Hi,

You can have a look at following files from openssl source code.

1. ssl_cert.c (around line number 626)
2. x509_vfy.c (around line number 153)
3. v3_purp.c (around line number 700).

good luck!

On Mon, Jul 23, 2012 at 8:41 AM, Ashok C <ash....@gmail.com> wrote:

> Hi,
>
> I have a requirement to form a correct certificate chain (for a server
> application, to send to client).
> Currently I was forming the chain using the issuer-id and subject name
> combination alone.
> Eg: The algorithm followed was:
> Let End entity(server certificate) be called as 'E'. Root certificate as
> 'R' , and intermediate CA certificate be 'I'.
>
>
>    1. Look up E's issuer-id. Let it be 'C=IN'.  Chain at this step: "E"
>    2. Search trust store for CA certificate which has this 'C=IN' as
>    subject name and add it to chain. This is "I". Chain at this step: "E-I"
>    3. Look at issuer-id of I and search trust store which has it as
>    subject-name. In this case I will find 'R'. Since for 'R' issuer-id and
>    subject-name are same, this is considered to be root and hence not added to
>    chain.
>
> But, I find that this chain is not conclusive enough, as
> subject-name==issuer-id is not a complete criteria for a root certificate
> and also that "I" cannot be treated as issuer of "E" just because of the
> success of the issuer-id/subject-name checks.
> I read the openSSL verify man page and understood that checks related to
> authority key identifier and subject key identifier are required to decide
> upon the correct chain.
>
> So I presume that the logic should be modified to look something like this:
>
>
>    1. Look up E's issuer-id. Let it be 'C=IN'.  Chain at this step: "E"
>    2. Search trust store for CA certificate which has this 'C=IN' as
>    subject name. This is "I". Check if authority key identifier of "E" is the
>    same as the subject key identifier of "I". If this is true, add it to
>    chain. Chain at this step: "E-I"
>    3. Look at issuer-id of I and search trust store which has it as
>    subject-name. In this case I will find 'R'. Check if authority key
>    identifier of "I" is the same as the subject key identifier of "R". 'R' can
>    be concluded as the root only if subject-name==issuer-id and
>    authority-key-identifier==subject-key-identifier.
>
> Is this solution complete for a multi-level hierarchy? As of now, I do not
> have to deal with cross-certification, though I am very interested to know
> from you guys on the complications involved when that comes into the
> picture. I understand there is RFC 4158 explaining this path formation, but
> was wondering whether that needs to be read in detail only for the
> cross-certification related parts.
>
> Does openSSL have any sample implementation somewhere for this path
> formation (subject-key/authority-key checks) which I could use for reference?
> Thanks in advance.
>
> Regards,
> Ashok
>
>


-- 
Regards,
*Sukalp Bhople.*
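As an added illustration of the two algorithms discussed in the quoted message (this is example code written for this thread, not OpenSSL's own chain-building code), the following Python models a trust store in which the CA named `C=IN` has been re-keyed, so two CA certificates share that subject name. Name-only matching (the original step 2) cannot tell them apart; the revised step that also compares the end-entity's authority key identifier with each candidate's subject key identifier selects the right one. The `Cert` records, key-identifier strings and names are all constructed for the example; real certificates would be parsed from DER/PEM, and a real path builder must additionally verify each signature, validity period and basic-constraints/key-usage values (in OpenSSL, `X509_verify_cert` does all of that), which this model leaves out.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not real DER).

    skid/akid stand for the Subject/Authority Key Identifier extensions;
    akid is None when the certificate carries no AKID extension.
    """
    subject: str
    issuer: str
    skid: str
    akid: Optional[str]
    is_ca: bool = True


def is_self_signed(cert: Cert) -> bool:
    """Root test from the thread: subject == issuer AND AKID matches SKID
    (an absent AKID on a self-issued certificate is also accepted)."""
    return cert.subject == cert.issuer and cert.akid in (None, cert.skid)


def issuer_candidates_by_name(cert: Cert, store: List[Cert]) -> List[Cert]:
    """Original step 2: match on issuer name alone."""
    return [c for c in store if c.is_ca and c.subject == cert.issuer]


def issuer_candidates(cert: Cert, store: List[Cert]) -> List[Cert]:
    """Revised step 2: name match, then AKID == SKID when an AKID is present."""
    by_name = issuer_candidates_by_name(cert, store)
    if cert.akid is None:
        return by_name
    return [c for c in by_name if c.skid == cert.akid]


def build_path(end_entity: Cert, store: List[Cert], max_depth: int = 8) -> List[Cert]:
    """Walk from the end-entity certificate up to a self-signed root.

    Raises LookupError when no issuer or more than one issuer matches,
    when the walk loops, or when it exceeds max_depth.
    """
    path = [end_entity]
    seen = {end_entity.skid}
    current = end_entity
    while not is_self_signed(current):
        if len(path) > max_depth:
            raise LookupError("path longer than max_depth")
        cands = issuer_candidates(current, store)
        if not cands:
            raise LookupError(f"no issuer found for {current.subject!r}")
        if len(cands) > 1:
            raise LookupError(f"ambiguous issuer for {current.subject!r}")
        nxt = cands[0]
        if nxt.skid in seen:
            raise LookupError("issuer loop detected")
        seen.add(nxt.skid)
        path.append(nxt)
        current = nxt
    return path


def chain_to_send(end_entity: Cert, store: List[Cert]) -> List[Cert]:
    """What the server sends: the path minus the self-signed root."""
    return [c for c in build_path(end_entity, store) if not is_self_signed(c)]


# Constructed trust store (hypothetical names and key ids): the CA named C=IN
# has been re-keyed, so two certificates share that subject name but carry
# different subject key identifiers.
ROOT = Cert(subject="C=ROOT", issuer="C=ROOT", skid="kid-R", akid="kid-R")
I_OLD = Cert(subject="C=IN", issuer="C=ROOT", skid="kid-I-old", akid="kid-R")
I_NEW = Cert(subject="C=IN", issuer="C=ROOT", skid="kid-I-new", akid="kid-R")
E = Cert(subject="CN=server.example", issuer="C=IN", skid="kid-E",
         akid="kid-I-new", is_ca=False)
STORE = [ROOT, I_OLD, I_NEW]

if __name__ == "__main__":
    print("name-only candidates:", [c.skid for c in issuer_candidates_by_name(E, STORE)])
    print("AKID/SKID candidates:", [c.skid for c in issuer_candidates(E, STORE)])
    print("chain to send:", [c.subject for c in chain_to_send(E, STORE)])
```

The `seen` set and `max_depth` guard matter even without cross-certification: a trust store that contains a re-signed copy of a CA certificate can otherwise send a naive issuer walk around in circles. The ambiguity error is deliberate rather than "pick the first match", since with cross-certificates several valid issuers can exist and the builder would then have to try each candidate path (the RFC 4158 case the thread mentions).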
