[openssl-users] Certificate Verify and non-root Trust Anchors

Dr. Pala madwolf at openca.org
Tue Dec 12 00:35:05 UTC 2017

Hi Victor,

On 12/11/17 4:18 PM, Viktor Dukhovni wrote:
> [...]
> Perhaps you ended up creating a parameter structure with a
> depth limit that's too small.  Just configuring partial
> chains will never yield a chain that is longer than it
> otherwise would be.  In fact you generally get shorter
> chains.  So, no this is not a result of using the
> new flag, but may be a result of how you're going about
> setting the flag.
I actually do not set anything but the flag in the verify parameter, 
that is (error checking removed for clarity):

    param = X509_VERIFY_PARAM_new();
    X509_STORE_CTX_set0_param(ctx, param);
    X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_PARTIAL_CHAIN);
    X509_STORE_CTX_set0_trusted_stack(ctx, trustedCerts); //
    trustedCerts has only the SubCA
    ret = X509_verify_cert(ctx);

    fprintf(stderr, "[%s:%d] ctx->error = %d (%s)\n\n", __FILE__, __LINE__,

With this setting, I get the error.. which is the strange part as you 
said (the chain can not be longer :D). Maybe the code thinks that if you 
have a SubCA then you should have an additional level.. and since you do 
not have it, it sends the error... ???
>> ... any suggestion on how to fix this ? Do you think it is actually a bug ? ... or am I missing some other configs / setting I should have done for the verify param ?
> You should obtain a reference to the existing parameters
> from the context, and modify these to add the new flag.
Well.. considering the code structure, the flags should be ok (since I 
just set it and then use it right away...) ???


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20171211/676041e8/attachment-0001.html>

More information about the openssl-users mailing list