On 8/2/2012 10:04 AM, Ashok C wrote:
> Hi,
> Is there a way in which I can determine the correct issuer certificate
> of an issued certificate (either intermediate CA or end entity) based
> on comparing the immediate pair alone?
> E.g.:
> My hierarchy is like this:
>   Root
>     Intermediate CA 1
>       Intermediate CA 2
>         End entity
> Is it possible to determine that Intermediate CA 2 is the issuer of the
> End entity certificate without having to traverse the full hierarchy?
> I do not want to depend upon issuer-name/subject-name comparisons
> alone (as this is not deterministic and conclusive).
> I do not want to depend upon Authority Key Identifier / Subject Key
> Identifier keyId fields (as most CAs seem not to have this extension
> at all).
Those two are the standard ways though (specifically, doing both if
Authority Key Identifier is present).
> Basically I want some signature check method from OpenSSL that can take two
> certificates as input and tell me if one has issued the other:
>
>   int openSSL_signature_check(X509* issuer_certificate, X509* issued_certificate)
>   {
>       int return_code = signature_check(issuer_certificate, issued_certificate);
>       if (0 == return_code)
>           return YES_ISSUER_IS_CORRECT;
>       else
>           return NO_ISSUER_IS_NOT_CORRECT;
>   }
In other words you are looking for a function to verify a certificate
given exactly one possible issuer.
> Is something like this already available in OpenSSL?
I guess it at least exists as an internal function called from the
verify code, so look at the source code for that and see if you find a
call to a function that does what you want.
Alternatively, you could set up a "certificate collection" object in
memory containing only the suspected issuer certificate and then pass
that as the trusted certificate collection to the certificate verify
function.
> One more question:
> Given a certificate and trust store, OpenSSL's verify utility
> currently returns OK in case the verification was successful. Is there
> a way in which I can retrieve the formed and verified chain of
> certificates back?
I sure hope so, as it is very useful on the client side to decide which
certificates to provide to the other end.
> --
> Ashok
--
Jakob Bohm, CIO, partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. direct: +45 31 13 16 10
This message is only for its intended recipient, delete if misaddressed.
WiseMo - Remote Service Management for PCs, Phones and Embedded
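Both questions above, worked through with the openssl command line as an added example (not code from the thread; it builds its own throwaway Root -> Intermediate -> End-entity hierarchy, and assumes OpenSSL 1.0.2 or later for -partial_chain and 1.1.0 or later for -show_chain):

```shell
#!/bin/sh
set -e
WORK=$(mktemp -d)
CFG="$WORK/ext.cnf"
# Minimal config: CA certificates get basicConstraints/keyUsage only.
# SKID/AKID are left out on purpose, so the issuer test below cannot rely on them.
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf]
basicConstraints = CA:FALSE
EOF
newcert_req() { openssl req -newkey rsa:2048 -nodes -config "$CFG" "$@" 2>/dev/null; }
ca_sign()     { openssl x509 -req -extfile "$CFG" -days 2 -CAcreateserial "$@" 2>/dev/null; }

# Root (self-signed) -> Intermediate CA 2 -> End entity, all constructed here.
newcert_req -x509 -extensions ca -days 2 -subj /CN=Root -keyout "$WORK/root.key" -out "$WORK/root.pem"
newcert_req -new -subj "/CN=Intermediate CA 2" -keyout "$WORK/int.key" -out "$WORK/int.csr"
ca_sign -extensions ca -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -out "$WORK/int.pem"
newcert_req -new -subj "/CN=End entity" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr"
ca_sign -extensions leaf -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -out "$WORK/leaf.pem"

# Question 1: did $1 directly issue $2? -partial_chain lets a non-self-signed certificate
# serve as the trust anchor, so only the immediate pair is examined, no full walk to a root.
# Internally this is X509_check_issued() (name/AKID match) followed by X509_verify()
# (signature check), plus validity-period and basicConstraints checks that a bare
# signature comparison would skip. Exit status 0 means "yes".
is_issuer() {
  openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}

# Question 2: the chain the verifier actually built, with $1 trusted, $2 the untrusted
# pool and $3 the target. In C the same list comes from X509_STORE_CTX_get1_chain()
# after a successful X509_verify_cert().
show_chain() {
  openssl verify -show_chain -CAfile "$1" -untrusted "$2" "$3"
}
chain_depth() {
  show_chain "$@" | grep -c '^depth='
}
```

Running is_issuer with the root against the end-entity certificate fails, while the intermediate against the end entity succeeds, which is exactly the pairwise answer asked for.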
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org