On Fri, Jul 25, 2003, Wu Junwei wrote:

> Hi, all
>
> I have a question on certificate verifying.
> In X509_verify_cert(), after checking the purpose (my understanding is to
> check the extension of the V3 certificate),
> it checks the so-called trust:
>
> if (ctx->trust > 0) ok = check_trust(ctx);
>
> I do not understand what is this used for?
> Why only does the check_trust() when ctx->trust > 0 ?

It allows restrictions on how a CA is trusted. These can be edited with the
'x509' utility and there's some documentation associated with it in the verify
manual page.

ctx->trust and the associated functions are how this is implemented 'under the
hood'.

Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
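
As an added illustration (not part of the original thread and not OpenSSL's own code), the script below applies the restriction described in the reply with the `x509` utility's `-addtrust` option and then checks it with `verify -purpose`. The CA, the leaf and all file names are constructed for the demo, and it assumes OpenSSL 1.1.0 or later, where `-purpose` also selects the matching trust setting.

```shell
#!/bin/sh
# Added example. The CA, the leaf and every file name are constructed for this demo.
work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT

# Create a throwaway self-signed CA and a leaf certificate issued by it.
make_pki() {
  cat > "$work/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$work/req.cnf" \
    -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -config "$work/req.cnf" \
    -subj "/CN=leaf.example" -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$work/leaf.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
    -CAcreateserial -days 1 -out "$work/leaf.pem" 2>/dev/null
}

# Copy the CA into a "TRUSTED CERTIFICATE" file that is trusted for one use only.
# $1 = use name understood by x509 -addtrust (e.g. clientAuth), $2 = output file
trust_only_for() {
  openssl x509 -in "$work/ca.pem" -addtrust "$1" -trustout -out "$2"
}

# Verify the leaf for purpose $1 against anchor file $2; exit status 0 means accepted.
verify_as() {
  openssl verify -purpose "$1" -CAfile "$2" "$work/leaf.pem" >/dev/null 2>&1
}

make_pki || { echo "openssl setup failed" >&2; exit 1; }
trust_only_for clientAuth "$work/ca-client-only.pem"

# Same CA key and same leaf; only the trust settings on the anchor file differ.
for ca in ca.pem ca-client-only.pem; do
  for purpose in sslserver sslclient; do
    if verify_as "$purpose" "$work/$ca"; then result=accepted; else result=refused; fi
    printf '%-20s %-10s %s\n' "$ca" "$purpose" "$result"
  done
done
```

The plain `ca.pem` is accepted for both purposes, while `ca-client-only.pem` is refused for `sslserver` and accepted for `sslclient`, even though the signature chain is identical in every case.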