    <=0 indicates error.
    Note:
    Errors are only generated if the function fails to find the internal lookup methods.
    Errors are not generated if there are no certificate files in the default directories, so an empty trust store is not detected by this call; confirm that the expected CA certificates are actually present, otherwise no peer chain can be validated against them. The default path is /usr/local/ssl/certs and the default file is /usr/local/ssl/cert.pem.

    See also:
    SSL_CTX_load_verify_locations().

    void SSL_CTX_set_verify SSL_CTX   ctx,
    int    mode,
    SSL_VERIFY_CB_T   cb
    ;
     

    Sets a certificate verification callback against the SSL_CTX that extends the default internal verification. Then sets the mode for the verification of peer certificates. The verification mode applies to all SSL structures derived from the SSL_CTX passed to this function. See Verification Modes for valid values.

    Parameters:
    ctx [In] The SSL_CTX against which the callback and verification mode will be set.
    cb [In] The verification callback reference.
    mode [In] The new verification mode.
    See also:
    SSL_CTX_set_verify_cb() and SSL_CTX_set_verify_mode().

    void SSL_CTX_set_verify_cb SSL_CTX   ctx,
    SSL_VERIFY_CB_T   cb
    ;
     

    Sets a certificate verification callback against the SSL_CTX that extends the default internal verification.

    Parameters:
    ctx [In] The SSL_CTX against which the callback will be set.
    cb [In] The verification callback reference.

    void SSL_CTX_set_verify_depth SSL_CTX   ctx,
    int    depth
    ;
     

    Sets the verification depth for the SSL_CTX. The depth is the maximum length of the certificate chain accepted from the peer.

    Parameters:
    ctx [In, Out] The SSL_CTX reference where the depth is to be set.
    depth [In] The verification depth.

    void SSL_CTX_set_verify_mode SSL_CTX   ctx,
    int    mode
    ;
     

    Sets the mode for the verification of peer certificates. The verification mode applies to all SSL structures derived from the SSL_CTX passed to this function. See Verification Modes for valid values.

    Parameters:
    ctx [In] The SSL_CTX that holds the verification parameters.
    mode [In] The new verification mode.
    Samples:
    fips_client.c, nbio_client.c, and simple.c.

    SSL_VERIFY_CB_T* SSL_get_verify_cb SSL   s ;
     

    Returns the certificate verification callback set against the SSL.

    Parameters:
    s [In] The SSL reference where the callback is set.
    Returns:
    A reference to the callback if set.
    NULL indicates otherwise.

    int SSL_get_verify_depth SSL   s ;
     

    Returns the certificate verification depth, which limits the number of certificates accepted in a chain.

    Parameters:
    s [In] The SSL structure.
    Returns:
    -1 indicates the depth was not set.
    Otherwise indicates the depth.

    int SSL_get_verify_mode SSL   ssl ;
     

    Returns the certificate verification mode.

    Parameters:
    ssl [In] The SSL structure.
    Returns:
    The verify mode.
    See Verification Modes for valid values.

    long SSL_get_verify_result SSL   ssl ;
     

    Returns the result of the certificate verification function. This result is set inside the certificate verification callback. If the verification mode in use does not abort the handshake on a failed verification, the application must check this value itself before trusting the peer.

    Parameters:
    ssl [In] The SSL structure.
    Returns:
    The certificate verification callback result.
    See Certificate Verification States for valid values.
    See also:
    SSL_set_verify_result().

    void SSL_set_verify SSL   ssl,
    int    mode,
    SSL_VERIFY_CB_T   cb
    ;
     

    Sets a certificate verification callback against the SSL that extends the default internal verification. Then sets the mode for the verification of peer certificates on that SSL. See Verification Modes for valid values.

    Parameters:
    ssl [In] The SSL against which the callback and verification mode will be set.
    cb [In] The verification callback reference.
    mode [In] The new verification mode.
    See also:
    SSL_set_verify_cb() and SSL_set_verify_mode().

    void SSL_set_verify_cb SSL   s,
    SSL_VERIFY_CB_T   cb
    ;
     

    Sets a certificate verification callback against the SSL that extends the default internal verification.

    Parameters:
    s [In] The SSL against which to set the callback.
    cb [In] The verification callback reference.

    void SSL_set_verify_depth SSL   s,
    int    depth
    ;
     

    Sets the verification depth for the SSL and determines the maximum number of certificates acceptable in a chain.

    Parameters:
    s [In, Out] The SSL structure.
    depth [In] The verification depth.

    void SSL_set_verify_mode SSL   s,
    int    mode
    ;
     

    Sets the verification mode for the SSL.

    Parameters:
    s [In, Out] The SSL on which to set the mode.
    mode [In] The new verification mode for the SSL.

    void SSL_set_verify_result SSL   ssl,
    long    arg
    ;
     

    Sets the result of the certificate verification callback.

    Parameters:
    ssl [In, Out] The SSL structure.
    arg [In] The verification result.
    See Certificate Verification States for valid values.

    int SSLCERT_check_private_key SSLCERT   cert,
    EVP_PKEY   pkey
    ;
     

    Checks that the passed private key pkey was used when signing the certificate cert.

    Parameters:
    cert [In] A reference to the certificate cert.
    pkey [In] A reference to the private key pkey.
    Returns:
    1 indicates that the private key pkey was used to sign the certificate cert.
    0 indicates the private key pkey did not sign the certificate cert.

    int SSLCERT_get_notAfter SSLCERT   cert,
    unsigned int *    type,
    unsigned char **    pp,
    long *    length
    ;
     

    Returns a reference to the string representation of the NotAfter field of the specified certificate. The format of the string is contained in type, the time data in pp and the length of the data in length. Certificates are not valid after the NotAfter date.

    Parameters:
    cert [In] The SSLCERT reference to the certificate cert.
    type [Out] The time type reference.
    pp [Out] The time data reference.
    length [Out] The time length reference.
    Returns:
    1 indicates success.
    0 indicates error.
    Note:
    The returned type is a standard ASN.1 type. It is not necessary to allocate memory for pp as it will point to existing data.
    See also:
    SSLCERT_get_notBefore().
    Example:

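    SSLCERT *cert;
    unsigned int type;
    unsigned char *data;
    long len;
    unsigned char *notAfter = NULL;
    int asn1Encoding = 0;
    int result = 0, ret = 0;
    
    cert = SSLCERT_new();
    
    /* Load certificate data, etc */
    
    /* data points at the certificate's own storage (see the note above); it is
     * copied only to obtain a NUL-terminated string for printing and for
     * SSLCERT_compare_ASN1_time(). `now` (the current time, in the form that
     * function expects) is declared outside this excerpt. */
    if (SSLCERT_get_notAfter(cert, &type, &data, &len))
    {
        if (len < 0)
        {
            /* A negative length would wrap when used as an allocation size. */
            printf("Invalid notAfter length\n");
        }
        else if ((notAfter = (unsigned char *)Malloc(len + 1)) == NULL)
        {
            /* Stop here rather than falling through to Memcpy() with a NULL
             * destination. */
            printf("Unable to allocate memory for notAfter buffer\n");
        }
        else if (Memcpy(notAfter, data, len) == NULL)
        {
            printf("Unable to copy notAfter time into memory buffer\n");
        }
        else
        {
            notAfter[len] = '\0';
    
            printf("Time asn1 string %s", notAfter);
            if (type == SSLCERT_ENCODING_ASN1_UTCTIME)
            {
                printf("UTC Time\n");
            }
            else
            {
                printf("Generalized Time\n");
            }
    
            /* The encoding reported in type is passed straight through so the
             * comparison parses the string the way it was encoded. */
            asn1Encoding = type;
            ret = SSLCERT_compare_ASN1_time(asn1Encoding, &result,
                                             notAfter, now);
            if (ret == 1)
            {
                /* result == 1 is treated as notAfter lying after now, i.e. the
                 * certificate has not expired — confirm against the contract of
                 * SSLCERT_compare_ASN1_time(). */
                if (result == 1)
                {
                    BIO_printf(bio_out, "Certificate notAfter date is Valid\n");
                }
                else
                {
                    BIO_printf(bio_out, "Certificate is not valid.\n");
                }
            }
            else
            {
                /* A failed comparison must be treated as "not valid" (fail
                 * closed), never as a pass. */
                BIO_printf(bio_err, "SSLCERT_compare_ASN1_time function failed\n");
            }
    
            /* Release notAfter with the allocator's matching free routine once
             * it is no longer needed. */
        }
    }
    else
    {
        printf("Failed to get the 'notAfter' date.\n");
    }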
    
    
    Samples:
    verify_cb.c.

    int SSLCERT_get_notBefore SSLCERT   cert,
    unsigned int *    type,
    unsigned char **    pp,
    long *    length
    ;
     

    Returns a reference to the string representation of the NotBefore field of the specified certificate. The format of the string is contained in type, the time data in pp and the length of the data in length. Certificates are not valid before the NotBefore date.

    Parameters:
    cert [In] The SSLCERT reference pointer.
    type [Out] The time type reference.
    pp [Out] The time data reference.
    length [Out] The time length reference.
    Returns:
    1 indicates success.
    0 indicates error.
    Note:
    The returned type is a standard ASN.1 type. It is not necessary to allocate memory for pp as it will point to existing data.
    See also:
    SSLCERT_get_notAfter().
    Example:

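    SSLCERT *cert;
    unsigned int type;
    unsigned char *data;
    long len;
    unsigned char *notBefore = NULL;
    int asn1Encoding = 0;
    int result = 0, ret = 0;
    
    cert = SSLCERT_new();
    
    /* Load certificate data, etc */
    
    /* data points at the certificate's own storage (see the note above); it is
     * copied only to obtain a NUL-terminated string for printing and for
     * SSLCERT_compare_ASN1_time(). `now` (the current time, in the form that
     * function expects) is declared outside this excerpt. */
    if (SSLCERT_get_notBefore(cert, &type, &data, &len))
    {
        if (len < 0)
        {
            /* A negative length would wrap when used as an allocation size. */
            printf("Invalid notBefore length\n");
        }
        else if ((notBefore = (unsigned char *)Malloc(len + 1)) == NULL)
        {
            /* Stop here rather than falling through to Memcpy() with a NULL
             * destination. */
            printf("Unable to allocate memory for notBefore buffer\n");
        }
        else if (Memcpy(notBefore, data, len) == NULL)
        {
            printf("Unable to copy notBefore time into memory buffer\n");
        }
        else
        {
            notBefore[len] = '\0';
    
            printf("Time asn1 string %s", notBefore);
            if (type == SSLCERT_ENCODING_ASN1_UTCTIME)
            {
                printf("UTC Time\n");
            }
            else
            {
                printf("Generalized Time\n");
            }
    
            /* The encoding reported in type is passed straight through so the
             * comparison parses the string the way it was encoded. */
            asn1Encoding = type;
            ret = SSLCERT_compare_ASN1_time(asn1Encoding, &result,
                                             notBefore, now);
    
            if (ret == 1)
            {
                /* result == -1 is treated as notBefore lying before now, i.e. the
                 * certificate is already in force — confirm against the contract
                 * of SSLCERT_compare_ASN1_time(). */
                if (result == -1)
                {
                    BIO_printf(bio_out, "Certificate notBefore date is Valid\n");
                }
                else
                {
                    BIO_printf(bio_out, "Certificate is not valid.\n");
                }
            }
            else
            {
                /* A failed comparison must be treated as "not valid" (fail
                 * closed), never as a pass. */
                BIO_printf(bio_err, "SSLCERT_compare_ASN1_time function failed\n");
            }
    
            /* Release notBefore with the allocator's matching free routine once
             * it is no longer needed. */
        }
    }
    else
    {
        printf("Failed to get the 'notBefore' date.\n");
    }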
    
    
    
    
    
    Samples:
    verify_cb.c.

    int SSLCERT_SKI_keyid_cmp SSLCERT   cert1,
    SSLCERT   cert2
    ;
     

    Compares the Subject Key Identifier (SKI) key ids of the two specified SSLCERT structures cert1 and cert2.

    Parameters:
    cert1 [In] The SSLCERT reference to the first certificate whose SKI key id is being compared.
    cert2 [In] The SSLCERT reference to the second certificate whose SKI key id is being compared.
    Returns:
    <0 indicates that the SKI key id of certificate cert1 is less than the SKI key id of cert2.
    0 indicates that the SKI key id of certificate cert1 is equal to the SKI key id of certificate cert2.
    >0 indicates that the SKI key id from certificate cert1 is greater than the SKI key id from certificate cert2.
    See also:
    SSLCERT_get_SKI_keyid() and SSLCERT_keyid_cmp().

    int SSLCERT_subject_name_cmp SSLCERT   cert1,
    SSLCERT   cert2
    ;
     

    Compares the subject names of the two specified SSLCERT structures cert1 and cert2.

    Parameters:
    cert1 [In] The SSLCERT reference to the first certificate whose subject name is being compared.
    cert2 [In] The SSLCERT reference to the second certificate whose subject name is being compared.
    Returns:
    <0 indicates that the subject name of certificate cert1 is less than the subject name of cert2.
    0 indicates that the subject name of certificate cert1 is equal to the subject name of certificate cert2.
    >0 indicates that the subject name from certificate cert1 is greater than the subject name from certificate cert2.
    See also:
    SSLCERT_get_subject_name() and SSLCERT_NAME_cmp().
    Example:

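    SSLCERT *cert1, *cert2;
    int ret;
    
    /* Allocate certificate structures. Both must be populated (loaded or
     * parsed) before the comparison below is meaningful. */
    cert1 = SSLCERT_new();
    cert2 = SSLCERT_new();
    if (cert1 == NULL || cert2 == NULL)
    {
        /* SSLCERT_new() is assumed to return NULL on allocation failure. */
        printf("Unable to allocate certificate structures\n");
    }
    else
    {
        /* Compare certificate subject names: 0 means equal, any other value
         * means they differ (the sign gives the ordering). A matching subject
         * name alone does not identify a certificate; compare the keys as well
         * (SSLCERT_SKI_keyid_cmp()) or verify the signature. */
        ret = SSLCERT_subject_name_cmp(cert1, cert2);
        if (ret != 0)
        {
            printf ("Certificate subject names differ\n");
        }
    }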
    

    int SSLCERT_verify SSLCERT   cert,
    EVP_PKEY   pkey
    ;
     

    Verifies the signature on the SSLCERT certificate cert using the public key pkey. Only the signature is checked: this function does not check the validity period (see SSLCERT_get_notBefore() and SSLCERT_get_notAfter()), build or verify a chain, or establish that pkey belongs to a trusted issuer.

    Parameters:
    cert [In] The SSLCERT reference to the certificate being verified.
    pkey [In] The EVP_PKEY reference to a public key whose private key mate may have been used to sign the certificate cert.
    Returns:
    1 indicates that the public key pkey signed the certificate cert.
    0 indicates that the public key pkey was not the key that signed the certificate cert.
    Example:

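        SSLCERT *issuer;
        SSLCERT *cert;
        EVP_PKEY *public_key;
        int ret;
    
        /* Get a reference to the public key of the issuer certificate */
        public_key = SSLCERT_get_pubkey(issuer);
    
        if (public_key == NULL)
        {
            BIO_printf(bio_err, "Errors during SSLCERT_get_pubkey\n");
            goto err;   /* the err: cleanup label lies outside this excerpt */
        }
    
        /* Verify cert's signature with the issuer key fetched above. */
        ret = SSLCERT_verify(cert, public_key);
    
        if (ret == 1)
        {
            /* Only the signature has been checked at this point; validity
             * period, chain building and trust in the issuer are separate
             * checks. */
            BIO_printf(bio_err, "Certificate has been verified\n");
        }
        else
        {
            BIO_printf(bio_err, "Errors during SSLCERT_verify\n");
        }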
    
    
    Samples:
    verify_cb.c.

    int SSLCERT_verify_signature int    alg_id,
    unsigned char *    data,
    unsigned int    dlen,
    unsigned char *    signature,
    unsigned int    slen,
    EVP_PKEY   pubkey
    ;
     

    Verifies the signature value by generating a hash of the data and comparing it with the hash retrieved from the signature data using the public key.

    Parameters:
    alg_id [In] The signature algorithm.
    data [In] The body data against which to verify the signature.
    dlen [In] The body length of the data.
    signature [In] The signature value.
    slen [In] The signature value length.
    pubkey [In] The public key of the signing authority.
    Returns:
    1 indicates success.
    0 indicates error.


    Copyright (c) 1999-2004 RSA Security Inc. All rights reserved. 050-001001-2600-000-000 - 2.6