[openssl-users] Certificate Verify and non-root Trust Anchors
Michael Richardson
mcr at sandelman.ca
Mon Dec 11 23:27:39 UTC 2017
I believe that I ran into a similar problem whereby I could not pin
('trust') an intermediate certificate (which was not self-signed) for the
purposes of verifying a CMS/PKCS7 object.
I don't have a solution, and I believe that work is required.
Dr. Pala <director at openca.org> wrote:
> I am trying to verify a certificate and provide the possibility to
> directly trust an intermediate CA's certificate (not self-signed).
> After setting up the STORE and STORE_CTX and add the intermediate CA to
> the trusted certificates, when I use the "X509_verify_cert(ctx)" I get
> the usual "unable to get issuer certificate" - which would be fine for
> a "non-trusted" cert, but I would expect that to not be an issue for a
> trusted certificate.
> Therefore, my question is what is the best method to have that behavior?
> I tried to use the certificate callback to do that, but there is no
> function to get the trusted certificates' stack (i.e., there is a
> X509_STORE_CTX_get0_untrusted() but there is no equivalent for the
> trusted certificates' stack) - so I could not verify if the current
> certificate (in the verify callback call) is in the trusted stack or
> not...
> Maybe there are flags / trust settings that can be used instead?
> Cheers, Max
> --
> Best Regards, Massimiliano Pala, Ph.D., OpenCA Labs Director
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] mcr at sandelman.ca http://www.sandelman.ca/ | ruby on rails [
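The behaviour Dr. Pala describes, reproduced with the openssl command line as an added example that is not from either poster: a leaf is verified with a non-self-signed intermediate as the only trust anchor, first under OpenSSL's default rules (which fail with "unable to get issuer certificate" because the chain does not end at a self-signed certificate) and then with -partial_chain, the command-line form of the X509_V_FLAG_PARTIAL_CHAIN flag that the C API accepts via X509_STORE_set_flags() on the store before X509_STORE_CTX_init(). All file names and subject names below are constructed for the demo, and the script assumes the openssl CLI (1.1.x or later) is installed.

```shell
#!/bin/sh
# Constructed demo: a root -> intermediate -> leaf chain is built from scratch,
# then the leaf is verified with ONLY the (non-self-signed) intermediate as a
# trust anchor, with and without -partial_chain. Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build the throwaway chain; all subjects are made-up demo names.
build_chain() (
    cd "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
        -subj "/CN=Demo Root" -days 1 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
        -subj "/CN=Demo Intermediate" 2>/dev/null
    # Without CA:TRUE the verifier rejects the intermediate as an issuer
    # (X509_V_ERR_INVALID_CA), a different failure from the one in the thread.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -out int.pem -days 1 -extfile ca.ext 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=leaf.example" 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -out leaf.pem -days 1 2>/dev/null
)

# Verify leaf.pem with int.pem as the only trusted certificate. $1 is "" for
# the default behaviour or "-partial_chain" (the CLI form of the
# X509_V_FLAG_PARTIAL_CHAIN store flag). Prints "OK" or the verify error text.
verify_leaf() {
    if out=$(openssl verify ${1:-} -no-CApath -CAfile "$WORK/int.pem" "$WORK/leaf.pem" 2>&1); then
        echo OK
    else
        echo "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
        return 1
    fi
}

build_chain
echo "default:        $(verify_leaf '' || true)"
echo "-partial_chain: $(verify_leaf -partial_chain)"
```

The same switch in C is `X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN)` (or `X509_STORE_CTX_set_flags` on the context), set before calling X509_verify_cert(); the trusted intermediate must still carry basicConstraints CA:TRUE to be accepted as an issuer.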