Sunday, April 17, 2011

[Ruby] OpenSSL verify certificate from own CA

Hello all and thanks for your time reading this.

I need to verify certificates issued by my own CA, for which I have a certificate. How can I do the equivalent to openssl's

openssl verify -CAfile

in Ruby code? The RDoc for OpenSSL is not very helpful in this regard. I've tried:

require 'openssl'

ca = OpenSSL::X509::Certificate.new(File.read('ca-cert.pem'))

lic = OpenSSL::X509::Certificate.new(File.read('cert.pem'))

puts lic.verify( ca )

but I get:

test.rb:7:in `verify': wrong argument (OpenSSL::X509::Certificate)!
(Expected kind of OpenSSL::PKey::PKey) (TypeError)
  from test.rb:7

I can't even find "verify" in the OpenSSL Rdoc at http://www.ruby-doc.org/stdlib/libdoc/openssl/rdoc/index.html.

Any help is appreciated. Thanks again!

From stackoverflow
  • You need to validate with

    lic.verify(ca.public_key)
    

    In addition, before that you can verify the certificate issuer with

    lic.issuer.to_s == ca.subject.to_s
    

    I used one Japanese help page to get the list of available methods :)

  • I've tried your suggestion, and it still fails to verify:

    require 'openssl'
    
    ca = OpenSSL::X509::Certificate.new(File.read('ca.pem'))
    
    lic = OpenSSL::X509::Certificate.new(File.read('lic.pem'))
    
    puts lic.verify( ca.public_key )
    puts lic.issuer.to_s == ca.subject.to_s
    

    The output is

    false
    false
    

    The same files with " openssl verify -CAfile ca.pem lic.pem" :

    lic.pem: OK
    

    Any other suggestions?

    Raimonds Simanovskis : Hmm, I tried with my examples and it worked OK. Probably the Ruby SSL library doesn't recognize your certificate crypto algorithms. Or maybe your Ruby is compiled with old SSL libraries. Can you show what output you get from lic.issuer and ca.subject?
    Raimonds Simanovskis : Maybe you can share some test certificates to me? Then I could try to validate them using my Ruby installation.
  • lic.verify() only verifies against the key of the certificate that signed lic. Commercial root CAs do not sign end-user certificates directly. Usually there are one or two intermediate signing certificates involved.

    So if CA -> signer -> user cert, then

    lic.verify( signer.public_key ) and signer.verify( CA.public_key ) will return true, but lic.verify( CA.public_key ) will return false.
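The chain behaviour described in the last answer, together with the Ruby equivalent of `openssl verify -CAfile` that the question asks for, as an added example that is not part of the original thread. It builds its own root CA, intermediate and leaf certificate in memory (constructed test data standing in for the asker's ca.pem and lic.pem), so it runs offline; `build_cert`, `verify_chain` and `demo` are helper names chosen here, not methods of the OpenSSL library. `Certificate#verify(key)` only checks one signature against one key, while `OpenSSL::X509::Store#verify` builds the chain to a trusted anchor and also checks validity dates and basicConstraints, which is what the command-line tool does.

```ruby
require 'openssl'

# Added example: construct a root -> intermediate -> leaf chain in memory and
# compare Certificate#verify (one signature, one key) with X509::Store#verify
# (full chain validation, the equivalent of `openssl verify -CAfile`).

# Issue a certificate. Without issuer_cert/issuer_key the cert is self-signed (the root).
def build_cert(subject:, key:, ca:, serial:, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509v3, required for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  # basicConstraints decides whether the chain builder may use this cert as an issuer.
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign, cRLSign' : 'digitalSignature', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))

  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Equivalent of `openssl verify -CAfile ca.pem [-untrusted signer.pem] lic.pem`.
# Trust anchors go into the store (store.add_file('ca.pem') would load a PEM
# bundle from disk instead of add_cert); intermediates that are not trusted on
# their own are passed as the second argument so the chain builder can use them.
# Returns [true/false, reason].
def verify_chain(leaf, trusted:, untrusted: [])
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ok = store.verify(leaf, untrusted)
  [ok, ok ? 'OK' : store.error_string]
end

def demo
  ca_key, signer_key, lic_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  ca     = build_cert(subject: '/CN=Example Root CA', key: ca_key, ca: true, serial: 1)
  signer = build_cert(subject: '/CN=Example Issuing CA', key: signer_key, ca: true, serial: 2,
                      issuer_cert: ca, issuer_key: ca_key)
  lic    = build_cert(subject: '/CN=lic.example.test', key: lic_key, ca: false, serial: 3,
                      issuer_cert: signer, issuer_key: signer_key)

  without_intermediate, reason = verify_chain(lic, trusted: [ca])
  with_intermediate, _ = verify_chain(lic, trusted: [ca], untrusted: [signer])

  {
    # Certificate#verify(key): only "was this signature produced by this key?"
    lic_by_ca:      lic.verify(ca.public_key),      # false: the root did not sign lic
    lic_by_signer:  lic.verify(signer.public_key),  # true
    signer_by_ca:   signer.verify(ca.public_key),   # true
    issuer_matches: lic.issuer.to_s == signer.subject.to_s, # true: the name check from the first answer
    # Store#verify: chain building plus validity period and basicConstraints checks
    store_no_intermediate:   without_intermediate,  # false: no path from lic to a trust anchor
    store_reason:            reason,                # e.g. "unable to get local issuer certificate"
    store_with_intermediate: with_intermediate      # true
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

With real files, `OpenSSL::X509::Certificate.new(File.read('lic.pem'))` replaces the in-memory leaf and `store.add_file('ca.pem')` replaces `add_cert`; if `lic.verify(ca.public_key)` is false but the command line says OK, the leaf was almost certainly issued by an intermediate, and `store.error_string` will name the missing issuer.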
