So I'm attempting to verify a certificate with OpenSSL 0.9.7 snapshot
(various versions). I trust my own CA, whose certificate is issued by a
Root (self-signed) CA that I do not wish to trust, because it has also
issued a CA certificate to Bad Guy Incorporated.
Right now if I build a chain up to my trusted sub-CA and call
X509_verify_cert, I get X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT or
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY errors, apparently because
the verifier is trying to chain all the way up to a self-signed root
certificate.
If I override those errors (carefully, of course), I then get
CERT_V_ERR_CERT_UNTRUSTED errors, because OpenSSL by default only trusts
self-signed certificates.
I can override these errors with a simple heuristic (check to see if the
certificate in question is my trusted sub-CA cert, and reset the error
if it matches), but I'm wondering if there is a better way to support
sub-CAs?
(It gets worse; I'm also calling an OCSP Responder for Sub-CA, and
OCSP_basic_verify checks to see if my Sub-CA is trusted for OCSP
Signing, although in this case I don't understand why self-signed
certificates are trusted and my sub-CA isn't).
--
Harald Koch <[EMAIL PROTECTED]>
"It takes a child to raze a village."
-Michael T. Fry
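The behaviour described in the post (chain building refuses to stop at a trusted but non-self-signed sub-CA, and so fails with X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) is easiest to see in a small model of the path-building loop. The following is an added example and not OpenSSL code or anything from the list thread: it is a simplified, constructed simulation in which certificates are just (subject, issuer) pairs, signatures are assumed valid, and the status strings stand in for the OpenSSL constants of the same name. The `partial_chain` flag models what OpenSSL 1.0.2 and later expose as `X509_V_FLAG_PARTIAL_CHAIN`; the names "Root CA", "My Sub-CA", "Bad Guy Inc CA", "server.example" and "evil.example" are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X509 certificate: only the names matter here."""
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Status strings named after the OpenSSL verify result codes they model.
X509_V_OK = "X509_V_OK"
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT = "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT"
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY"
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN"


def find_issuer(cert, pool):
    """Return the first certificate in `pool` whose subject matches cert.issuer."""
    return next((c for c in pool if c.subject == cert.issuer), None)


def verify(leaf, untrusted, trusted, partial_chain=False):
    """Simplified model of X509_verify_cert's chain building.

    Default (strict) mode: the chain is only accepted when it ends at a
    self-signed certificate that is in the trust store.
    partial_chain mode: any certificate in the trust store ends the chain,
    so a sub-CA can act as the trust anchor.
    Returns (status, chain_built_so_far).
    """
    chain = [leaf]
    top_from_trusted = False  # was chain[-1] taken from the trust store?
    while len(chain) <= 16:   # depth guard, mirrors a verify-depth limit
        cur = chain[-1]
        if cur in trusted and (partial_chain or cur.self_signed):
            return X509_V_OK, chain
        if cur.self_signed:
            # Reached a root that is not in the trust store.
            return X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, chain
        issuer = find_issuer(cur, trusted)
        if issuer is not None:
            next_from_trusted = True
        else:
            issuer = find_issuer(cur, untrusted)
            next_from_trusted = False
        if issuer is None:
            # OpenSSL distinguishes "no issuer anywhere for a cert we got from
            # the untrusted bundle" (LOCALLY) from "the trust store supplied a
            # cert whose own issuer cannot be found" (approximated here).
            code = (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT if top_from_trusted
                    else X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
            return code, chain
        chain.append(issuer)
        top_from_trusted = next_from_trusted
    return X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, chain


# Constructed hierarchy matching the scenario in the post.
ROOT = Cert("Root CA", "Root CA")                # self-signed, deliberately NOT trusted
MY_CA = Cert("My Sub-CA", "Root CA")             # the only trust anchor we want
BAD_CA = Cert("Bad Guy Inc CA", "Root CA")       # sibling sub-CA under the same root
MY_LEAF = Cert("server.example", "My Sub-CA")
BAD_LEAF = Cert("evil.example", "Bad Guy Inc CA")


def demo():
    """Run the four cases a practitioner would want to compare."""
    trusted = {MY_CA}
    return {
        # Strict mode: chain reaches My Sub-CA, then cannot find Root CA.
        "strict": verify(MY_LEAF, [], trusted)[0],
        # Partial chain: My Sub-CA itself terminates the chain.
        "partial": verify(MY_LEAF, [], trusted, partial_chain=True)[0],
        # Bad Guy's leaf with the root supplied as untrusted: root is not an anchor.
        "bad_with_root": verify(BAD_LEAF, [BAD_CA, ROOT], trusted, partial_chain=True)[0],
        # Bad Guy's leaf without the root at all.
        "bad_no_root": verify(BAD_LEAF, [BAD_CA], trusted, partial_chain=True)[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:14s} {status}")
```

The point of the model is that the trust decision hinges on how the chain-building loop terminates, not on signature checks: in strict mode the sub-CA is merely an intermediate and the verifier keeps walking toward a self-signed root, which is exactly why the poster sees the "unable to get issuer" errors. In real OpenSSL this termination rule is switched with `X509_V_FLAG_PARTIAL_CHAIN` (via `X509_STORE_set_flags` or `X509_VERIFY_PARAM_set_flags`), which first appeared in OpenSSL 1.0.2 and so is not available in the 0.9.7 snapshots the post refers to; a callback that resets the error only when the offending certificate is the known sub-CA, as the poster describes, is the pre-1.0.2 workaround for the same effect. Note that the sibling sub-CA's leaf still fails under the partial-chain rule, since neither "Bad Guy Inc CA" nor "Root CA" is in the trust store.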
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]