<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi Viktor,</p>
<div class="moz-cite-prefix">On 12/11/17 4:18 PM, Viktor Dukhovni
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:30B1FCD4-95F6-4D95-B971-1A751C8FF8D5@dukhovni.org">[...]
<br>
<br>
Perhaps you ended up creating a parameter structure with a<br>
depth limit that's too small. Just configuring partial<br>
chains will never yield a chain that is longer than it<br>
otherwise would be. In fact you generally get shorter<br>
chains. So, no this is not a result of using the<br>
new flag, but may be a result of how you're going about<br>
setting the flag.<br>
</blockquote>
I actually do not set anything but the flag in the verify parameter,
that is (error checking removed for clarity):
<blockquote>
<p><tt>param = X509_VERIFY_PARAM_new();<br>
X509_STORE_CTX_set0_param(ctx, param);<br>
X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_PARTIAL_CHAIN);<br>
X509_STORE_CTX_set0_trusted_stack(ctx, trustedCerts); //
trustedCerts has only the SubCA<br>
ret = X509_verify_cert(ctx);<br>
<br>
fprintf(stderr, "[%s:%d] ctx->error = %d (%s)\n\n",
__FILE__, __LINE__, <br>
X509_STORE_CTX_get_error(ctx),<br>
X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)));<br>
<br>
</tt></p>
</blockquote>
With this setting, I get the error.. which is the strange part as
you said (the chain can not be longer :D). Maybe the code thinks
that if you have a SubCA then you should have an additional level..
and since you do not have it, it sends the error... ???
<blockquote type="cite"
cite="mid:30B1FCD4-95F6-4D95-B971-1A751C8FF8D5@dukhovni.org">
<blockquote type="cite">
<pre wrap="">... any suggestion on how to fix this ? Do you think it is actually a bug ? ... or am I missing some other configs / setting I should have done for the verify param ?
</pre>
</blockquote>
<pre wrap="">
You should obtain a reference to the existing parameters
from the context, and modify these to add the new flag.
</pre>
</blockquote>
Well.. considering the code structure, the flags should be ok (since
I just set it and then use it right away...) ???<br>
<br>
Thanks,<br>
Max<br>
<br>
</body>
</html>