On Thu, Feb 11, 2010 at 1:31 PM, <skillz...@gmail.com> wrote: > I have a DER-encoded PKCS#7 file that I'd like to extract the > certificate from, verify that certificate against a specific sub-CA > certificate, then use the certificate's public key to verify a > signature. > > I looked at the code for the pkcs7 tool and it looks directly inside > the PKCS7 object to check the type and extract the X509 certificates. > Is that the best way to do it? Is there a way that doesn't require > relying on the internal structure of the PKCS7 object? > > When I try to verify the certificate, it fails with "unable to get > local issuer certificate". However, I've added my sub-CA certificate > to the X509_STORE object and if I look inside the certificate I'm > verifying, its X509v3 Authority Key Identifier matches the sub-CA's > X509v3 Subject Key Identifier. I've verified using another tool > (Keychain on a Mac, which may use OpenSSL underneath) that the > certificate chain is valid. I'm able to use OpenSSL programmatically > verify that the sub-CA certificate is valid against the root, but not > the leaf certificate against the sub-CA certificate. Is there > something I'm missing?
I figured out that if I use 'openssl verify -CAfile root.pem -untrusted subCA.pem cert.pem' then it works and returns OK. So it seems that even if I specify the sub-CA certificate as the -CAfile, it needs the full chain. Is there a way (via the API rather than the tool) to tell OpenSSL that the sub-CA certificate is trusted and it doesn't need to walk further up the chain? For my case, I embed the sub-CA certificate in my code and I'm space constrained so I'd prefer to not include the entire certificate chain. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org