Richard Levitte - VMS Whacker wrote:
>
>
> OK, I see what you mean. What is happening is that get_cert_chain()
> in apps/pkcs12.c does a "verification" of the cert against an empty
> certificate store. However, it does call X509_STORE_set_default_paths(),
> which fills in the defaults you see. From what I can see, this is
> unconditional.
>
> Personally, I've no problem with those defaults as they are, and the
> X509_get_default_*() functions are designed to give the library-
> specific defaults. What I do have a problem with is the way
> get_cert_chain() in pkcs12.c is designed, as it takes no external
> input whatsoever except for the cert to be exported.
>
> Steve, since you've made this thingy, perhaps you can tell us the
> reason for the current design, if there is any?
>
Yes, there isn't any ;-)
Actually the -chain option doesn't do anything special other than
automatically add the correct certificate chain; the same functionality
can be obtained with the -certfile option if you manually work out the
chain.
I suppose it would be better if it included standard -CAfile and -CApath
arguments.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]