>From: owner-openssl-us...@openssl.org On Behalf Of miles.zh...@aliyun-inc.com
>Sent: Thursday, 20 December, 2012 22:10

>I want to load a certs chain from memory ( ie. From a std::string variable
>with the certs chain's content loading from the mysql db ).
>The content of certs chain is like a CAfile.

Not entirely. Both are a sequence of certs, but the certs in a chain should be related and those in a truststore mostly should not. Also an openssl CAfile or use_chain_file must be PEM, but other chain storage (like pkcs7) need not -- but if you're going to put it in a std::string, and maybe store as varchar or text in db, you probably do want PEM.

>Because loading from memory, can not call the "SSL_CTX_load_verify_locations" api.
>So I call "SSL_CTX_add_extra_chain_cert" instead of "SSL_CTX_load_verify_locations",
>but "SSL_CTX_add_extra_chain_cert" only load the first cert in the chain, not all of them.

You can call add_extra_chain_cert more than once. The problem is your code only *reads* the first cert in the sequence.

>And I can't get the number of certs in a chain. The content of chain
>is uploaded from webpage.
>Following is the demo code:
<snip>

What you need to do is parse each cert and call add_extra_chain_cert. If the data is a sequence of PEM-format certs, just create a memBIO with the whole thing and then loop PEM_read_bio'ing from there until it returns failure. If you want to know how many certs there are, keep a counter of the number of times the loop executes.

Google "openssl certificate chain memory buffer"; the first hit is false (it's about *one* cert in memory, but has "related" links about chains), but 2, 4 and 5 are all a similar question from Aravind GJ, and answer by me with (minimal) code, last year on this list. (It should also be possible to search the list archives directly, but I never bother.)