[openssl-users] Certificate Verify and non-root Trust Anchors
Dr. Pala
director at openca.org
Mon Dec 11 22:06:48 UTC 2017
Hi all,
I am trying to verify a certificate and provide the possibility to
directly trust an intermediate CA's certificate (not self-signed). After
setting up the STORE and STORE_CTX and adding the intermediate CA to the
trusted certificates, when I use "X509_verify_cert(ctx)" I get the
usual "unable to get issuer certificate" - which would be fine for a
"non-trusted" cert, but I would expect that to not be an issue for a
trusted certificate.
Therefore, my question is what is the best method to have that behavior?
I tried to use the certificate callback to do that, but there is no
function to get the trusted certificates' stack (i.e., there is a
X509_STORE_CTX_get0_untrusted() but there is no equivalent for the
trusted certificates' stack) - so I could not verify if the current
certificate (in the verify callback call) is in the trusted stack or not...
Maybe there are flags / trust settings that can be used instead?
Cheers,
Max
--
Best Regards,
Massimiliano Pala, Ph.D.
OpenCA Labs Director
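
Added example, not part of the original post: the behaviour described above reproduced with the openssl command-line tool, next to the same verification with the partial-chain flag, which accepts a non-self-signed certificate from the trusted set as the trust anchor. It assumes an openssl binary on PATH; every file and subject name is a constructed throwaway value.

```shell
#!/bin/sh
# Constructed throwaway PKI: root -> intermediate -> leaf (names are made up).
# The CLI option -partial_chain sets X509_V_FLAG_PARTIAL_CHAIN; in C the same
# flag can be set with X509_STORE_set_flags() or X509_VERIFY_PARAM_set_flags()
# before calling X509_verify_cert().

make_pki() {  # $1 = empty working directory
  d=$1
  # The intermediate needs CA:TRUE, otherwise it is rejected as an invalid CA.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' \
    > "$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/int.csr" -days 2 -extfile "$d/ca.ext" \
    -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -out "$d/int.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -days 2 \
    -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -out "$d/leaf.pem" 2>/dev/null
}

# Verify the leaf with ONLY the intermediate trusted (the root is never given).
# $1 = working directory, remaining arguments = extra "openssl verify" options.
verify_leaf() {
  d=$1; shift
  openssl verify "$@" -trusted "$d/int.pem" "$d/leaf.pem" >/dev/null 2>&1
}

dir=$(mktemp -d)
make_pki "$dir" || echo "PKI generation failed"
if verify_leaf "$dir"; then
  echo "default:        accepted"
else
  echo "default:        rejected (issuer of the trusted intermediate not found)"
fi
if verify_leaf "$dir" -partial_chain; then
  echo "-partial_chain: accepted (trusted intermediate used as trust anchor)"
else
  echo "-partial_chain: rejected"
fi
rm -rf "$dir"
```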