[openssl-users] Certificate Verify and non-root Trust Anchors
mcr at sandelman.ca
Mon Dec 11 23:27:39 UTC 2017
I believe that I ran into a similar problem where by I could not pin
('trust') an intermediate certificate (which was not self-signed) for the
purposes of verifying a CMS/PKCS7 object.
I don't have a solution, and I believe that work is required.
Dr. Pala <director at openca.org> wrote:
> I am trying to verify a certificate and provide the possibility to
> directly trust an intermediate CA's certificate (not self-signed).
> After setting up the STORE and STORE_CTX and add the intermediate CA to
> the trusted certificates, when I use the "X509_verify_cert(ctx)" I get
> the usual "unable to get issuer certificate" - which would be fine for
> a "non-trusted" cert, but I would expect that to not be an issue for a
> trusted certificate.
> Therefore, my question is what is the best method to have that behavior
> I tried to use the certificate callback to do that, but there is no
> function to get the trusted certificates' stack (i.e., there is a
> X509_STORE_CTX_get0_untrusted() but there is no equivalent for the
> trusted certificates' stack) - so I could not verify if the current
> certificate (in the verify callback call) is in the trusted stack or
> Maybe there are flags / trust settings that can be used instead ?
> Cheers, Max
> Best Regards, Massimiliano Pala, Ph.D. OpenCA Labs Director OpenCA
> openssl-users mailing list To unsubscribe:
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] mcr at sandelman.ca http://www.sandelman.ca/ | ruby on rails [
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 487 bytes
Desc: not available
More information about the openssl-users