kisom/libsslcv


C library for validating client OpenSSL certificates.

http://www.tyrfingr.is/projects/sslcv/

Language: C


sslcv: library for validating client certificates

INTRODUCTION
------------
This library provides validation of client certificates against a root
certificate. The library expects a certificate of type `X509 *` and a path
to a root certificate as a `const char *`. A utility function for loading a
certificate from a file is also provided.

This library is mostly intended as an introduction to validating
certificates using the OpenSSL C API, as I found much of the code and
documentation on the internet lacking. This was put together after a night
of hacking; the documentation took me a couple days to work through.

LICENSE
-------
This code is licensed under an ISC / public domain dual license.

AUTHOR
------
sslcv was written by Kyle Isom.

DEPENDENCIES
------------
You need the OpenSSL library and headers installed. The code also uses the
Plan 9 mk(1) system, which is available from the Plan 9 From User Space[1]
package; although a standard BSD Makefile is included for convenience, it
gets less attention than the mkfile.

INSTALLING
----------
For all users:

        sudo mk install
or
        sudo make install

For the current user:

        mk install PREFIX=${HOME}
or
        PREFIX=${HOME} make install

An uninstall target is provided as well that is used the same way as the
install target.

THE TEST PROGRAM
----------------
A reference implementation has been provided in `main.c`; it can be built
with `mk ref`. The reference implementation builds a binary named `sslcv`.
See the `-h` flag for usage information:

        usage: sslcv [-c ca_certificate]+ [client_certificate]+
                validate a list of client certificates using a list of
                CA certificates.

        note: sslcv expects certificates in PEM format.

For example:

        $ ./sslcv -c certs/testca2/testca2-cacert.pem \
                  -c certs/testca/testca-cacert.pem \
                  certs/testca2/testclient-cert.pem \
                  certs/testca/testclient-cert.pem
        [+] added root certificate: certs/testca2/testca2-cacert.pem
        [+] added root certificate: certs/testca/testca-cacert.pem
        ================================================
        = client certificate: certs/testca2/testclient-cert.pem
        ------------------------------------------------
        [+] validating certs/testca2/testclient-cert.pem with certs/testca2/testca2-cacert.pem
        [+] certificate is valid.
        ================================================
        = client certificate: certs/testca/testclient-cert.pem
        ------------------------------------------------
        [+] validating certs/testca2/testclient-cert.pem with certs/testca2/testca2-cacert.pem
        [!] invalid certificate
        ------------------------------------------------
        [+] validating certs/testca2/testclient-cert.pem with certs/testca/testca-cacert.pem
        [+] certificate is valid.
        [+] finished validation.

The CA certificates are loaded in the order specified: CA #2 is tried
before CA #1. The client certificates are checked in order against each CA,
breaking where a match is found. As expected, the first client certificate
in the list, client #2, immediately validates whereas the second client
certificate, client #1, fails against CA #2 and is tried against CA #1
where it is validated.

TEST CERTIFICATES
-----------------
A pair of test certificate authorities were set up; the certificates are
provided under the `certs` directory. The files provided are:

        certs/
          |
          |-testca/                     /* certificates from CA #1 */
          |   |
          |   |- testca-cacert.pem      /* CA #1 bundle - the signing key */
          |   |- testclient-cert.pem    /* client certificate signed by CA #1 */
          |   |- testserver-cert.pem    /* server certificate signed by CA #1 */
          |   .
          |
          |-testca2/                    /* certificates from CA #2 */
          |   |
          |   |- testca2-cacert.pem     /* CA #2 bundle - the signing key */
          |   |- testclient-cert.pem    /* client certificate signed by CA #2 */
          |   |- testserver-cert.pem    /* server certificate signed by CA #2 */
          |   .
          |- google.pem                 /* Google's web search certificate */
          |- thawte.pem                 /* Thawte SGC and Verisign CA bundle */
          .

For a real world example, I've also provided Thawte's CA certificate bundle
(includes the Thawte Consulting (Pty) Ltd SGC certificate and the Verisign
Class 3 Public Primary Certification Authority certificate) as well as the
certificate for www.google.com as exported from Firefox.

WEB PAGES
---------
The latest source is available from the project's tyrfingr page[2] or its
bitbucket repository[3].

CODE AUDIT
----------
Both Makefile and mkfile contain `audit` targets. The `audit` target runs
all source files through flawfinder(1), rats(1), and clang's static
analyzer. Therefore, in order to make use of this target, you should have
rats[4], flawfinder[5], and clang[6] installed.

REFERENCES
----------
[1] http://swtch.com/plan9port
[2] http://www.tyrfingr.is/projects/libsslcv/
[3] https://www.bitbucket.org/kisom/libsslcv/
[4] https://code.google.com/p/rough-auditing-tool-for-security/
[5] http://www.dwheeler.com/flawfinder/
[6] http://clang-analyzer.llvm.org/
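
The try-each-CA-in-order behaviour of the test program described in the README, reproduced as an added example with the openssl(1) command line rather than this library's C API; it is not code from the project. The function names, the generated throwaway certificates and the assumption of OpenSSL 1.1.0 or later are this example's own.

```shell
#!/bin/sh
# Constructed test PKI: two throwaway CAs and one client certificate from
# each, laid out like the README's certs/ directory. Nothing here comes from
# the project; the certificates are generated on the spot.
make_ca() {      # make_ca <dir> <name>: self-signed root in <dir>
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2-cakey.pem" -out "$1/$2-cacert.pem" 2>/dev/null
}
make_client() {  # make_client <dir> <ca-name>: client cert signed by that CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=testclient" \
        -keyout "$1/testclient-key.pem" -out "$1/testclient.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/testclient.csr" -days 1 -CAcreateserial \
        -CA "$1/$2-cacert.pem" -CAkey "$1/$2-cakey.pem" \
        -out "$1/testclient-cert.pem" 2>/dev/null
}
build_test_pki() {  # build_test_pki <dir>
    make_ca "$1/testca" testca && make_client "$1/testca" testca &&
    make_ca "$1/testca2" testca2 && make_client "$1/testca2" testca2
}

# Try each CA in the order given and stop at the first one that validates the
# client certificate; print that CA's path, or return 1 if none does.
# -no-CApath stops openssl(1) from also searching its default CA directory.
first_valid_ca() {  # first_valid_ca <client-cert> <ca-cert>...
    client=$1; shift
    for ca in "$@"; do
        if openssl verify -no-CApath -CAfile "$ca" "$client" >/dev/null 2>&1
        then
            echo "$ca"; return 0
        fi
    done
    return 1
}

demo() {
    dir=$(mktemp -d) && build_test_pki "$dir" || return 1
    # Same order as the README's run: CA #2 first, then CA #1.
    for c in testca2 testca; do
        if match=$(first_valid_ca "$dir/$c/testclient-cert.pem" \
            "$dir/testca2/testca2-cacert.pem" "$dir/testca/testca-cacert.pem")
        then echo "[+] $c client: valid under ${match##*/}"
        else echo "[!] $c client: no CA validated it"
        fi
    done
    rm -rf "$dir"
}
demo
```

A client certificate that no listed CA validates makes `first_valid_ca` return 1, which is the case a caller must treat as a rejection rather than fall through.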

Project Statistics

Sourcerank 3
Repository Size 34.2 KB
Forks 0
Watchers 1
Dependencies 0
Tags 1

Recent Tags

tip September 28, 2012


Last synced: 2017-02-25 07:23:45 UTC
