Ok, let me begin.
As others mentioned, you can use openssl verify. According to the documentation, it checks the validity period too.
Programmatically, it means hours of searching for kinda bad (or missing) documentation, reading code examples all over the web, and maybe a headache.
In short, to validate if a certificate is signed by the CA, issuer, or someone else's certificate, you need to inform all the intermediary certificates, plus the revocation list (CRL), if you need it. To keep this answer short, let's assume the certificate was issued and signed by the CA.
Now, here is what you really need to do in terms of code (openssl):

1. X509_STORE_new - Create a certificate store;
2. X509_STORE_CTX_new - Create a store context;
3. X509_STORE_add_cert - Add the CA (and all intermediary) certificate(s) to the trusted list of your certificate store (note: there's a function to lookup/load a list);
4. X509_STORE_add_crl - Add the revoked certificates to the CRL of your certificate store (note: same as above);
5. X509_STORE_CTX_init - Initialize your store context, informing your certificate store;
6. X509_STORE_CTX_set_purpose - Define the purpose if you need to;
7. X509_STORE_CTX_set_cert - Tell the context which certificate you're going to validate;
8. X509_verify_cert - Finally, validate it;
9. X509_STORE_CTX_cleanup - If you want to reuse the context to validate another certificate, you clean it up and jump back to (5);
10. Last but not least, deallocate (1) and (2).
I hope this helps many people, because I needed it recently, and it took me a day of searching/reading/testing :-)
Okay, I assume. After I finished my code, I figured out everything I needed was right in the OpenSSL source code. If you need an example, go straight to openssl-xxx/apps/verify.c.