This is a follow-up to my "Trust *only* certs signed by an intermediate CA" thread. I'm ready to try my hand at writing a validation callback function, and this function will need to somehow distinguish between two different sets of CA certificates -- "validation-only" CAs that are used only to validate certificate chains and "authorized" CAs whose signees are actually allowed to connect.
Does OpenSSL offer any APIs that can help with this? I see a lot of references to STACK_OF(X509) and X509_STORE in the headers, but I haven't been able to find any real documentation on these types. Tasks that I need to perform include:

* Load a set of certificates from a file.
* Add a loaded set of certificates to an SSL_CTX.
* Efficiently determine if a certificate is a member of a set.

Thanks!

--
Ian Pilcher arequip...@gmail.com
Sometimes there's nothing left to do but crash and burn...or die trying.