[openssl-users] Certificate Verify and non-root Trust Anchors

Viktor Dukhovni openssl-users at dukhovni.org
Mon Dec 11 22:18:53 UTC 2017



> On Dec 11, 2017, at 5:06 PM, Dr. Pala <director at openca.org> wrote:
> 
> Hi all,
> 
> I am trying to verify a certificate and provide the possibility to directly trust an intermediate CA's certificate (not self-signed). After setting up the STORE and STORE_CTX and add the intermediate CA to the trusted certificates, when I use the "X509_verify_cert(ctx)" I get the usual "unable to get issuer certificate" - which would be fine for a "non-trusted" cert, but I would expect that to not be an issue for a trusted certificate.
> 
> Therefore, my question is what is the best method to have that behavior ?
> 
> I tried to use the certificate callback to do that, but there is no function to get the trusted certificates' stack (i.e., there is a X509_STORE_CTX_get0_untrusted() but there is no equivalent for the trusted certificates' stack) - so I could not verify if the current certificate (in the verify callback call) is in the trusted stack or not...
> 
> Maybe there are flags / trust settings that can be used instead ?

It seems we've neglected to document the X509_V_FLAG_PARTIAL_CHAIN
flag, which can be passed to X509_VERIFY_PARAM_set_flags() to
permit intermediate trust-anchors.

https://www.openssl.org/docs/man1.0.2/crypto/X509_VERIFY_PARAM_set_flags.html
https://www.openssl.org/docs/man1.1.0/crypto/X509_VERIFY_PARAM_set_flags.html


-- 
-- 
	Viktor.



More information about the openssl-users mailing list