Decoding X509 certificate files via OpenSSL

Source: Internet
Author: User

Under the Windows platform, if you want to parse a X509 certificate file, the most straightforward way is to use Microsoft's CryptoAPI. But under the non-Windows platform, you can only use the powerful open source cross-platform library OpenSSL. After a X509 certificate is decoded by OpenSSL, a struct pointer of the X509 type is obtained. Through this structure, we can obtain the desired certificate entries and attributes, and so on.

The X509 certificate file, depending on the package, has the following three main types:

*.cer: A single X509 certificate file, no private key, can be in binary and Base64 format. This type of certificate is most common;

A certificate chain file in the *.p7b:pkcs#7 format that contains one or more X509 certificates, without the private key. Typically, when requesting an RSA certificate from the CA Center, the signed certificate that is returned is the certificate file in the P7B format;

The certificate file in the *.PFX:PKCS#12 format can contain one or more X509 certificates, which contain the private key and are generally password protected. When an RSA certificate is typically requested from the CA center, the encryption certificate and the RSA encryption private key are returned as a file in PFX format.

Below, for these three types of certificate files, using OpenSSL to decode, get the corresponding X509 struct pointer. Note that the contents of the certificate file in the sample code refer to binary data, and if the certificate file itself uses the BASE64 format, after reading from the file, the contents of the BASE64 format need to be converted to binary data before the following decoding function can be used.

First, decode CER certificate file

The file in the CER format is the simplest and only needs to invoke API d2i_x509 (). The sample code is as follows (Lpcertdata is the binary data):

m_px509 = d2i_x509 (null, (unsigned char const * *) &lpcertdata, Uldatalen); if (m_px509 = = NULL) {return cert_err_failed; }


Second, decode the P7B certificate file

Because P7B is a certificate chain file, you can theoretically include multiple X509 certificates. But in real-world applications, it often contains only one file, so we only process the first certificate. The sample code is as follows:

int RV = 0;int nid = 0; pkcs7* P7 = NULL; Stack_of (X509) *certs = NULL; bio* bio = Bio_new (Bio_s_mem ());//decode p7b Content RV = bio_write (bio, Lpcertdata, uldatalen);p 7 = D2i_pkcs7_bio (bio, NULL); Bio_free (bio);//Get P7 specific format nid = Obj_obj2nid (P7->type); if (nid = = nid_pkcs7_signed) {<span style= "White-space:pre "></span>certs = P7->d.sign->cert;} else if (nid = = nid_pkcs7_signedandenveloped) {<span style= "white-space:pre" ></span>certs = p7-> D.signed_and_enveloped->cert;} p7bm_px509 = Sk_x509_value (certs, 0) only supported for single certificates, if (m_px509 = = NULL) {<span style= "White-space:pre" ></span> return cert_err_failed;}
if, in a special case, you need to process all the certificates in the entire certificate chain, you only need to loop call Sk_x509_value () until you know that the return is null.


Third, decode PFX certificate file

When you decode a PFX certificate, you are actually getting a series of objects for the X509 certificate, private key data, and CA certificate chain, and you need to verify the password for the PFX. The sample code is as follows:

int RV = 0; PKCS12 *p12 = NULL; Evp_pkey *pkey = NULL; Stack_of (X509) *ca = NULL; BIO *bio; Decode P12 Content BIO = Bio_new (Bio_s_mem ()), RV = Bio_write (bio, Lpcertdata, uldatalen);p = D2i_pkcs12_bio (bio, NULL); Bio_free_all (bio); Get the Certificate Object RV = Pkcs12_parse (P12, Lpscpassword, &pkey, &m_px509, &CA); if (!rv | |!m_px509) {RV = cert_err_failed; Goto Free_memory;} Release Memory Free_memory:pkcs12_free (P12); Evp_pkey_free (PKEY); Sk_x509_free (CA);

At this point, the decoding of three common certificate files to complete, through the decoded certificate context structure pointer m_px509, the pointer can be used to resolve the certificate and extended properties. The specific analytic method, will be introduced in the following blog.

Copyright NOTICE: This article for Bo Master original article, without Bo Master permission not reproduced.

Decode the X509 certificate file through OpenSSL

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.