Cryptography Reference
In-Depth Information
{
fprintf( stderr, “Unable to decode signature value.\n” );
return valid;
}
if ( asn1parse( pkcs7_signature_decrypted, pkcs7_signature_len,
&pkcs7_signature ) )
{
fprintf( stderr, “Unable to parse signature\n” );
return valid;
}
hash_value = pkcs7_signature.children->next;
if ( memcmp( hash_value->data, certificate->hash, certificate->hash_len ) )
{
valid = 0;
}
else
{
valid = 1;
}
asn1free( &pkcs7_signature );
return valid;
}
Verifying a Self-Signed Certifi cate
How to map issuers to public keys is outside the scope of the implementation;
browsers ship with a (long) list of trusted root CAs and their known public
keys, which are compared to the issuer each time a certifi cate is received. To
illustrate the concept, though, you can go ahead and write code to verify a self-
signed certifi cate in Listing 5-27, such as those that are distributed by the CAs
to the browsers to begin with. Like the ASN.1 test routine, this routine expects
a DER- or PEM-encoded certifi cate fi le and outputs the contents of the fi le. This
time, though, it does a lot more interpretation and actually produces useful,
meaningful content.
Listing 5-27:
“x509.c” main routine
#ifdef TEST_X509
int main( int argc, char *argv[ ] )
{
int certificate_file;
struct stat certificate_file_stat;
char *buffer, *bufptr;
int buffer_size;
int bytes_read;
(Continued)
Search WWH ::
Custom Search