How to verify digital certificate by CA's public key

Question

I am studying the digital certificates in PKI ( Public Key Infrastructure ). Almost all manuals / pages regarding this give following similar steps.

1. Get subject identity + subject public key, (AND/OR Encrypted Message hash with subject's private key) and build a certificate.
2. Sign certificate with CA's private key
3. At destination, verify certificate with CA's public key

Now I am able to find way in php (using openssl lib) to for 1st and 2nd step which can generate a certificate and sign it ( optionally generate a signature hash and sign it too ) through openssl APIs.

But Issue with third step, Their are no guide line or function call which show how to verify certificate with CA's public key.

If I am missing something ?

Example code I checking is like below

$data = 'my data';

//create new private and public key
$req_key = openssl_pkey_new(array(
    "private_key_bits" => 2048,
    "private_key_type" => OPENSSL_KEYTYPE_RSA,
));

$dn = array(
                "countryName"            => "IN",
                "stateOrProvinceName"    => "Delhi",
                "organizationName"       => "example.net",
                "organizationalUnitName" => "Security",
                "commonName"             => "example.net"
                );
$req_csr  = openssl_csr_new ($dn, $req_key);
$req_cert = openssl_csr_sign($req_csr, null, $req_key, 365);
openssl_x509_export ($req_cert, $out_cert);

echo $out_cert;

BACKGROUND : I need to implement PKI based data sharing/validating for some application. It would be involve some data entity (data entity would have its on public and private key) encrypted at source side and then send to destination. Then destination decrypt and get clear data. But that whole must involve PKI that means digital signature + digital certificate implementation along with.

Answer 1

This task isn't pretty straightforward in PHP. In fact, PHP isn't good tool for implementing CA stuff. It supports basic PKI operations but that's all. I see three options:

1. X.509 is just DER encoded ASN.1 structure. You can inspect it with guiDumpASN-ng for example. There are also some ASN.1 libraries in PHP world. Basicaly, the CA signature is inside certificate. If you'll able to extract it, you can then verify digital signature on your own.

http://php.net/manual/en/function.openssl-verify.php#98282

2. Try to use function like openssl-x509-checkpurpose that should be able to check certificate chain.

3. Try to use phpseclib - look at Validate X.509 certificates -> validateSignature().

I hope it will help you a little bit.

Answer 2

Do not mess up with implementing certificates validation by yourself but look for an implementation of the CPV (Certification Path Validation) algorithm, which includes all the validations required to be performed in a certification chain, where certificate signature validation is only one of them.

Now, I've been looking for a PHP API to perform CPV but I found none so I resorted to execute the following external OpenSSL command from PHP:

exec("openssl verify -CAfile trusted_root_cas.pem -untrusted intermediate_cas.pem endentity_cert.pem", $output, $return_var);
if ($return_var == 0) {
    echo "Certification path validation completed successfully";
} else {
    echo "Certification path validation completed with errors";
}

Where all trusted_root_cas.pem, intermediate_cas.pem and endentity_cert.pem could be temporal files created just for the execution of the previous command.

Now, if you want to know what openssl verify does, execute man verify:

The verify command verifies certificate chains.