I believe that I ran into a similar problem whereby I could not pin ('trust')
an intermediate certificate (which was not self-signed) for the purposes of
verifying a CMS/PKCS7 object.

I don't have a solution, and I believe that work is required.

Dr. Pala <director@xxxxxxxxxx> wrote:
    > I am trying to verify a certificate and provide the possibility to
    > directly trust an intermediate CA's certificate (not self-signed).
    >
    > After setting up the STORE and STORE_CTX and adding the intermediate CA to
    > the trusted certificates, when I use the "X509_verify_cert(ctx)" I get
    > the usual "unable to get issuer certificate" - which would be fine for
    > a "non-trusted" cert, but I would expect that to not be an issue for a
    > trusted certificate.
    >
    > Therefore, my question is what is the best method to have that behavior?
    >
    > I tried to use the certificate callback to do that, but there is no
    > function to get the trusted certificates' stack (i.e., there is a
    > X509_STORE_CTX_get0_untrusted() but there is no equivalent for the
    > trusted certificates' stack) - so I could not verify if the current
    > certificate (in the verify callback call) is in the trusted stack or
    > not...
    >
    > Maybe there are flags / trust settings that can be used instead?
    >
    > Cheers,
    > Max
    >
    > --
    > Best Regards,
    > Massimiliano Pala, Ph.D.
    > OpenCA Labs Director
    >
    > --
    > openssl-users mailing list
    > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr@xxxxxxxxxxxx  http://www.sandelman.ca/        |   ruby on rails    [
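The failure Max describes, and the flag that changes it, reproduced with the openssl command line. This is an added example, not code from either poster: it builds a throwaway root -> intermediate -> leaf chain (all names are made up) and then verifies the leaf three ways. The "-partial_chain" option of "openssl verify" is the command-line form of X509_V_FLAG_PARTIAL_CHAIN (OpenSSL 1.0.2 and later), which is the flag that lets a non-self-signed certificate in the X509_STORE act as the trust anchor; in C it is set with X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN) or X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(ctx), X509_V_FLAG_PARTIAL_CHAIN), so no verify callback is needed for this.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce "unable to get issuer
# certificate" when only a non-self-signed intermediate is trusted, and show
# that partial-chain verification is what makes that intermediate an anchor.
# Every certificate below is constructed on the fly; subjects are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extensions that make a certificate usable as a CA (root and intermediate).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/ca.ext"

# gen_csr <name> <subject>: fresh P-256 key plus CSR, nothing else.
gen_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
}

# Constructed chain: root (self-signed) -> intermediate -> leaf.
make_chain() {
  gen_csr root "/CN=Constructed Root"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -set_serial 1 -days 365 \
    -out "$WORK/root.pem" >/dev/null 2>&1

  gen_csr int "/CN=Constructed Intermediate"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -set_serial 2 -days 365 \
    -out "$WORK/int.pem" >/dev/null 2>&1

  gen_csr leaf "/CN=leaf.example"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -set_serial 3 -days 365 -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# verify_leaf <openssl verify options...>: prints "ok" or "fail".
verify_leaf() {
  if openssl verify "$@" "$WORK/leaf.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# verify_error <openssl verify options...>: the reason phrase OpenSSL prints,
# or nothing if the phrase from the thread does not appear.
verify_error() {
  openssl verify "$@" "$WORK/leaf.pem" 2>&1 \
    | grep -o 'unable to get issuer certificate' | head -n 1
}

# Case 1: only the non-self-signed intermediate is in the trust store.  The
# chain builder finds it, then looks for ITS issuer, finds nothing, and stops
# at depth 1 with X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT (error 2).
intermediate_trusted_default() { verify_leaf -CAfile "$WORK/int.pem"; }

# Case 2: same store, but X509_V_FLAG_PARTIAL_CHAIN (-partial_chain) lets a
# store certificate terminate the chain even though it is not self-signed.
intermediate_trusted_partial() { verify_leaf -partial_chain -CAfile "$WORK/int.pem"; }

# Case 3: the usual layout, intermediate supplied as untrusted and the
# self-signed root in the store; no special flag needed.
intermediate_untrusted_root_trusted() {
  verify_leaf -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem"
}

make_chain
echo "store=intermediate, default flags : $(intermediate_trusted_default) ($(verify_error -CAfile "$WORK/int.pem"))"  # fail (unable to get issuer certificate)
echo "store=intermediate, -partial_chain: $(intermediate_trusted_partial)"   # ok
echo "store=root, intermediate untrusted: $(intermediate_untrusted_root_trusted)"   # ok
```

Case 1 is exactly the situation in the question: adding the intermediate to the trusted set is not enough on its own, because without the partial-chain flag OpenSSL only treats a self-signed store certificate (or one carrying explicit trust settings) as an anchor and keeps looking for the intermediate's issuer. Setting X509_V_FLAG_PARTIAL_CHAIN on the store or on the X509_STORE_CTX's X509_VERIFY_PARAM before X509_verify_cert() is the library-side equivalent of case 2.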