Thank you for your answer.

Here's how we implemented our trust center with our SslCertificate class
that wraps an X509 pointer:

// BEGIN CODE //////////////////////////////////////////////////
// Fetch the trust store owned by the SSL_CTX (it must not be freed here).
X509_STORE * x509Store = SSL_CTX_get_cert_store(m_sslContext);

// m_settings.m_caCertificates is a "std::list<SslCertificate>"
std::list<SslCertificate>::iterator it = m_settings.m_caCertificates.begin();

while (it != m_settings.m_caCertificates.end())
{
        if (!it->isNull())
        {
                // X509_STORE_add_cert() returns 1 on success, 0 on failure.
                X509 * x509 = it->getX509();
                X509_STORE_add_cert(x509Store, x509);
        }

        ++it;
}
// END CODE ////////////////////////////////////////////////////

The code works in our case but I don't know if it works in general
because I don't know how to handle CRLs. Do I need a CRL file for every
certificate or only for CA ones? Or does OpenSSL automatically get the
CRLs during the verification process? Is there a difference in verification
when using "X509_STORE_add_cert" or "SSL_CTX_load_verify_locations"?

I ask this because during coding, I found this function:
"X509_STORE_add_crl".

Konrad


Dr. Stephen Henson wrote:
> On Sun, Jul 06, 2008, Konrad Kleine wrote:
> 
>> Back to the point:
>>
>> 0)   How can we get the X509-certificate store that we trust?
>>      Is this correct?
>>      
>>      SSL_CTX * context = ...
>>      X509_STORE * store = context->cert_store;
>>
> 
> You should call X509_CTX_get_cert_store() and not access the structure 
> directly.
> 
>> 1)   How can we add a bunch of "X509*" to the X509-certificate-store
>>      that we trust?
>>
> 
> X509_STORE_add_cert().
> 
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
> 