Beefy Boxes and Bandwidth Generously Provided by pair Networks
Do you know where your variables are?
 
PerlMonks  

NET::SSLeay to verify certificates?

by LoraIlieva (Acolyte)
on Nov 17, 2016 at 10:42 UTC ( #1176049=perlquestion: print w/replies, xml ) Need Help??

LoraIlieva has asked for the wisdom of the Perl Monks concerning the following question:

Hi! I have the same task to do and the same problem. I am trying to verify ssl sertificate using Net::SSLeay.

As input I have certificate in PEM format and path to the directory with root and intermediate certificates. I read about doing the verification in C (https://www.ibm.com/developerworks/library/l-openssl/), but I can't find equivalents of called C functions. This is what I did: 

my $s_cert_filename = '/path/to/cert/mycert.pem';
my $s_chain_dir = '/path/to/root_and_itermediate/certs/';

#Initialization, because I read about it in cpan
my $rv = Net::SSLeay::library_init(); 
if($rv != 1) {die 'library init'};
Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();

#Create $ctx object
my $ctx = Net::SSLeay::CTX_new or die;

#Set where are root and intermediate certs
Net::SSLeay::CTX_load_verify_locations($ctx, '', $s_chain_dir)  
or die_now("CTX load verify loc=`$s_chain_dir' $!");

#Set where is the certificate to be checked
$rv = Net::SSLeay::CTX_use_certificate_file($ctx, $s_filename, 
&Net::SSLeay::FILETYPE_PEM);
if($rv != 1) {die 'CTX_use_certificate_file'}

#Create $ssl object from $ctx object
my $ssl = Net::SSLeay::new($ctx);

#Try to get verification result
$rv = Net::SSLeay::get_verify_result($ssl);
    
print $rv;

[download]

Result is always '0' which means this is valid certificate. The problem is that I tried with both – valid and invalid certificate, and the result is always '0'.

Net::SSLeay::CTX_free($ctx);

Also I read that it's not verifying the certificate, but something called x509_store, so I found other example in C (http://stackoverflow.com/questions/2756553/x509-certificate-verification-in-c). I tryed to translate it to perl:

my $s_cert_filename = '/path/to/cert/mycert.pem';
    
my $s_chain_dir = '/path/to/root_and_itermediate/certs/';

#Initialization
my $rv = Net::SSLeay::library_init(); 
 if($rv != 1) {die 'library init'};
Net::SSLeay::ERR_load_SSL_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();

#Create $ctx object
my $ctx = Net::SSLeay::CTX_new() or
 die_now("Failed to create SSL_CTX $!");

#Set where are root and intermediate certs
Net::SSLeay::CTX_load_verify_locations($ctx, '', $s_chain_dir)  or
 die_now("CTX load verify loc=`$s_chain_dir' $!");

#Create $ssl object from $ctx object
my $ssl = Net::SSLeay::new($ctx);

#Set where is the certificate to be checked

$rv = Net::SSLeay::use_certificate_file($ssl, $s_filename,
 &Net::SSLeay::FILETYPE_PEM);

#get x509_store    and set flag – to check crl
my $x509_store = Net::SSLeay::CTX_get_cert_store($ssl);
    
Net::SSLeay::X509_STORE_set_flags($ctx, 
&Net::SSLeay::X509_V_FLAG_CRL_CHECK);

#Try to get verification result
$rv = Net::SSLeay::get_verify_result($ssl);
print $rv;

[download]

Result is the same – always '0'.

Net::SSLeay::CTX_free($ctx);

[download]

I think the problem is somewhere in the usage of those strange data structures and 'get_verify_result' returns '0' to show me that there is an error. I don't know what I am doing wrong. Could someone help me?

Replies are listed 'Best First'.
Re: NET::SSLeay to verify certificates?
by rdfield (Priest) on Oct 04, 2018 at 13:54 UTC
    Not really a proper Perl solution, but I couldn't find out how to make the low level routines in Net::SSLeay work (the documentation states that the certificate verification code isn't well tested). Anyway, here's an Inline C bit of code that works on Debian Stretch: 
    use strict;
use warnings;

use Inline Config =>
           force_build => 0,
           clean_after_build => 1;
use Inline C => 'DATA';
use Inline C => Config =>
                DIRECTORY => "/tmp" =>
                enable => 'UNTAINT' =>
                inc => '-I/usr/include' =>
                libs => ' -lssl -lcrypto ';

my $CAfile = "cacert.pem";
my $Cert = "good.crt";
my $Cert2 = "selfsigned.crt";
print "cert1 = " . verify_cert($CAfile, $Cert) . "\n";
print "cert2 = " . verify_cert($CAfile, $Cert2) . "\n";

__DATA__
__C__

#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>

char *verify_cert(char *ca_bundlestr, char *cert_filestr) {


  BIO              *certbio = NULL;
  BIO               *outbio = NULL;
  X509          *error_cert = NULL;
  X509                *cert = NULL;
  X509_NAME    *certsubject = NULL;
  X509_STORE         *store = NULL;
  X509_STORE_CTX  *vrfy_ctx = NULL;

  int ret;
  char *retmsg;

  OpenSSL_add_all_algorithms();
  ERR_load_BIO_strings();
  ERR_load_crypto_strings();

  certbio = BIO_new(BIO_s_file());

  if (!(store=X509_STORE_new())) {
     size_t needed = snprintf(NULL, 0, "Error creating X509_STORE_CTX 
+object") + 1;
     retmsg = malloc(needed);
     snprintf(retmsg, needed, "Error creating X509_STORE_CTX object");
     goto done;
  }

  vrfy_ctx = X509_STORE_CTX_new();

  ret = BIO_read_filename(certbio, cert_filestr);
  if (! (cert = PEM_read_bio_X509(certbio, NULL, 0, NULL))) {
     size_t needed = snprintf(NULL, 0, "Error loading cert into memory
+") + 1;
     retmsg = malloc(needed);
     snprintf(retmsg, needed, "Error loading cert into memory");
     goto done;
  }

  ret = X509_STORE_load_locations(store, ca_bundlestr, NULL);
  if (ret != 1) {
     size_t needed = snprintf(NULL, 0, "Error loading CA cert or chain
+ file") + 1;
     retmsg = malloc(needed);
     snprintf(retmsg, needed, "Error loading CA cert or chain file");
     goto done;
  }
  X509_STORE_CTX_init(vrfy_ctx, store, cert, NULL);

  ret = X509_verify_cert(vrfy_ctx);

  if( ret == 0 ) {
     size_t needed = snprintf(NULL, 0, "Error %s", X509_verify_cert_er
+ror_string(X509_STORE_CTX_get_error (vrfy_ctx))) + 1;
     retmsg = malloc(needed);
     snprintf(retmsg, needed, "Error %s", X509_verify_cert_error_strin
+g(X509_STORE_CTX_get_error (vrfy_ctx)));
  } else {
     size_t needed = snprintf(NULL, 0, "OK") + 1;
     retmsg = malloc(needed);
     snprintf(retmsg, needed, "OK");
  }
done:
  X509_STORE_CTX_free(vrfy_ctx);
  X509_STORE_free(store);
  X509_free(cert);
  BIO_free_all(certbio);
  return( retmsg );
}

    [download]
    running it: 
    $ perl verify_certs.pl
cert1 = OK
cert2 = Error self signed certificate

    [download]
    (code is based on this source: original C code )

    rdfield

[reply]
[d/l]
[select]

Back to Seekers of Perl Wisdom

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: perlquestion [id://1176049]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others perusing the Monastery: (3)
As of 2023-05-31 22:50 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found
    Notices?