On Jun 17, 2019, at 11:35 PM, Tobias Wolf <wolf.tobias@xxxxxxx> wrote: > The specification said about sorting and providing the pki path in correct order. Ah, I thought you were asking about producing the correct DER representation, not assembling the list of certs. In that case, take a look at the documentation for X509_verify_cert() and X509_STORE_add_cert() (also see X509_STORE_CTX_init(), X509_VERIFY_PARAM_*(), X509_STORE_CTX_get*_chain()). This will discover and validate a trust chain from a specified certificate to any of a set of trust anchors, via a set of possible intermediate certificates. The resulting chain should be ordered properly (you may need to reverse the order). If you don't want to spend the extra time verifying signatures and constraints and so on, you might be able to turn that off by setting some options. I think the X509_STORE_add_cert() manpage has the most comprehensible description of how these pieces fit together.
