Thanks for all the responses,
I have a question about the following method:
int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
X509 *x509, STACK_OF(X509) *chain);
If I understand this correctly, the argument 'x509' is the cert that you want
to be verified & the 'chain' is the chain of untrusted certificates (leading
up to a cert that is trusted or root, right?).
So if one calls X509_verify_cert(X509_STORE_CTX); it would verify the x509
cert specified as well as all the chain. Is that correct?
Also, how do I get a STACK_OF(X509) from files containing PEM certs?
-kb
From: Marek Marcola <[EMAIL PROTECTED]>
Reply-To: openssl-users@openssl.org
To: openssl-users@openssl.org
Subject: Re: Validating Cert Chain
Date: Sat, 26 Aug 2006 01:22:19 +0200
Hello,
> Hi,
> How do I validate a certificate chain? Is there an EVP API for it?
> thanks
If we are talking about verifying an X509 cert against CA certs, this
may be done, for example, like:
-----------------------------
    FILE *fp;
    X509_STORE *CAcerts;
    X509 *cert;
    X509_STORE_CTX ca_ctx;   /* stack-allocated: needs OpenSSL before 1.1.0 */
    char *strerr;

    /* load CA cert store */
    if (!(CAcerts = X509_STORE_new())) {
        goto err;
    }
    if (X509_STORE_load_locations(CAcerts, "cacert.pem", NULL) != 1) {
        goto err;
    }
    if (X509_STORE_set_default_paths(CAcerts) != 1) {
        goto err;
    }

    /* load X509 certificate */
    if (!(fp = fopen("cert.pem", "r"))) {
        goto err;
    }
    if (!(cert = PEM_read_X509(fp, NULL, NULL, NULL))) {
        goto err;
    }
    fclose(fp);

    /* verify */
    if (X509_STORE_CTX_init(&ca_ctx, CAcerts, cert, NULL) != 1) {
        goto err;
    }
    if (X509_verify_cert(&ca_ctx) != 1) {
        strerr = (char *) X509_verify_cert_error_string(ca_ctx.error);
        printf("Verification error: %s\n", strerr);
        goto err;
    }

    /* release the verification context, then the store and the certificate */
    X509_STORE_CTX_cleanup(&ca_ctx);
    X509_STORE_free(CAcerts);
    X509_free(cert);
Hope this helps.
Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]