> On Mon, 2010-05-10 at 14:43 -0400, Chris Bare wrote:
> > Is there a way to have X509_verify_cert retry its path building after it
> > gets an X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT?
> > My idea is to implement a verify callback that uses the AIA information to
> > download the issuer cert and add it to the stack of untrusted certs.
> > Is this possible, or would I have to let X509_verify_cert error out and call
> > it again?
>
> How about...
>
> int my_get_issuer_func(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
> {
>     int ret = X509_STORE_CTX_get1_issuer(issuer, ctx, x);
>
>     if (ret > 0)
>         return ret;
>
>     /* Do whatever you need to look up the issuer... */
>     return ret; /* still 0 (not found) or <0 (error) if the lookup found nothing */
> }
>
> ... and somewhere else in your SSL_CTX setup:
>
> X509_STORE *store = SSL_CTX_get_cert_store(vpninfo->https_ctx);
> store->get_issuer = my_get_issuer_func;
>
> --
> David Woodhouse                            Open Source Technology Centre
> david.woodho...@intel.com                              Intel Corporation
That's almost perfect, but doesn't putting it inside the X509_STORE like this
tell the rest of the code it's trusted? If I'm downloading it using AIA I can't
trust it and still need to chain up to a trusted root.

It's too bad the verify function takes a STORE for trusted certs and a stack
for other certs. If both were STOREs I could do exactly what you describe
above.

--
Chris Bare
ch...@bareflix.com
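Chris's fallback, letting X509_verify_cert fail and calling it again with a larger untrusted set, can be exercised end to end with the openssl CLI, where -CAfile is the trusted store and -untrusted is the stack of other certs. This is an added example, not code from the thread: it builds a throwaway root/intermediate/leaf chain, uses a local ./aia directory in place of the AIA download, and assumes an OpenSSL 1.1.0 or newer CLI with its default config installed.

```shell
#!/bin/sh
# Constructed demo chain: root (the only trusted cert) -> inter -> leaf. The intermediate is
# published only in ./aia, which stands in for the HTTP location an AIA extension would name.
set -u
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK" && mkdir aia || exit 1
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=root -keyout root.key -out root.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj /CN=inter -keyout inter.key -out inter.csr 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj /CN=leaf -keyout leaf.key -out leaf.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1 -extfile ca.ext -out aia/inter.pem 2>/dev/null
openssl x509 -req -in leaf.csr -CA aia/inter.pem -CAkey inter.key -CAcreateserial -days 1 -out leaf.pem 2>/dev/null

# fetch_issuer CERT: stand-in for the AIA download; prints the ./aia file whose subject is CERT's issuer.
fetch_issuer() {
    want=$(openssl x509 -in "$1" -noout -issuer) || return 1
    for c in aia/*.pem; do
        have=$(openssl x509 -in "$c" -noout -subject 2>/dev/null) || continue
        [ "${have#subject=}" = "${want#issuer=}" ] && { echo "$c"; return 0; }
    done
    return 1
}

# verify_with_retry LEAF: verify against the trusted root only (-CAfile). When the failure is a
# missing issuer, fetch it and add it to the UNTRUSTED set (-untrusted), never to -CAfile, so it
# still has to chain up to the trusted root, then retry. Echoes OK or the verifier's complaint.
verify_with_retry() {
    cur=$1; extra=""; fetched=0; : > untrusted.pem
    while :; do
        if out=$(openssl verify -CAfile root.pem -no-CApath $extra "$1" 2>&1); then echo OK; return 0; fi
        case $out in    # error 20 (..._LOCALLY) is what a missing intermediate produces in practice
            *"unable to get local issuer certificate"*|*"unable to get issuer certificate"*) ;;
            *) echo "$out"; return 1 ;;
        esac
        [ "$fetched" -lt 3 ] && issuer=$(fetch_issuer "$cur") || { echo "$out"; return 1; }
        cat "$issuer" >> untrusted.pem; extra="-untrusted untrusted.pem"; cur=$issuer; fetched=$((fetched + 1))
    done
}

echo "plain verify:   $(openssl verify -CAfile root.pem -no-CApath leaf.pem 2>&1 | tail -n 1)"
echo "with AIA retry: $(verify_with_retry leaf.pem)"
```

One check before keying the retry on X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT alone: when the partial chain is entirely untrusted, a missing intermediate is reported as X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (error 20), which is why the loop accepts both messages.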