I have code that takes a PEM and does the PEM_read_bio_X509 to load the certificate, then does

    void doStuff(SSL_CTX *actx, X509 *cert509)
    {
        /* add the loaded certificate to the context's trust store */
        X509_STORE *store = SSL_CTX_get_cert_store(actx);
        X509_STORE_add_cert(store, cert509);
    }

And everything is all hunky and dory if the subject and issuer match; the verify results from the SSL_CTX *ctx after establishing a connection are valid.

I hit a snag when a certificate's issuer/subject fields don't match (e.g. I have a root cert that is ID'd with:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                6e:4f:fa:b3:c5:e6:69:c4:d1:67:c9:92:ab:e8:58:c4
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
            Validity
                Not Before: Mar 25 00:00:00 2009 GMT
                Not After : Mar 24 23:59:59 2019 GMT
            Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)09, CN=VeriSign Class 3 Secure Server CA - G2
            Subject Public Key Info:

and the verify results are failing with error code 20 (unable to retrieve local copy...).

The sample verify apps have the concept of a trusted cert that can anchor the chain even if the Issuer/Subject aren't identical, and they load these with X509_STORE_CTX_trusted_stack(X509_STORE_CTX*, STACK*).

Is there a way to load trusted certs into the SSL_CTX* so the handshake and validation will not fail with the 20 error if I have the certificates ahead of time?

Dan Schmitt

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
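As an added example (not part of the post above, nor OpenSSL's own code), the following script reproduces the situation with a constructed root -> intermediate -> leaf chain using the openssl CLI: with only the non-self-signed intermediate in the trust store, plain verification cannot complete the chain, while -partial_chain (OpenSSL 1.0.2 and later) accepts that intermediate as the trust anchor. The library-level equivalent for the store returned by SSL_CTX_get_cert_store() is X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN), also 1.0.2 and later. The CA names, server.example and the scratch-directory layout are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a constructed
# root -> intermediate -> leaf chain and verifies the leaf with only the
# intermediate as trust anchor: strict verification cannot complete the
# chain, -partial_chain (OpenSSL 1.0.2+) accepts the non-self-signed anchor.
# Requires the openssl CLI; temporary files go in a scratch directory.
set -eu
WORK=$(mktemp -d)

# Build the chain in a subshell so the cd does not leak to the caller.
build_chain() (
    cd "$WORK"
    # Minimal req config so the script does not depend on the system openssl.cnf.
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=x\n' > req.cnf
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\n' > leaf.ext
    # Self-signed root CA (constructed name).
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes -subj '/CN=Example Root CA' \
        -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -sha256 -in root.csr -signkey root.key -days 2 -extfile ca.ext \
        -out root.pem 2>/dev/null
    # Intermediate CA issued by the root: Issuer != Subject, like the cert in the post.
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate CA' \
        -keyout int.key -out int.csr 2>/dev/null
    openssl x509 -req -sha256 -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 2 \
        -extfile ca.ext -out int.pem 2>/dev/null
    # End-entity certificate issued by the intermediate.
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes -subj '/CN=server.example' \
        -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -sha256 -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 2 \
        -extfile leaf.ext -out leaf.pem 2>/dev/null
)

# $1 = strict | partial. Succeeds only when openssl verify reports "leaf.pem: OK";
# the output text is checked because 1.0.x verify exits 0 even on failure.
verify_leaf() {
    flags=""
    if [ "$1" = partial ]; then flags="-partial_chain"; fi
    (cd "$WORK" && openssl verify $flags -CAfile int.pem leaf.pem 2>&1) | grep -q 'leaf.pem: OK'
}

build_chain
echo "== intermediate as the only trusted cert, strict chain building =="
(cd "$WORK" && openssl verify -CAfile int.pem leaf.pem 2>&1) || true
echo "== same trust store with -partial_chain =="
(cd "$WORK" && openssl verify -partial_chain -CAfile int.pem leaf.pem 2>&1) || true
```

The first verify stops with an "unable to get issuer certificate" error because the chain never reaches a self-signed cert; the second reports leaf.pem: OK.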