Plot Lost <plot.l...@gmail.com> writes:

[...]

> For this particular project I'm required to check each step
> individually, not the entire chain at once.

That's what verifying the chain does (see the implementation of
X509_verify_cert()).  You could add a callback using
X509_STORE_CTX_set_verify_cb().  That doesn't seem to have a separate
manpage but reading the manpage for SSL_CTX_set_verify() should explain
it.  (SSL_CTX_set_verify() just sets the callback in X509_STORE_CTX.)

> How can I get verify_cert to say that the server cert is ok according
> to the inter cert, regardless of any other cert that may be needed to
> complete the chain. (The code will then go on to check inter against
> root, or against another inter etc as needed assuming each step is
> completed ok)

Presuming using X509_verify_cert() and a callback really isn't suitable,
you can use X509_check_issued() to see if one certificate issued another
and check the signature by getting the public key (X509_get_pubkey())
and verifying using X509_verify().  Or something like that; really it
seems safer to me to use X509_verify_cert().

There are checks that have to be performed in context which
X509_verify_cert() does (path constraints, policy constraints, etc.),
and it seems easy to skip a few if you're not careful.  (See section 6
of RFC 5280.)
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
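Added example, not from the thread: the same per-link versus whole-path distinction in Go's crypto/x509 (chosen over the OpenSSL C API so it runs with the standard library alone; CheckSignatureFrom plays the role of X509_verify() and Verify the role of X509_verify_cert()). It builds a constructed root -> intermediate -> leaf chain where every single link carries a valid signature, yet the root has pathLenConstraint 0, so full path validation rejects what the step-by-step check accepts. The names template, issue, buildPKI, checkStep and checkChain are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// template builds a constructed cert template; CertSign in ku makes it a CA, pathLen -1 = no pathLenConstraint, 0 = no sub-CA allowed.
func template(cn string, serial int64, ku x509.KeyUsage, pathLen int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, KeyUsage: ku,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0, MaxPathLen: pathLen, MaxPathLenZero: pathLen == 0,
	}
}

// issue signs tmpl under parent with parentKey (self-signed with a fresh key when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// buildPKI: constructed root with pathLenConstraint 0, an intermediate CA under it, and a leaf; each link is correctly signed.
func buildPKI() (root, inter, leaf *x509.Certificate) {
	root, rootKey := issue(template("Test Root", 1, x509.KeyUsageCertSign, 0), nil, nil)
	inter, interKey := issue(template("Test Inter", 2, x509.KeyUsageCertSign, -1), root, rootKey)
	leaf, _ = issue(template("server.example", 3, x509.KeyUsageDigitalSignature, -1), inter, interKey)
	return root, inter, leaf
}

// checkStep is the per-link check asked about: child was signed by a CA issuer, and nothing more.
func checkStep(child, issuer *x509.Certificate) error { return child.CheckSignatureFrom(issuer) }

// checkChain is full path validation; it also enforces path-length, name and policy constraints that need the whole path.
func checkChain(leaf, inter, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}
```

Both checkStep calls return nil while checkChain returns a CertificateInvalidError with Reason TooManyIntermediates, which is exactly the kind of context-dependent check from RFC 5280 section 6 that a link-by-link loop silently skips.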