On 10/25/2018 3:20 PM, Martin Galvan via curl-library wrote:

> When using the CURLINFO_CERTINFO, the documentation says that a struct
> curl_certinfo gets populated with the peer's certificate chain, and
> the certs are accessible through the 'certinfo' member, which is an
> array. I'm wondering whether this array is "ordered", in that
> certinfo[num_of_certs -1] would return the top cert in the chain (be
> it the root cert or the last intermediate). If not, what would be a
> good way to detect which cert is the top, other than sorting them by
> Subject/Issuer?
I haven't checked all the backends so it might be implementation specific, but I'll speak to OpenSSL. In openssl.c SSL_get_peer_cert_chain is used to get the certinfo and according to the OpenSSL doc it "returns the peer chain as sent by the peer" [1][2]. Since the RFC requires the peer's cert first and "each following certificate MUST directly certify the one preceding it" we can assume there's order. Therefore I think you'd be right about the ordering in *typical* cases but nothing is guaranteed.

[1]: https://github.com/curl/curl/blob/curl-7_61_1/lib/vtls/openssl.c#L2914
[2]: https://www.openssl.org/docs/man1.1.0/ssl/SSL_get_peer_cert_chain.html

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
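An added example, not code from this thread or from curl itself, of the Subject/Issuer approach Martin mentions: given certinfo-style "Label:value" string lists (the form libcurl's CURLINFO_CERTINFO entries take), it checks whether the array really is in the as-sent RFC order and, if not, locates the top cert as the one no other cert in the list certifies. The certificate names are constructed sample data.

```c
#include <stdio.h>
#include <string.h>

/* Just the two names this check needs from one certinfo entry. */
typedef struct { const char *subject; const char *issuer; } cert_names;

/* Pull "Subject:" and "Issuer:" out of one cert's NULL-terminated
 * list of "Label:value" strings (the certinfo entry layout). */
static cert_names parse_names(const char *const *entries) {
    cert_names n = {NULL, NULL};
    for (; *entries; entries++) {
        if (!strncmp(*entries, "Subject:", 8)) n.subject = *entries + 8;
        else if (!strncmp(*entries, "Issuer:", 7)) n.issuer = *entries + 7;
    }
    return n;
}

/* 1 if cert i+1 directly certifies cert i for every i, i.e. the order
 * the RFC requires of the peer; 0 if any link is missing or wrong. */
int chain_is_ordered(const char *const *const chain[], int num_of_certs) {
    for (int i = 0; i + 1 < num_of_certs; i++) {
        cert_names a = parse_names(chain[i]), b = parse_names(chain[i + 1]);
        if (!a.issuer || !b.subject || strcmp(a.issuer, b.subject)) return 0;
    }
    return 1;
}

/* Index of the top cert (root or last intermediate): the one whose
 * issuer matches no OTHER cert's subject. A self-signed root naming
 * itself does not count. Returns -1 if there is no unique top. */
int find_top_cert(const char *const *const chain[], int num_of_certs) {
    int top = -1;
    for (int i = 0; i < num_of_certs; i++) {
        cert_names ci = parse_names(chain[i]);
        int certified = 0;
        for (int j = 0; j < num_of_certs && !certified; j++) {
            cert_names cj = parse_names(chain[j]);
            if (j != i && ci.issuer && cj.subject && !strcmp(ci.issuer, cj.subject))
                certified = 1;
        }
        if (!certified) { if (top != -1) return -1; top = i; }
    }
    return top;
}

/* Constructed sample chain in certinfo string form (not real certs). */
static const char *const leaf[]  = {"Subject:CN=www.example.test", "Issuer:CN=Example Intermediate CA", NULL};
static const char *const inter[] = {"Subject:CN=Example Intermediate CA", "Issuer:CN=Example Root CA", NULL};
static const char *const root[]  = {"Subject:CN=Example Root CA", "Issuer:CN=Example Root CA", NULL};
const char *const *const ordered_chain[]  = {leaf, inter, root};  /* as the RFC requires */
const char *const *const shuffled_chain[] = {leaf, root, inter};  /* what "nothing is guaranteed" looks like */
```

Textual DN comparison is a convenience for inspection; for a trust decision, rely on the backend's verified result (e.g. SSL_get0_verified_chain on OpenSSL 1.1.0+) rather than the as-sent order.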
