tags:

views:

2275

answers:

3
+4  Q: 

[Ruby] OpenSSL verify certificate from own CA

Hello all and thanks for your time reading this.

I need to verify certificates issued by my own CA, for which I have a certificate. How can I do the equivalent to openssl's

openssl verify -CAfile

in Ruby code? The RDoc for OpenSSL is not very helpful in this regard. I've tried:

require 'openssl'

ca = OpenSSL::X509::Certificate.new(File.read('ca-cert.pem'))

lic = OpenSSL::X509::Certificate.new(File.read('cert.pem'))

puts lic.verify( ca )

but I get:

test.rb:7:in `verify': wrong argument (OpenSSL::X509::Certificate)!
(Expected kind of OpenSSL::PKey::PKey) (TypeError)
  from test.rb:7

I can't even find "verify" in the OpenSSL Rdoc at http://www.ruby-doc.org/stdlib/libdoc/openssl/rdoc/index.html.

Any help is appreciated. Thanks again!

+4  A: 

You need to validate with

lic.verify(ca.public_key)

in addition before that you can verify certificate issuer with

lic.issuer.to_s == ca.subject.to_s

I used one Japanese help page to get the list of available methods :)

Raimonds Simanovskis  2009-03-31 21:11:02
A: 

I've tried your suggestion, and it still fails to verify:

require 'openssl'

ca = OpenSSL::X509::Certificate.new(File.read('ca.pem'))

lic = OpenSSL::X509::Certificate.new(File.read('lic.pem'))

puts lic.verify( ca.public_key )
puts lic.issuer.to_s == ca.subject.to_s

The output is

false
false

The same files with " openssl verify -CAfile ca.pem lic.pem" :

lic.pem: OK

Any other suggestions?

sardaukar  2009-04-01 08:57:24
Hmm, I tried with my examples and it worked OK. Probably ruby SSL library doesn't recognize your certificate crypto algorythms. Or maybe your Ruby is compiled with old SSL libraries.Can you show what output you get from lic.issuer and ca.subject?
Raimonds Simanovskis  2009-04-01 16:49:05
Maybe you can share some test certificates to me? Then I could try to validate them using my Ruby installation.
Raimonds Simanovskis  2009-04-01 16:52:37
A: 

lic.verify() only verify the key from the certificate that signed lic. Ccommercial root CAs do not sign end user certificates directly. Usually there is one or 2 intermediate signing certificates involved.

So if CA -> signer -> user cert then

lic.verify( signer.public_key) and signer.verify( CA.public_key) will return true but lic.verify( CA.public_key ) will return false.

 2010-05-10 13:40:04

related questions

Best place to get Ruby on Vista up and running as dev environment
How can I encode xml files to xfdl (base64-gzip)?
What is the best way to learn Ruby?
Learning Ruby on Rails any good for Grails?
How to sell Python to a client/boss/person with lots of cash
How do I create a Class using the Singleton Design Pattern in Ruby?
How do I update Ruby Gems from behind a Proxy (ISA-NTLM)
Why Should I Learn Ruby?
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
How do I rake tasks within a ruby script?
Ruby On Rails with Windows Vista - Best Setup?
Mapping values from two array in Ruby
Reverse DNS in Ruby?
Text Editor For Linux (Besides Vi)?
What is good forum software to add to an existing Rails application?
Calling Bash Commands From Ruby
How can I modify .xfdl files? (Update #1)
How do I use (n)curses in Ruby?
Open Source Ruby Projects
How do I fix 'Unprocessed view path found' error with ExceptionNotifier plugin in rails 2.1?
When to use lambda, when to use Proc.new?
Frequent SystemExit in Ruby when making HTTP calls
Implementation of "Remember me" in a Rails application.
.NET Migrations Engine
How do I add existing comments to RDoc in Ruby?