On Mon, Jun 02, 2003, Wu Junwei wrote:
> Hi, all
>
> I have a question about certificate verifying.
> I know OpenSSL provides X509_verify_cert() to do this.
> And I should use X509_STORE_CTX_init() to do the initialization work.
> But I now have only the certificate stack and no store exists.
>
> So can I use X509_STORE_CTX_init(&ctx, NULL, signer, bs->certs) to do the
> initialization work?
> Is there any problem if I use NULL to take the place of the store?
>
Yes, only one problem: it won't work :-)

The certificate STACK in that function supplies a set of untrusted certificates which will be used in path building, for example intermediate CAs. The X509_STORE contains a set of trusted CAs. For a verify to work at least one trusted CA must be in the path, so if you have no trusted CAs it won't verify. Actually it might crash if X509_STORE is NULL...

> And should I call this function in x509_vfy.c?
>
> /* Set alternative lookup method: just a STACK of trusted certificates.
>  * This avoids X509_STORE nastiness where it isn't needed.
>  */
> void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
> {
>     ctx->other_ctx = sk;
>     ctx->get_issuer = get_issuer_sk;
> }
>

Yes, that function is probably the best to use. Alternatively you can add the certificates one at a time to an X509_STORE using X509_STORE_add_cert().

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]