Hello all and thanks for your time reading this.

I need to verify certificates issued by my own CA, for which I have a certificate. How can I do the equivalent to openssl's

openssl verify -CAfile

in Ruby code? The RDoc for OpenSSL is not very helpful in this regard. I've tried:

require 'openssl'

ca = OpenSSL::X509::Certificate.new(File.read('ca-cert.pem'))
lic = OpenSSL::X509::Certificate.new(File.read('cert.pem'))

puts lic.verify( ca )

but I get:

test.rb:7:in `verify': wrong argument (OpenSSL::X509::Certificate)!
(Expected kind of OpenSSL::PKey::PKey) (TypeError)
  from test.rb:7

I can't even find "verify" in the OpenSSL Rdoc at http://www.ruby-doc.org/stdlib/libdoc/openssl/rdoc/index.html.

Any help is appreciated. Thanks again!

+4  A: 

You need to validate with

lic.verify(ca.public_key)

In addition, before that you can verify the certificate issuer with

lic.issuer.to_s == ca.subject.to_s

I used one Japanese help page to get the list of available methods :)

Raimonds Simanovskis
A: 

I've tried your suggestion, and it still fails to verify:

require 'openssl'

ca = OpenSSL::X509::Certificate.new(File.read('ca.pem'))
lic = OpenSSL::X509::Certificate.new(File.read('lic.pem'))

puts lic.verify( ca.public_key )
puts lic.issuer.to_s == ca.subject.to_s

The output is

false
false

The same files with "openssl verify -CAfile ca.pem lic.pem":

lic.pem: OK

Any other suggestions?

sardaukar
Hmm, I tried with my examples and it worked OK. Probably the Ruby SSL library doesn't recognize your certificate crypto algorithms. Or maybe your Ruby is compiled with old SSL libraries. Can you show what output you get from lic.issuer and ca.subject?
Raimonds Simanovskis
Maybe you can share some test certificates to me? Then I could try to validate them using my Ruby installation.
Raimonds Simanovskis
A: 

lic.verify() only verifies the key from the certificate that signed lic. Commercial root CAs do not sign end user certificates directly. Usually there are one or two intermediate signing certificates involved.

So if CA -> signer -> user cert then

lic.verify( signer.public_key) and signer.verify( CA.public_key) will return true but lic.verify( CA.public_key ) will return false.
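As an added Ruby example (not code from the question or from any of the answers above), the following builds a small constructed test PKI in memory, a self-signed root, an intermediate, a leaf issued through the intermediate and a second leaf issued directly by the root like the question's case, and then contrasts the two things discussed in this thread: Certificate#verify(public_key), which only checks one signature against one key, and OpenSSL::X509::Store#verify, which walks the whole chain and is the actual Ruby equivalent of `openssl verify -CAfile ca.pem [-untrusted inter.pem] lic.pem`. All names, serials and keys are constructed for the example.

```ruby
require 'openssl'

# Issue an X.509 v3 certificate. issuer_cert nil means self-signed (root).
def make_cert(subject:, key:, serial:, ca:, issuer_key:, issuer_cert: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                   # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    # A CA that may sign other certificates; modern OpenSSL rejects chains
    # through a CA whose keyUsage lacks keyCertSign.
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  end
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed PKI: root -> intermediate -> leaf, plus a leaf signed by the root.
def build_test_pki
  ca_key    = OpenSSL::PKey::RSA.generate(2048)
  inter_key = OpenSSL::PKey::RSA.generate(2048)
  leaf_key  = OpenSSL::PKey::RSA.generate(2048)
  ca     = make_cert(subject: '/CN=Example Root CA', key: ca_key, serial: 1,
                     ca: true, issuer_key: ca_key)
  inter  = make_cert(subject: '/CN=Example Intermediate CA', key: inter_key, serial: 2,
                     ca: true, issuer_key: ca_key, issuer_cert: ca)
  leaf   = make_cert(subject: '/CN=lic-via-intermediate', key: leaf_key, serial: 3,
                     ca: false, issuer_key: inter_key, issuer_cert: inter)
  direct = make_cert(subject: '/CN=lic-direct', key: leaf_key, serial: 4,
                     ca: false, issuer_key: ca_key, issuer_cert: ca)
  { ca: ca, inter: inter, leaf: leaf, direct: direct }
end

# What Certificate#verify(pubkey) answers: "was THIS cert signed by THIS key?"
def signature_checks(pki)
  {
    direct_by_root:      pki[:direct].verify(pki[:ca].public_key),   # true
    leaf_by_root:        pki[:leaf].verify(pki[:ca].public_key),     # false: root never signed it
    leaf_by_inter:       pki[:leaf].verify(pki[:inter].public_key),  # true
    inter_by_root:       pki[:inter].verify(pki[:ca].public_key),    # true
    leaf_issuer_is_root: pki[:leaf].issuer.to_s == pki[:ca].subject.to_s # false
  }
end

# Chain verification, the equivalent of `openssl verify -CAfile`: trusted_cas
# plays the role of -CAfile, untrusted plays -untrusted. Returns [ok, reason].
def verify_chain(leaf, trusted_cas, untrusted = [])
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |c| store.add_cert(c) }
  ok = store.verify(leaf, untrusted)
  [ok, store.error_string]
end

if $PROGRAM_NAME == __FILE__
  pki = build_test_pki
  signature_checks(pki).each { |k, v| puts "#{k}: #{v}" }
  puts 'direct, -CAfile root:          %s (%s)' % verify_chain(pki[:direct], [pki[:ca]])
  puts 'leaf, -CAfile root:            %s (%s)' % verify_chain(pki[:leaf], [pki[:ca]])
  puts 'leaf, -CAfile root -untrusted: %s (%s)' % verify_chain(pki[:leaf], [pki[:ca]], [pki[:inter]])
end
```

For a leaf issued directly by the CA, `store.verify(lic)` with only `ca` in the store returns true, which is the question's scenario and what `openssl verify -CAfile ca.pem lic.pem` reports as OK. For a leaf issued through an intermediate, the same store returns false (store.error_string explains why, the issuer could not be found) until the intermediate is passed as the untrusted chain, exactly as `-untrusted inter.pem` does on the command line. To verify real files, replace the constructed certificates with `OpenSSL::X509::Certificate.new(File.read(...))`; the store also enforces validity dates and CA constraints, which a bare `Certificate#verify(public_key)` does not.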