[openssl-users] Certificate Verify and non-root Trust Anchors

Dr. Pala madwolf at openca.org
Mon Dec 11 23:03:51 UTC 2017

Hi Victor,

thanks :D I just tried to set it and I get a different error now : 22 
(certificate chain too long)... I suspect it is a side effect of using 
the  X509_V_FLAG_PARTIAL_CHAIN flag... ? (no chain restrictions are set 
in the certificates themselves...), but I have not dug into the vfy code 

... any suggestion on how to fix this ? Do you think it is actually a 
bug ? ... or am I missing some other configs / setting I should have 
done for the verify param ?


On 12/11/17 3:18 PM, Viktor Dukhovni wrote:
>> On Dec 11, 2017, at 5:06 PM, Dr. Pala <director at openca.org> wrote:
>> Hi all,
>> I am trying to verify a certificate and provide the possibility to directly trust an intermediate CA's certificate (not self-signed). After setting up the STORE and STORE_CTX and add the intermediate CA to the trusted certificates, when I use the "X509_verify_cert(ctx)" I get the usual "unable to get issuer certificate" - which would be fine for a "non-trusted" cert, but I would expect that to not be an issue for a trusted certificate.
>> Therefore, my question is what is the best method to have that behavior ?
>> I tried to use the certificate callback to do that, but there is no function to get the trusted certificates' stack (i.e., there is a X509_STORE_CTX_get0_untrusted() but there is no equivalent for the trusted certificates' stack) - so I could not verify if the current certificate (in the verify callback call) is in the trusted stack or not...
>> Maybe there are flags / trust settings that can be used instead ?
> It seems we've neglected to document the X509_V_FLAG_PARTIAL_CHAIN
> flag, which can be passed to X509_VERIFY_PARAM_set_flags() to
> permit intermediate trust-anchors.
> https://www.openssl.org/docs/man1.0.2/crypto/X509_VERIFY_PARAM_set_flags.html
> https://www.openssl.org/docs/man1.1.0/crypto/X509_VERIFY_PARAM_set_flags.html

More information about the openssl-users mailing list