Thanks for all the responses,

I have a question about the following method:

int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
                         X509 *x509, STACK_OF(X509) *chain);

If I understand this correctly, the argument 'x509' is the cert that you want to be verified, and the 'chain' is the chain of untrusted certificates (leading up to a cert that is trusted or root, right?). So if one calls X509_verify_cert(X509_STORE_CTX); it would verify the x509 cert specified as well as all the chain. Is that correct?
Also, how do I get a STACK_OF(X509) from files containing PEM certs?

-kb

From: Marek Marcola <[EMAIL PROTECTED]>
Reply-To: openssl-users@openssl.org
To: openssl-users@openssl.org
Subject: Re: Validating Cert Chain
Date: Sat, 26 Aug 2006 01:22:19 +0200

Hello,
> Hi,
> How do I validate a certificate chain? Is there an EVP API for it?
> Thanks
If we are talking about verifying an X509 cert against CA certs, this
may be done, for example, like:
-----------------------------

#include <stdio.h>
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>
#include <openssl/pem.h>

/* Verify cert.pem against the CAs in cacert.pem plus the default CA
 * paths. Returns 1 on success, 0 on failure. */
int verify_cert(void)
{
    FILE *fp = NULL;
    X509_STORE *CAcerts = NULL;
    X509 *cert = NULL;
    X509_STORE_CTX *ca_ctx = NULL;
    const char *strerr;
    int ret = 0;

    /* load CA cert store */
    if (!(CAcerts = X509_STORE_new())) {
        goto err;
    }
    if (X509_STORE_load_locations(CAcerts, "cacert.pem", NULL) != 1) {
        goto err;
    }
    if (X509_STORE_set_default_paths(CAcerts) != 1) {
        goto err;
    }

    /* load X509 certificate */
    if (!(fp = fopen("cert.pem", "r"))) {
        goto err;
    }
    if (!(cert = PEM_read_X509(fp, NULL, NULL, NULL))) {
        goto err;
    }

    /* verify: no untrusted chain is supplied (last argument NULL), so
     * every issuer up to the root has to be found in the store */
    if (!(ca_ctx = X509_STORE_CTX_new())) {
        goto err;
    }
    if (X509_STORE_CTX_init(ca_ctx, CAcerts, cert, NULL) != 1) {
        goto err;
    }
    if (X509_verify_cert(ca_ctx) != 1) {
        /* use the accessor instead of reading ca_ctx->error directly:
         * the struct is opaque in newer OpenSSL releases */
        strerr = X509_verify_cert_error_string(X509_STORE_CTX_get_error(ca_ctx));
        printf("Verification error: %s\n", strerr);
        goto err;
    }
    ret = 1;

err:
    if (fp)
        fclose(fp);
    if (ca_ctx)
        X509_STORE_CTX_free(ca_ctx);
    if (cert)
        X509_free(cert);
    if (CAcerts)
        X509_STORE_free(CAcerts);
    return ret;
}

Hope this helps.

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]

