> From: owner-openssl-us...@openssl.org On Behalf Of Nou Dadoun
> Sent: Friday, 21 September, 2012 15:29
>
> Just wanted to confirm an assumption, I've got 3 x509 certificates:
>
> Root --> intermediate --> leaf
>
> I load the intermediate certificate (but not the Root
> certificate) into the x509_store and set up the verify_ctx to
> verify the leaf certificate.
>
> I then use the "X509_verify_cert(verify_ctx)" function for
> verification but the associated callback reports that the
> verification fails (i.e. ok == 0) with an error of 2 ("unable
> to get issuer certificate").
>
> I assume that if I load the intermediate as a CA that I don't
> have to provide the Root to verify the leaf (i.e. I'm stating
> that I trust the intermediate as the CA). Is this correct?
> Does the Root also need to be loaded?
>
No and sort-of. OpenSSL's cert_verify logic always checks to the root,
even if an intermediate cert is in the truststore, unlike some other
implementations/applications. It's arguable if this is the best way,
but it has been this way since at least 0.9.7, and I wouldn't hold my
breath expecting a change soon.

The full chain including root needs to be *available from* the
X509_STORE. This can be accomplished by having them loaded, or by
having a method that finds them dynamically -- like the by_dir method
invoked by commandline for -CApath.

> This setup certainly works with 2 certs (i.e. Root --> Leaf)
> but I'm retrieving the certs using the windows crypto api so
> I want to make sure that my openssl verify assumption is
> correct before trying to run down the windows stuff.
>
> Anybody know offhand? Thanks .. N
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
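The trust-store configurations the reply above turns on, as an added shell example that is not part of the original thread (the CA names, file names and the "certs" directory are constructed for this demonstration). It builds a Root --> intermediate --> leaf chain with the openssl CLI and then runs `openssl verify`, the command-line front end for the same X509_verify_cert logic, four ways: (1) only the intermediate trusted, which fails with error 2 exactly as the original poster saw; (2) the root trusted and the intermediate passed as an untrusted chain certificate; (3) nothing preloaded, both CA certificates found dynamically by the by_dir lookup method behind -CApath; and (4) -partial_chain (X509_V_FLAG_PARTIAL_CHAIN), which OpenSSL 1.0.2 added after this thread was written and which is the one setting under which a trusted intermediate alone is enough. It assumes openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example: what X509_verify_cert needs to find in the X509_STORE.
# All names, files and the "certs" directory below are constructed for
# this demonstration; none of it is from the original thread.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# A private req/x509 config so the result does not depend on the system
# openssl.cnf: one extension section per role in the chain.
cat > ca.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_inter ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
EOF

# Root: self-signed CA certificate.
openssl req -x509 -config ca.cnf -extensions v3_root -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -subj "/CN=Example Root CA" -days 3650 2>/dev/null

# Intermediate: CA certificate issued by the root.
openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout inter.key \
    -out inter.csr -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1825 -extfile ca.cnf -extensions v3_inter -out inter.pem 2>/dev/null

# Leaf: end-entity certificate issued by the intermediate.
openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
    -out leaf.csr -subj "/CN=leaf.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 365 -extfile ca.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null

# A hashed directory of the kind the by_dir lookup (X509_LOOKUP_hash_dir)
# searches: each file is named <subject_hash>.<n>, which -CApath expects.
mkdir certs
for c in root.pem inter.pem; do
    cp "$c" "certs/$(openssl x509 -in "$c" -noout -subject_hash).0"
done

# verify_leaf <openssl verify options>: prints OK on success, otherwise the
# reason from OpenSSL's "error N at D depth lookup: <reason>" line.
verify_leaf() {
    out=$(openssl verify "$@" leaf.pem 2>&1) && { echo OK; return 0; }
    reason=$(printf '%s\n' "$out" \
        | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1)
    echo "${reason:-verification failed}"
}

# 1. Only the intermediate in the store: the chain never reaches a
#    self-signed root, so the verifier stops with error 2 at depth 1.
case_intermediate_only()   { verify_leaf -no-CApath -CAfile inter.pem; }

# 2. Root in the store; intermediate supplied as an untrusted chain cert.
case_root_plus_untrusted() { verify_leaf -no-CApath -CAfile root.pem -untrusted inter.pem; }

# 3. Nothing preloaded; both CA certs are found dynamically through by_dir.
case_capath_by_dir()       { verify_leaf -no-CAfile -CApath certs; }

# 4. X509_V_FLAG_PARTIAL_CHAIN (OpenSSL >= 1.0.2): the only way a trusted
#    intermediate by itself satisfies the verifier.
case_partial_chain()       { verify_leaf -no-CApath -CAfile inter.pem -partial_chain; }

printf 'intermediate only : %s\n' "$(case_intermediate_only)"
printf 'root + untrusted  : %s\n' "$(case_root_plus_untrusted)"
printf 'CApath (by_dir)   : %s\n' "$(case_capath_by_dir)"
printf 'partial_chain     : %s\n' "$(case_partial_chain)"
```

The -no-CAfile/-no-CApath flags keep the system bundle out of the store so each case shows exactly what was made available; the same four outcomes apply to library code that populates an X509_STORE with X509_STORE_add_cert, X509_LOOKUP_add_dir, X509_STORE_CTX_set0_untrusted (or the chain argument of X509_STORE_CTX_init) and X509_VERIFY_PARAM_set_flags respectively.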