Aravinda babu wrote:
Hi all,

Is there any OpenSSL API which will prepare the certificate chain from the peer certificate given as input? I have only the peer certificate. I have to build the cert chain from this ...

As Patrick pointed out, you can use raw OpenSSL, for example the Globus
code used to do this:

     SSL_CTX_set_verify(context->cred_handle->pcd->gs_ctx,
        SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
        proxy_verify_callback);


 /**********************************************************************
Function: proxy_verify_callback()
...
    Also on the server side, the s3_srvr.c code does not appear
    to save the peer cert_chain, like the client side does.
    We need these for additional proxies, so we need to
    copy the X509 to our own stack.
...
int
proxy_verify_callback(int ok, X509_STORE_CTX * ctx)
{
...
    /*
     * If we are being called recursively to check delegate
     * cert chains, or being called by the grid-proxy-init,
     * a pointer to a proxy_verify_desc will be
     * passed in the store.  If we are being called by SSL,
     * by a roundabout process, the app_data of the ctx points at
     * the SSL. We have saved a pointer to the context handle
     * in the SSL, and its magic number should be PVD_MAGIC_NUMBER
     */
    if ((pvd = (proxy_verify_desc *)X509_STORE_CTX_get_ex_data(ctx,
                PVD_STORE_EX_DATA_IDX))) {
#ifdef DEBUG
        fprintf(stderr, "Called with alternate ex_data\n");
#endif
    } else {
        ssl = (SSL *)X509_STORE_CTX_get_app_data(ctx);
        pvd = (proxy_verify_desc *)SSL_get_ex_data(ssl,
                    PVD_SSL_EX_DATA_IDX);
    }

    /*
     * For now we hardcode the ex_data. We could look at all
     * ex_data to find ours.
     * Double check that we are indeed pointing at the context
     * handle. If not, we have an internal error, SSL may have changed
     * how the callback and app_data are handled
     */
...

    /* We need to make up a cert_chain if we are the server.
     * The ssl code does not save this as I would expect.
     * This is used to create a new proxy by delegation.
     * The verify callback is invoked once per certificate in the
     * chain (root first), so each call copies the certificate under
     * inspection onto our own stack. X509_STORE_CTX_get_current_cert()
     * is the accessor for that certificate and works across OpenSSL
     * versions, including 1.1.0+ where the ctx struct is opaque.
     */

    if (pvd->cert_chain == NULL) {
        pvd->cert_chain = sk_X509_new_null();
    }
    sk_X509_push(pvd->cert_chain,
                 X509_dup(X509_STORE_CTX_get_current_cert(ctx)));

Thanks in advance,
Aravind.

--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [EMAIL PROTECTED]
