> On May 3, 2017, at 5:58 AM, john gloster <[email protected]> wrote:
>
> Hi,
>
> I needed to validate different extensions of each of the Issuer certificate
> in the chain.
>
> Snippet from https://linux.die.net/man/3/ssl_set_verify:
>
> "The certificate chain is checked starting with the deepest nesting level
> (the root CA certificate) and worked upward to the peer's certificate. At
> each level signatures and issuer attributes are checked. "
>
> When we say "issuer attributes", could someone let me know what different
> stuffs in the CA certificate are validated?

For the full verification process see:

    https://github.com/openssl/openssl/blob/f0ef20bf386b5c37ba5a4ce5c1de9a819bbeffb2/crypto/x509/x509_vfy.c#L208

which happens after checking that the peer's key meets the required
security level at:

    https://github.com/openssl/openssl/blob/f0ef20bf386b5c37ba5a4ce5c1de9a819bbeffb2/crypto/x509/x509_vfy.c#L286

The specific chain checks you may be thinking of are:

    https://github.com/openssl/openssl/blob/f0ef20bf386b5c37ba5a4ce5c1de9a819bbeffb2/crypto/x509/x509_vfy.c#L448

--
Viktor.
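
One issuer check seen from the command line, as an added example that is not part of the original thread: the script builds a constructed root, intermediate and leaf with the `openssl` CLI, then shows `openssl verify` accepting the chain when the intermediate carries basicConstraints CA:TRUE and rejecting it when it carries CA:FALSE. The subjects, file names and the `chain_check` helper are made up for the illustration, and an `openssl` binary on the PATH is assumed.

```shell
#!/bin/sh
# Added example. Every name, subject and file here is constructed.
# chain_check <basicConstraints value for the intermediate>
# Builds root -> intermediate -> leaf in a temp dir and prints what
# `openssl verify` reports for the leaf; returns verify's exit status
# (2 if the test certificates could not be generated).
chain_check() {
    bc="$1"; rc=0
    d=$(mktemp -d) || return 2
    cat > "$d/c.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[int_ext]
basicConstraints = critical,$bc
[leaf_ext]
basicConstraints = CA:FALSE
EOF
    (
        cd "$d" &&
        openssl req -x509 -config c.cnf -extensions root_ext -newkey rsa:2048 \
            -nodes -keyout root.key -out root.pem -subj "/CN=Example Root" -days 2 &&
        openssl req -new -config c.cnf -newkey rsa:2048 -nodes \
            -keyout int.key -out int.csr -subj "/CN=Example Intermediate" &&
        openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
            -extfile c.cnf -extensions int_ext -out int.pem -days 2 &&
        openssl req -new -config c.cnf -newkey rsa:2048 -nodes \
            -keyout leaf.key -out leaf.csr -subj "/CN=leaf.example" &&
        openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
            -extfile c.cnf -extensions leaf_ext -out leaf.pem -days 2
    ) >/dev/null 2>&1 || { rm -rf "$d"; return 2; }
    # The intermediate is supplied as untrusted; only the root is a trust anchor.
    out=$(openssl verify -CAfile "$d/root.pem" -untrusted "$d/int.pem" \
        "$d/leaf.pem" 2>&1) || rc=$?
    rm -rf "$d"
    printf '%s\n' "$out"
    return "$rc"
}

chain_check CA:TRUE  || true   # intermediate is a CA: leaf verifies
chain_check CA:FALSE || true   # intermediate is not a CA: chain is rejected
```

The signatures are valid in both runs; only the intermediate's extension differs, so the second failure comes from the issuer-attribute checks rather than from signature verification.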
