Question 1:

Is there a simple way using exported (i.e. - available
to general use via the openssl library and having definitions
in openssl.h) OpenSSL functions to do the following:

   During the SSL connection process, if a user CERT has
   been presented, get the cert chain?

Here is the code that I am using to check the
USER certificate.  Note that I use SSL_get_peer_certificate(ssl)
to get the peer certificate.

Is there a function such as SSL_get_issuer_certificate(ssl,peer)?
 i.e. - issuer = SSL_get_issuer_certificate( ssl, peer );

If not,  then where can I find a code template or the internal
information to write one?

    /* now we check to see which server we talked to */
    /* (fragment of a larger function: ssl, info, errmsg, errlen, buffer,
        status and the 'done' label are declared by the enclosing code) */
    verify_result = SSL_get_verify_result(ssl);

    if( verify_result != X509_V_OK ){
        DEBUG1("Open_SSL_connection: SSL_get_verify_result '%s'",
        X509_verify_cert_error_string(verify_result) );
        /* LPRng's SNPRINTF(buf,len) macro opens the snprintf call;
           the format string and its arguments follow it */
        SNPRINTF(errmsg,errlen)
            "SSL_connect failed, peer certificate not verified: '%s'",
                X509_verify_cert_error_string(verify_result) );
        status = -1;
        goto done;
    } else {
        X509 *peer;
        /* NULL if the peer presented no certificate; in that case
           SSL_get_verify_result() still reports X509_V_OK */
        peer = SSL_get_peer_certificate(ssl);
        if( peer ){
            if( X509_NAME_oneline( X509_get_subject_name( peer ),
                buffer, sizeof(buffer) ) ){
                DEBUG1("Open_SSL_connection: subject '%s'", buffer );
                if( info ) Set_str_value(info,SERVER,buffer);
            }
            if( X509_NAME_oneline( X509_get_issuer_name( peer ),
                buffer, sizeof(buffer) ) ){
                if( info ) Set_str_value(info,ISSUER,buffer);
                DEBUG1("Open_SSL_connection: issuer '%s'", buffer );
            }
            /* the SSL_get_peer_certificate man page says the returned
               certificate's reference count is incremented, so the
               caller must release it with X509_free() */
            X509_free(peer); peer = 0;
        }
    }


Question 2:
   Now I just KNOW that I saw this,  and everybody is going to laugh at this,
   but:

   If I have found a CERT using, say, peer = SSL_get_peer_certificate(ssl)
   as in the example above,  and I have a list of CERTS in a file or
   directory (i.e. - as for the CA cert, etc), how can I check to see
   if the peer cert (in the example) is in this list or directory?

   I just KNOW that I saw this in some SSL or related code, but I cannot
   remember the exact details and searching has not found it again.


Patrick Powell                 Astart Technologies
[EMAIL PROTECTED]            6741 Convoy Court
Network and System             San Diego, CA 92111
  Consulting                   858-874-6543 FAX 858-279-8424 
LPRng - Print Spooler (http://www.lprng.com)
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]