Hi,

Using OpenSSL-0.9.7b.

We are building an application where we want to have a flexible model for certificate trust. In essence, we want to be able to say:

  CA0 (self-signed)            is explicitly trusted
  CA1 (signed by CA0)          is explicitly trusted
  CA2 (signed by CA1)          is neutral
  Leaf cert 1 (signed by CA2)  is explicitly distrusted
  Leaf cert 2 (signed by CA2)  is neutral

Should we attempt to verify Leaf cert 1, this should fail immediately, since it is explicitly distrusted. Verification for Leaf cert 2 should proceed all the way up to CA1 before a verdict can be delivered. CA0 validity should not be verified at all. In other words, we would like to cut the verification short at CA1.

In a more realistic example, we would like to mark the leaf cert as explicitly trusted, and verification should not consider checking the root CA, regardless of its trust setting, revocation status etc.

Why would we want to do this? Consider for instance a case where we don't generally trust a particular CA, but we do trust a subset of its issued leaf certificates.

Anyway, leaf and CA certificates and our extra attributes are stored in a database, and we have a custom X509_LOOKUP method to look them up. During chain validation, these extra attributes are held in a cache available through the X509_STORE ex_data member, and we can look them up given the corresponding X509.

I've tried to override the check_issued method and to fake a positive response when reaching a certificate with an explicit (dis-)trust attribute, but this approach fails somehow in other parts of the chain verification and built-in trust verification.

My question boils down to this: what is the normal way to make a chain verification terminate at a certificate that is not self-signed (even though there might be such certificates present in an incoming S/MIME message that we are verifying)?

Thanks in advance for any pointers or help.
Mats Nilsson

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                          [EMAIL PROTECTED]
Automated List Manager                             [EMAIL PROTECTED]
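Added example, not from the post or from OpenSSL: a standalone Python model of the tri-state trust walk the post asks for, so the evaluation order (distrust fails at once, explicit trust stops the walk before the root, neutral continues to the issuer) can be checked on the poster's own chain. For reference, OpenSSL 1.0.2 and later expose the "stop at a trusted non-self-signed certificate" behaviour as the X509_V_FLAG_PARTIAL_CHAIN verify flag; the `Cert` and `TrustStore` classes below are constructed stand-ins for X509 objects and the ex_data attribute cache, and the subject names are taken from the post.

```python
"""Tri-state trust walk: explicitly trusted / explicitly distrusted / neutral."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Trust(Enum):
    TRUSTED = "trusted"        # walk may stop here with a positive verdict
    DISTRUSTED = "distrusted"  # walk fails immediately
    NEUTRAL = "neutral"        # no verdict; continue to the issuer


@dataclass
class Cert:
    """Constructed stand-in for an X509: only what the trust walk needs."""
    subject: str
    issuer: str  # equals subject for a self-signed root

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


class TrustStore:
    """Stand-in for the per-cert attribute cache kept in X509_STORE ex_data."""
    def __init__(self, certs: List[Cert], attrs: Dict[str, Trust]):
        self.by_subject = {c.subject: c for c in certs}
        self.attrs = attrs

    def trust_of(self, cert: Cert) -> Trust:
        return self.attrs.get(cert.subject, Trust.NEUTRAL)


def verify(leaf: Cert, store: TrustStore) -> Tuple[bool, str, List[str]]:
    """Return (ok, reason, subjects consulted) walking from leaf toward root."""
    consulted, cert = [], leaf
    while True:
        consulted.append(cert.subject)
        verdict = store.trust_of(cert)
        if verdict is Trust.DISTRUSTED:
            return False, f"{cert.subject} is explicitly distrusted", consulted
        if verdict is Trust.TRUSTED:  # nothing above this cert is examined
            return True, f"chain terminates at trusted {cert.subject}", consulted
        if cert.self_signed:  # reached a root without meeting a trust anchor
            return False, f"root {cert.subject} is not trusted", consulted
        if cert.issuer not in store.by_subject:
            return False, f"issuer {cert.issuer} not found", consulted
        cert = store.by_subject[cert.issuer]


# Constructed chain from the post: CA0 (root) -> CA1 -> CA2 -> Leaf1 / Leaf2
CERTS = [Cert("CA0", "CA0"), Cert("CA1", "CA0"), Cert("CA2", "CA1"),
         Cert("Leaf1", "CA2"), Cert("Leaf2", "CA2")]
POST_STORE = TrustStore(CERTS, {"CA0": Trust.TRUSTED, "CA1": Trust.TRUSTED,
                                "Leaf1": Trust.DISTRUSTED})
# The "subset of leaves" case: the CA is distrusted but one leaf is trusted.
SUBSET_STORE = TrustStore(CERTS, {"CA0": Trust.DISTRUSTED, "Leaf2": Trust.TRUSTED})
```

With POST_STORE, Leaf2 succeeds after consulting only Leaf2, CA2 and CA1, so CA0 is never examined; with SUBSET_STORE, Leaf2 succeeds at once while Leaf1 walks up to the distrusted CA0 and fails.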