X509_build_chain() - Re: Request for Openssl APIs to be used to sort the certificate chain

Brahmaji K brahmaji.k at gmail.com
Mon Oct 9 16:15:35 UTC 2023


Hi David,

Thanks a lot for your reply,

I'll provide more details of my question:
Let's assume I have 4 certs called Cert 1, Cert 2, Cert 3 and Cert 4. Cert
1 is a root cert. Assume the correct cert chain is - Cert 4 || Cert 3 ||
Cert 2 || Cert 1 (here Cert 3 signed Cert 4, Cert 2 signed Cert 3, and Cert 2
is signed by the root cert, i.e., Cert 1). If I got the certificate chain out
of order in a single file as - Cert 3 || Cert 2 || Cert 1 || Cert 4, then is
there a direct way (i.e., with any OpenSSL API(s)) to create the
certificate chain in the correct order as - Cert 4 || Cert 3 || Cert 2 ||
Cert 1?

As you mentioned, I'll try X509_build_chain() and update the result.

*Regards,*
*Brahmaji K*


On Mon, Oct 9, 2023 at 7:02 PM David von Oheimb via openssl-users <
openssl-users at openssl.org> wrote:

> Hi Brahmaji,
>
> what do you mean by 'sorting' a cert chain - making sure they are in the
> order of issuance, starting from a given target cert,
> possibly assuming that the given list/set of certs is already known to be
> complete w.r.t. the given target cert and some trust anchor?
>
> What likely comes very close to what you asked for is the function X509_build_chain()
> added in https://github.com/openssl/openssl/pull/14128.
> You can call it, e.g., like this:
>
> chain = X509_build_chain(target_cert, candidate_certs, NULL /* truststore */, 1, NULL, NULL);
>
> See https://www.openssl.org/docs/manmaster/man3/X509_build_chain.html for
> its man page.
>
>     David
>
>
> On 09.10.23 08:51, Brahmaji K wrote:
>
> Hi Team,
>
> Could you please help provide OpenSSL APIs (or a list of APIs) to be used to
> sort the certificates used in the certificate chain?
>
>