On Mon, 2010-05-10 at 14:43 -0400, Chris Bare wrote:
> Is there a way to have X509_verify_cert retry its path building after it
> gets an X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT?
> My idea is to implement a verify callback that uses the AIA information to
> download the issuer cert and add it to the stack of untrusted certs.
> Is this possible, or would I have to let X509_verify_cert error out and call
> it again?

How about...

int my_get_issuer_func(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
{
        /* Try the X509_STORE first. ret > 0 means *issuer now holds
         * a reference ("get1") that the caller will X509_free(). */
        int ret = X509_STORE_CTX_get1_issuer(issuer, ctx, x);

        if (ret > 0)
                return ret;

        /* Do whatever you need to look up the issuer (e.g. fetch it
         * from the AIA URL); set *issuer and return 1 on success. */
        return 0;
}

... and somewhere else in your SSL_CTX setup:

        X509_STORE *store = SSL_CTX_get_cert_store(vpninfo->https_ctx);
        store->get_issuer = my_get_issuer_func;

-- 
David Woodhouse                            Open Source Technology Centre
david.woodho...@intel.com                              Intel Corporation

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org