Name
x509_certificate_verify — Verifies X.509 certificate
Synopsis
varchar x509_certificate_verify (in cert varchar, in cacerts any, in flags varchar);
Description
This function takes an X.509 certificate and verifies it against a list of CA certificates. It checks certificate attributes such as whether the certificate is self-signed, its expiration date, etc. If an error is detected, it is signalled.
The certificates are passed as strings containing the X.509 certificate binary data in DER (raw) format.
Parameters
cert
The X.509 certificate to be verified
cacerts
An array of strings containing CA certificates
flags
A string containing a comma-separated list of verification options. Each option disables one verification check. See the table below for valid values.
Table 24.116. Values for flags
Option | Description |
---|---|
expired | Do not check for expiration |
self-signed | Do not treat self signed certificate as error |
invalid-ca | Ignore invalid CA |
invalid-purpose | Ignore invalid certificate purpose |
unhandled-extension | Ignore unhandled critical extension |
Return Types
None
Errors
Table 24.117. Errors signalled by x509_certificate_verify
SQLState | Error Code | Error Text | Description |
---|---|---|---|
22023 | CR014 | Invalid certificate | The input can't be decoded as an X.509 certificate |
22023 | CR016 | Can not allocate a X509 store | |
22023 | CR019 | Invalid CA certificate | Some of the CA certificates cannot be loaded due to bad format |
22023 | CR017 | Can not allocate X509 verification context | |
22023 | CR018 | Can not initialize X509 verification context | |
22023 | CR015 | X509 error: [the verification error text] | |
Examples
Example 24.454. Verification of an X.509 certificate
SQL> x509_certificate_verify (file_to_string ('keys/srv/cert.cer'), vector (file_to_string ('keys/srv/ca.cer')), 'self-signed');
Done. -- 29 msec.
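Because the function reports failure only by signalling an error, a caller needs a handler to turn the outcome into a decision. The following Virtuoso/PL wrapper is an added example, not part of the original documentation: the procedure name X509_VERIFY_STRICT is hypothetical, and it assumes that an empty flags string leaves every check enabled.

```sql
-- Added example; X509_VERIFY_STRICT is a hypothetical name, not a Virtuoso built-in.
create procedure DB.DBA.X509_VERIFY_STRICT (in cert_der varchar, in ca_ders any)
{
  -- Every error in the Errors table above is signalled with SQLSTATE 22023,
  -- so one handler covers decode failures, bad CA input and verification errors.
  declare exit handler for sqlstate '22023'
    {
      return sprintf ('REJECTED [%s] %s', __SQL_STATE, __SQL_MESSAGE);
    };

  -- Assumption: an empty flags string relaxes nothing, so expiration,
  -- self-signed, CA, purpose and critical-extension checks all apply.
  x509_certificate_verify (cert_der, ca_ders, '');

  -- Reached only when no error was signalled.
  return 'OK';
}
;

-- Same file paths as Example 24.454, but without the 'self-signed' relaxation.
select DB.DBA.X509_VERIFY_STRICT (
  file_to_string ('keys/srv/cert.cer'),
  vector (file_to_string ('keys/srv/ca.cer')));
```

Treat anything other than 'OK' as a rejected certificate, and log the returned text so that a relaxation flag is added only after the specific failing check has been reviewed.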