Name

x509_certificate_verify — Verifies X.509 certificate

Synopsis

varchar x509_certificate_verify ( in cert varchar ,
in cacerts any ,
in flags varchar );

Description

This function takes an X.509 certificate and verifies it against a list of CA certificates. It checks various certificate attributes, such as whether the certificate is self-signed, whether it has expired, and so on. If an error is detected it is signalled.

The certificates are passed as strings containing the X.509 certificate binary data in DER (raw) format.

Parameters

cert

The X.509 certificate to be verified

cacerts

An array of strings containing the CA certificates

flags

A string containing a comma-separated list of verification options. See the table below for valid values.

Table 24.117. Values for flags

Option               Description
expired              Do not check for expiration
self-signed          Do not treat a self-signed certificate as an error
invalid-ca           Ignore an invalid CA
invalid-purpose      Ignore an invalid certificate purpose
unhandled-extension  Ignore an unhandled critical extension

Return Types

None

Errors

Table 24.118. Errors signalled by x509_certificate_verify

SQLState  Error Code  Error Text                                     Description
22023     CR014       Invalid certificate                            The input can't be decoded as an X.509 certificate
22023     CR016       Can not allocate a X509 store
22023     CR019       Invalid CA certificate                         Some of the CA certificates can not be loaded due to bad format
22023     CR017       Can not allocate X509 verification context
22023     CR018       Can not initialize X509 verification context
22023     CR015       X509 error: [the verification error text]

Examples

Example 24.454. Verification of an X.509 certificate

    SQL> x509_certificate_verify (file_to_string ('keys/srv/cert.cer'), vector (file_to_string ('keys/srv/ca.cer')), 'self-signed');

    Done. -- 29 msec.
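The following Virtuoso/PL procedure is an added example, not part of the original reference page: it runs x509_certificate_verify with an empty flags string, so every check stays enabled, and converts the SQLState 22023 error into a returned message so a caller can log which check failed. The procedure name DB.DBA.CERT_VERIFY_STRICT and the file paths are assumptions; file_to_string can only read from directories the server is configured to allow.

```sql
-- Added example: strict verification of a DER certificate against
-- several CA certificates, returning the failure text instead of raising.
create procedure DB.DBA.CERT_VERIFY_STRICT (in cert_path varchar, in ca_paths any)
{
  declare cas any;
  declare i int;

  -- Build the cacerts array from the DER files named in ca_paths.
  cas := vector ();
  for (i := 0; i < length (ca_paths); i := i + 1)
    cas := vector_concat (cas, vector (file_to_string (ca_paths[i])));

  -- CR014/CR015/CR019 and the allocation errors all use SQLState 22023.
  -- __SQL_STATE and __SQL_MESSAGE carry the signalled error into the handler.
  declare exit handler for sqlstate '22023'
    {
      return concat ('FAILED ', __SQL_STATE, ': ', __SQL_MESSAGE);
    };

  -- Empty flags: expiry, self-signed, CA validity, purpose and critical
  -- extensions are all enforced. Passing e.g. 'expired' would disable one check.
  x509_certificate_verify (file_to_string (cert_path), cas, '');
  return 'OK';
}
;

-- Assumed paths; the second CA file is only there to show the array form.
select DB.DBA.CERT_VERIFY_STRICT ('keys/srv/cert.cer',
                                  vector ('keys/srv/ca.cer', 'keys/srv/ca-old.cer'));
```

A self-signed certificate verified this way returns the CR015 text rather than 'OK', which is the intended outcome when the 'self-signed' flag is not passed.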