
OpenSSL/Check-self-signed

OpenSSL.Check-self-signed History


January 16, 2009, at 08:35 AM by 82.66.132.163 -
Added line 2:

(:description This sample show how to use X509_verify_cert to check if a certificate is selfsigned :)

January 11, 2009, at 04:46 PM by 82.66.132.163 -
Added lines 173-174:
	sk_X509_pop_free(trusted, X509_free);
	if (ctx != NULL) X509_STORE_free(ctx);
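Review bot: The added cleanup releases the trusted stack and the store, but `csc` is still leaked when `X509_STORE_CTX_init` fails, because that path in main() jumps to `end:` and skips `X509_STORE_CTX_free(csc)`. Declaring `X509_STORE_CTX *csc=NULL;` and placing `if (csc != NULL) X509_STORE_CTX_free(csc);` ahead of these two lines would cover it, and releasing the context first keeps it from holding pointers to a stack and store that are already gone. The hunk shows only the two added lines, so whether they sit after the `end:` label (and therefore run on the early-exit paths) cannot be confirmed from here.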
January 11, 2009, at 04:35 PM by 82.66.132.163 -
Added lines 1-178:

(:keywords openssl, X509_verify_cert,X509_STORE_set_verify_cb_func:)

Test si un certificat est autosigné

(:source lang=C :)

#include <stdio.h>
#include <tchar.h>
#include <string.h>
#include <openssl/bio.h>
#include <openssl/asn1.h>
#include <openssl/err.h>
#include <openssl/bn.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/objects.h>
#include <openssl/pem.h>
#include <openssl/rsa.h>

/* Output BIO shared by every function in this file; main() binds it to
 * stdout with BIO_new_fp() before any message is written. */
BIO *bio_out;

/* Not referenced by any code in this listing. */
static int vflags = 0;

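/*
 * Load every certificate found in a PEM file into a newly allocated stack.
 *
 * certfile: path of the PEM file.  The reader returns x509/crl/pkey sets;
 *           only the certificates are kept, the rest is discarded.
 *
 * Returns a STACK_OF(X509) owned by the caller, to be released with
 * sk_X509_pop_free(stack, X509_free), or NULL when the file cannot be
 * opened or parsed, holds no certificate, or an allocation fails.  A
 * message is written to bio_out on every failure path.
 */
static STACK_OF(X509) *load_stack(char *certfile) {

	STACK_OF(X509_INFO) *sk=NULL;
	STACK_OF(X509) *stack=NULL, *ret=NULL;
	BIO *in=NULL;
	X509_INFO *xi;

	if(!(stack = sk_X509_new_null())) {
		BIO_printf(bio_out,"memory allocation failure\n");
		goto end;
	}

	if(!(in=BIO_new_file(certfile, "r"))) {
		BIO_printf(bio_out,"error opening the file, %s\n",certfile);
		goto end;
	}

	/* This loads from a file, a stack of x509/crl/pkey sets */
	if(!(sk=PEM_X509_INFO_read_bio(in,NULL,NULL,NULL))) {
		BIO_printf(bio_out,"error reading the file, %s\n",certfile);
		goto end;
	}

	/* scan over it and pull out the certs */
	while (sk_X509_INFO_num(sk) > 0) {
		xi=sk_X509_INFO_shift(sk);
		if (xi->x509 != NULL) {
			if (!sk_X509_push(stack,xi->x509)) {
				BIO_printf(bio_out,"memory allocation failure\n");
				/* xi still owns the certificate, so this frees both */
				X509_INFO_free(xi);
				goto end;
			}
			/* ownership moved to the stack; keep X509_INFO_free off it */
			xi->x509=NULL;
		}
		X509_INFO_free(xi);
	}
	if(!sk_X509_num(stack)) {
		BIO_printf(bio_out,"no certificates in file, %s\n",certfile);
		goto end;
	}
	ret=stack;
	stack=NULL;	/* handed to the caller, must survive the cleanup below */

end:

	/* On any failure the partially filled stack and its certificates are
	 * released here instead of being leaked. */
	sk_X509_pop_free(stack, X509_free);
	if (in != NULL) BIO_free(in);
	/* pop_free also releases entries left behind by an early exit */
	sk_X509_INFO_pop_free(sk, X509_INFO_free);
	return(ret);
	}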

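/*
 * Verification callback with the signature expected by
 * X509_STORE_set_verify_cb_func() (the call that installs it is commented
 * out in main()).
 *
 * ok:  result of the check that has just been made (non-zero = passed).
 * ctx: verification context, queried for the error code, the depth at
 *      which it occurred and the certificate being examined.
 *
 * Returns 1 for any error reported above depth 0, otherwise returns ok
 * unchanged after printing the subject and the error to bio_out.
 *
 * Returning 1 for depth > 0 overrides every failure found on an issuer
 * certificate.  That fits a test which only cares about the certificate at
 * depth 0; a callback used to decide whether a chain is trusted must not
 * do this.
 */
static int verify_cb(int ok, X509_STORE_CTX *ctx) {

	char buf[256];
	X509 *cert;
	int err, depth;

	if (ok) return(ok);

	/* Accessor functions instead of ctx->field: the structure is opaque
	 * in later OpenSSL releases. */
	err = X509_STORE_CTX_get_error(ctx);
	depth = X509_STORE_CTX_get_error_depth(ctx);

	if (depth > 0) return(1);

	cert = X509_STORE_CTX_get_current_cert(ctx);
	if (cert != NULL) {
		X509_NAME_oneline(X509_get_subject_name(cert),buf,sizeof buf);
		BIO_printf(bio_out,"%s\n",buf);
	}

	/* Three arguments need three conversions; with a single %s the first
	 * int argument would be read as a string pointer. */
	BIO_printf(bio_out,"error %d at %d depth lookup:%s\n",err,depth,X509_verify_cert_error_string(err));

	return(ok);

}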

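/*
 * Read the first PEM certificate from a file.
 *
 * cert: path of the PEM file.
 *
 * Returns a newly allocated X509 that the caller releases with
 * X509_free(), or NULL when the BIO cannot be created, the file cannot be
 * opened, or no certificate can be parsed.  A message naming the source
 * location is printed to stdout on failure.
 */
X509* load_cert_file(char *cert) {

	X509 *x=NULL;
	BIO *in=NULL;

	in=BIO_new(BIO_s_file());
	if (in == NULL){
		/* do not hand a NULL BIO to BIO_read_filename() */
		printf("%s@%i unable to allocate a file BIO\n",__FILE__,__LINE__);
		goto end;
	}
	if(BIO_read_filename(in,cert)<=0){
		/* one conversion per argument: file, line, path */
		printf("%s@%i unable to open %s\n",__FILE__,__LINE__,cert);
		goto end;
	}

	x=PEM_read_bio_X509(in,NULL,NULL,NULL);
	if (x == NULL){
		printf("%s@%i unable to open certificate\n",__FILE__,__LINE__);
		goto end;
	}

end:

	if (in != NULL) BIO_free(in);
	return(x);

}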

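/*
 * Report whether a certificate verifies against the certificates stored in
 * its own file.
 *
 * The file named by argv[1] (default "cert3.crt") is read twice: once as
 * the certificate to check, once as the only set of trusted certificates.
 * X509_verify_cert() returning 1 is printed as "is self signed".
 *
 * What the verdict covers: the result is a full verification, so it also
 * depends on the validity period and on everything else in the file.  A
 * file that carries the issuer next to the certificate passes as well, and
 * an expired self-signed certificate fails; the verify error string printed
 * on failure tells these cases apart.  A test limited to the structural
 * property would compare the certificate with itself, e.g. with
 * X509_check_issued(x, x) and X509_verify(x, <its own public key>).
 * Self-signed is a property of the certificate, not a reason to trust it.
 *
 * Returns 0 when a verdict was printed, 1 on any error.
 */
int main(int argc, char* argv[]) {

	char default_crt[]="cert3.crt";
	char *crtfile=(argc > 1) ? argv[1] : default_crt;

	X509_STORE *ctx=NULL;
	X509_STORE_CTX *csc=NULL;	/* NULL so the shared cleanup can test it */
	X509 *x=NULL;
	STACK_OF(X509) *trusted=NULL;
	int i;
	int rc=1;


	OpenSSL_add_all_digests();
	OpenSSL_add_all_algorithms();
	ERR_load_crypto_strings();

	bio_out=BIO_new_fp(stdout,BIO_NOCLOSE);
	if (bio_out == NULL){
		fprintf(stderr,"unable to create the output BIO\n");
		return 1;
	}


	x=load_cert_file(crtfile);
	if(x==NULL){
		goto end;
	}

	ctx=X509_STORE_new();
	if (ctx == NULL){
		ERR_print_errors(bio_out);
		goto end;
	}
	/* Optional diagnostics; note that verify_cb accepts every error
	 * reported above depth 0. */
	//X509_STORE_set_verify_cb_func(ctx,verify_cb);

	csc = X509_STORE_CTX_new();
	if (csc == NULL){
		ERR_print_errors(bio_out);
		goto end;
	}
	X509_STORE_set_flags(ctx, 0);
	if(!X509_STORE_CTX_init(csc,ctx,x,NULL)){
		ERR_print_errors(bio_out);
		goto end;
	}

	trusted = load_stack(crtfile);
	if (trusted == NULL){
		/* Without this check an unreadable file would be reported as
		 * "not self signed". */
		goto end;
	}

	X509_STORE_CTX_trusted_stack(csc, trusted);
	i=X509_verify_cert(csc);

	if(i<0){
		ERR_print_errors(bio_out);
	}else if (i){
		rc=0;
		BIO_printf(bio_out,"%s is self signed\n",crtfile);
	}else{
		rc=0;
		BIO_printf(bio_out,"%s is not self signed\n",crtfile);
		/* 0 covers every verification failure, so say which one it was */
		BIO_printf(bio_out,"verify result: %s\n",
			X509_verify_cert_error_string(X509_STORE_CTX_get_error(csc)));
	}

end:

	/* The context goes first: it still refers to the stack and the store. */
	if (csc != NULL) X509_STORE_CTX_free(csc);
	sk_X509_pop_free(trusted, X509_free);
	if (ctx != NULL) X509_STORE_free(ctx);
	X509_free(x);
	BIO_free(bio_out);
	return rc;

}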

(:sourcend:)

Page last modified on January 16, 2009, at 08:35 AM