Hi. We have a database in which we store certificates for our collaborating peers. This allows us to quite efficiently retrieve peer certificates based on issuer and serial number, and we have implemented an X509_LOOKUP_METHOD to do this. The idea was that PKCS7_verify would drive this X509_STORE to look up the certificates it needed, for instance if the signing certificates were omitted in the PKCS7 file.
However, the 'store' parameter in the call to PKCS7_verify is not used to look up peer certificates, only to find certificates during chain verification. It seems that one should use the 'STACK_OF(X509) *other' parameter to pass in peer certificates. This is a solution that we're not entirely happy with, since it requires us to retrieve all of a peer's certificates when only one certificate is needed.

Does anyone see a problem with modifying PKCS7_verify to also query the 'store' for a proper client certificate before looking through the 'other' list?

Best Regards,
Mats Nilsson

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]