<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi all,</p>
<p>I am trying to verify a certificate and provide the possibility
to directly trust an intermediate CA's certificate (not
self-signed). After setting up the STORE and STORE_CTX and adding the
intermediate CA to the trusted certificates, when I use
"X509_verify_cert(ctx)" I get the usual "unable to get issuer
certificate" - which would be fine for a "non-trusted" cert, but I
would expect that to not be an issue for a trusted certificate.</p>
<p>Therefore, my question is: what is the best method to get that
behavior?</p>
<p>I tried to use the certificate callback to do that, but there is
no function to get the trusted certificates' stack (i.e., there is
an X509_STORE_CTX_get0_untrusted() but there is no equivalent for
the trusted certificates' stack) - so I could not verify whether the
current certificate (in the verify callback call) is in the
trusted stack or not...</p>
<p>Maybe there are flags / trust settings that can be used instead?</p>
<p>Cheers,<br>
Max</p>
<div class="moz-signature">-- <br>
<div style="color: black; margin-top: 10px;">
Best Regards,
<div style="margin-top: 5px; margin-left: 0px; ">
Massimiliano Pala, Ph.D.<br>
OpenCA Labs Director<br>
</div>
</div>
</div>
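<p>Added example (not part of the original message and not OpenSSL project code): the situation described above, reproduced with the openssl command line on a constructed three-level PKI in which only the non-self-signed intermediate is supplied as trusted. The <code>-partial_chain</code> option sets the <code>X509_V_FLAG_PARTIAL_CHAIN</code> verify flag used by the C API; all subject names, file names and lifetimes are assumptions made for the demo.</p>

```shell
#!/bin/sh
# Added example. Constructed PKI: Demo Root -> Demo Intermediate -> leaf.example.
# Subject names, file names and lifetimes are made up for this demo.

# Build the three certificates in directory $1.
make_pki() {
    d=$1
    # Extensions that make the intermediate a CA certificate.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$d/ca.ext"
    # Root CA (self-signed). It signs the intermediate but is never
    # handed to the verifier below.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    # Intermediate CA: issued by the root, so it is not self-signed.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    # End-entity certificate issued by the intermediate.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Verify the leaf with ONLY the intermediate as trusted input.
# $1 = directory from make_pki, remaining arguments = extra verify options.
# The exit status is that of "openssl verify" (0 only when the chain is accepted).
verify_leaf() {
    d=$1; shift
    openssl verify "$@" -trusted "$d/int.pem" "$d/leaf.pem" 2>&1
}
```

<p>After <code>make_pki "$dir"</code>, <code>verify_leaf "$dir"</code> is rejected because the chain cannot be completed to a self-signed root, while <code>verify_leaf "$dir" -partial_chain</code> accepts the intermediate as the trust anchor.</p>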
</body>
</html>