Menu

#8 tls::verify

open
nobody
None
5
2006-11-08
2006-11-08
Peter Hall
No

need a way to verify a certificate is valid before attempting to use it over
an ssl/tls connection.

added tls::verify ?-cadir? ?-cafile? -certfile

returns
"OK" if the certificate is good to use
"BAD" if there's something wrong with the certificate.

example
tls::verify -cafile c:/im/certs/CAlwc.crt -certfile c:/im/certs/lwc.crt

tls::verify -cadir /demoCA/newcerts -certfile /demoCA/cacert.pem

Discussion

  • Peter Hall

    Peter Hall - 2006-11-08

    tls.c

     
    tls.diff

  • Peter Hall

    Peter Hall - 2006-11-08

    tlsInt.h

     
    tlsInt.diff

  • Jeffrey Hobbs

    Jeffrey Hobbs - 2007-06-25
     
    tls-verify.diff

  • Jeffrey Hobbs

    Jeffrey Hobbs - 2007-06-25

    Logged In: YES
    user_id=72656
    Originator: NO

    I have updated the code, but I can't get it to actually verify any certs, so I wonder if something is either wrong with what I'm testing, or the code itself. Attached is an updated diff.

    Why was tlsInt.h modified? I didn't require those headers.

    Also, what is the point of the OpenSSL_add_all_algorithms() call?
    File Added: tls-verify.diff

     

  • Pat Thoyts

    Pat Thoyts - 2007-09-07

    Logged In: YES
    user_id=202636
    Originator: NO

    For some reason this only seems to validate if the certificates are in the current directory.
    (win) 203 % tls::verify -cafile ~/Certificates/CAcert/cacert_class1.crt -certfile ~/Certificates/CAcert/cacert_class3.crt
    0
    (win) 204 % tls::verify -cafile ~/Certificates/CAcert/cacert_class1.crt -certfile ~/Certificates/patthoyts.crt
    0
    (win) 205 % tls::verify -cafile cacert_class1.crt -certfile cacert_class3.crt
    1
    (win) 206 % tls::verify -cafile cacert_class1.crt -certfile patthoyts.crt
    0

    OpenSSL has the following to say about these certificates:

    C:\opt\tcl\src\tls\win>openssl verify -CAfile cacert_class1.crt cacert_class3.crt
    cacert_class3.crt: OK

    C:\opt\tcl\src\tls\win>openssl verify -CAfile cacert_class1.crt patthoyts.crt
    patthoyts.crt: /C=GB/ST=England/L=Bristol/O=Pat Thoyts/OU=Software Signing/CN=Pat Thoyts/emailAddress=patthoyts@users.sourceforge.net
    error 20 at 0 depth lookup:unable to get local issuer certificate

    and openssl itself as no trouble using a directory path

     

  • Victor Wagner

    Victor Wagner - 2008-10-17

    I think that it is better to use already existing Tcl_BIO api to read certificates. It would solve all problems with using certificates on VFS. But it would make verify command incompatible with import command - no guarantee that certificate which was successfully verified, can be used by ::tls::import, which uses internal OpenSSL function to open files.

    So, I suggest the best way to pass certificates around - is to load them into Tcl variables. Certificate in PEM format is relatively short (no more than couple of kilobytes) ASCII string, and should be treated as such.

    More interesting thing is private keys. Private keys can be stored on hardware token, and never be extractable from here. One just pass around reference to particular key on token, and delegate actual cryptographic operations to engine module, which knows how to do them on token.

    Btw, if we are to verify certificate before use, it is also good idea to check if we really have private key for this certificate.

    Also, there is no need to use separate verification callback for verify function.
    There is already pretty good VerifyCallback, function which is able to call tcl scripts.
    So, just use it.

     
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.