Aravinda babu wrote:
Hi all,

First of all, thanks for all of your suggestions and information. I got a clear idea of how to do the required thing.
I forgot to mention one thing.

We are making one library for certificate management which will be used by different applications. In that library we have one API which will verify the certificate given as input parameter. So I don't have any SSL context or SSL STORE context with me. The application just passes one certificate as an X509 * and I have to verify that certificate. I think you got my point. My library doesn't have any touch with SSL sessions etc.


Now to verify that certificate I have to prepare a certificate chain from the application-supplied certificate. Is it possible to do this?

With only one certificate?? No! You must at least have the issuer certificate
that signed the certificate you are trying to verify, and you must have
some reason to trust the issuer certificate, i.e. it is in a root store
on the local disk, or supplied with your application, or by the OS vendor...

In some cases there may be an intermediate CA, or CAs. These are then
part of the chain. (SSL may send these, if you were using SSL.)

But in any case, with or without intermediate CAs, you still must
have some way (other than the user sent it to you) to trust the final
certificate in the chain.

Look at the openssl verify command.


Thanks once again to all,

Cheers,
Aravind.

On Thu, Nov 6, 2008 at 8:21 PM, Patrick Patterson <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote:

    Hi Aravind:

    On November 6, 2008 01:51:20 am Aravinda babu wrote:
     > Hi all,
     >
     > Is there any OpenSSL API which will prepare the certificate chain from the
     > peer certificate given as input ????????? I have only peer certificate. I
     > have to build the cert chain from this ....
     >
    This was already answered yesterday - the answer is: If you want to use "raw"
    OpenSSL, then it can be done in the _verify() callbacks. There are many
    examples out there that may give you an idea of how to do this.

    There are also other libraries and systems that already have this work done
    for you, and you just have to call that library's callback in the appropriate
    place in your code (usually in the set verify callback section).

    Please take a look at the messages from yesterday. Is there a single API call
    that will do this? - no. And depending on what you mean by "prepare a
    certificate chain", you will have different requirements. If you want to do
    full Path Discovery and Validation (build the certification chain back to a
    pre-established trust anchor, using certificates that you may or may not
    already have, and verify and validate each link in that chain using the
    algorithms from PKIX) then something like the Pathfinder callback (I won't
    link to it again, please check the previous post) is what you want. If you
    only want to check the signatures and perform some cursory checks, then the
    existing OpenSSL APIs have this covered. If you want to know how to write
    that code, then I would suggest picking up the O'Reilly OpenSSL book, or
    looking at the code in the OpenSSL source tree - there are many examples in
    there already that may do what you want.

    Or, you could hire someone to do the integration for you. :)

    Have fun.

    --
    Patrick Patterson
    President and Chief PKI Architect,
    Carillon Information Security Inc.
    http://www.carillon.ca
    ______________________________________________________________________
    OpenSSL Project                                 http://www.openssl.org
    User Support Mailing List                    [EMAIL PROTECTED]
    Automated List Manager                           [EMAIL PROTECTED]



--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
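To make the three cases in the reply above concrete (trust anchor plus intermediate, trust anchor without the intermediate, and the lone certificate Aravind's library would receive), here is an added shell example built around the `openssl verify` command Douglas points to. It is not code from the thread or from OpenSSL; it generates a throw-away root, intermediate and leaf in a temporary directory, so every key, name and certificate in it is constructed.

```bash
#!/bin/sh
# Constructed demo PKI: root CA -> intermediate CA -> leaf. All material is
# generated fresh in a temp dir and deleted on exit; nothing here is real.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$WORK/leaf.ext"

# issue NAME SUBJECT EXTFILE [ISSUER]: EC key + CSR, then a 1-day certificate.
# Without an issuer the CSR is self-signed (that is our root / trust anchor).
issue() {
  name=$1; subj=$2; ext=$3; issuer=${4:-}
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORK/$name.key" 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -subj "$subj" \
    -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    signer="-signkey $WORK/$name.key"
  else
    signer="-CA $WORK/$issuer.pem -CAkey $WORK/$issuer.key -CAcreateserial"
  fi
  # $signer is deliberately unquoted so its options are split into words.
  openssl x509 -req -in "$WORK/$name.csr" $signer -days 1 \
    -extfile "$WORK/$ext" -out "$WORK/$name.pem" 2>/dev/null
}
issue root  "/CN=Demo Root CA"         ca.ext
issue inter "/CN=Demo Intermediate CA" ca.ext   root
issue leaf  "/CN=demo.example"         leaf.ext inter

# Case 1: trust anchor from "local disk" plus the intermediate supplied as
# untrusted chain material. The chain leaf -> inter -> root builds: succeeds.
verify_with_chain() {
  openssl verify -no-CApath -CAfile "$WORK/root.pem" \
    -untrusted "$WORK/inter.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}
# Case 2: trust anchor present but the intermediate is missing, so the issuer
# of the leaf cannot be found and the chain cannot be completed: fails.
verify_without_intermediate() {
  openssl verify -no-CApath -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}
# Case 3: only the leaf, no trust anchor at all (the situation in the
# original question): nothing to anchor the chain to, so it fails.
verify_leaf_only() {
  openssl verify -no-CAfile -no-CApath "$WORK/leaf.pem" >/dev/null 2>&1
}

for f in verify_with_chain verify_without_intermediate verify_leaf_only; do
  if $f; then echo "$f: OK"; else echo "$f: verification failed"; fi
done
```

Inside a C library the same three inputs are an `X509_STORE` holding the trust anchors, a `STACK_OF(X509)` of untrusted intermediates and the `X509 *` being checked, handed to `X509_STORE_CTX_init()` and `X509_verify_cert()`; no SSL object is involved.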
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
