You can also consider using the function
int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk), if a stack of certs is
available.
Rick
From: Marek Marcola <[EMAIL PROTECTED]>
Reply-To: openssl-users@openssl.org
To: openssl-users@openssl.org
Subject: Re: Validating Cert Chain
Date: Sat, 26 Aug 2006 01:22:19 +0200
Hello,
> Hi,
> How do I validate a certificate chain? Is there an EVP API for it?
> Thanks
If we are talking about verifying an X509 cert against CA certs, this
may be done, for example, like this:
-----------------------------
/* Fragment: place inside a function that provides an err: cleanup label.
 * Needs <stdio.h>, <openssl/pem.h> and <openssl/x509.h>. */
FILE *fp;
X509_STORE *CAcerts;
X509 *cert;
X509_STORE_CTX *ca_ctx;  /* opaque since OpenSSL 1.1.0, so allocated below */
const char *strerr;

/* load CA cert store */
if (!(CAcerts = X509_STORE_new())) {
    goto err;
}
if (X509_STORE_load_locations(CAcerts, "cacert.pem", NULL) != 1) {
    goto err;
}
if (X509_STORE_set_default_paths(CAcerts) != 1) {
    goto err;
}

/* load X509 certificate */
if (!(fp = fopen("cert.pem", "r"))) {
    goto err;
}
cert = PEM_read_X509(fp, NULL, NULL, NULL);
fclose(fp);
if (!cert) {
    goto err;
}

/* verify */
if (!(ca_ctx = X509_STORE_CTX_new())) {
    goto err;
}
if (X509_STORE_CTX_init(ca_ctx, CAcerts, cert, NULL) != 1) {
    goto err;
}
if (X509_verify_cert(ca_ctx) != 1) {
    strerr = X509_verify_cert_error_string(X509_STORE_CTX_get_error(ca_ctx));
    printf("Verification error: %s\n", strerr);
    goto err;
}

/* release the context, the store and the certificate */
X509_STORE_CTX_free(ca_ctx);
X509_STORE_free(CAcerts);
X509_free(cert);
Hope this helps.
Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]