On Mon, Oct 09, 2023 at 03:31:45PM +0200, David von Oheimb via openssl-users wrote:

> What likely comes very close to what you asked for is the function
> X509_build_chain() added in https://github.com/openssl/openssl/pull/14128.
> You can call it, e.g., like this:
>
> chain = X509_build_chain(target_cert, candidate_certs, NULL /* truststore */, 1, NULL, NULL);
>
> See https://www.openssl.org/docs/manmaster/man3/X509_build_chain.html for
> its man page.

Long-standing prior practice is to add all the candidate certificates in a
"store" and/or as a list of candidate "untrusted" chain certificates, and
then attempt to "verify" the EE (leaf) certificate, as was done, for
example, in the SSL-library-internal function ssl_build_cert_chain():

    https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/ssl/ssl_cert.c#L756-L863

That function is quite general, and attends to various details (Suite-B,
security levels, ...) that most users don't need to bother with. A much
shorter version can be specialised from its core elements:

1. Initialise a verification context:
   https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/ssl/ssl_cert.c#L801-L804

2. Request chain verification:
   https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/ssl/ssl_cert.c#L809

3. Optionally clean up the error stack:
   https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/ssl/ssl_cert.c#L810-L812

4. Request the constructed chain:
   https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/ssl/ssl_cert.c#L816-L817

The new X509_build_chain() is convenient, but not essential. Constructing a
chain is also possible with earlier releases of OpenSSL.

If you choose to present the candidate chain certificates as a "store", you
can also mark some of them as "trusted" (if not implicitly "trusted" by
virtue of being self-signed), by decorating them with one or more trusted
"purpose" OIDs, and then build a chain "up to" one of the trusted
certificates, rather than a root CA.

To add a trust OID to a certificate, call X509_add1_trust_object(), for
which a manpage is sorely missing...

-- 
    Viktor.