Hi all,

My question is mainly about X509 stores and certificate lookups.

I was developing an HTTP client on Windows 2000 using OpenSSL.
To use Windows certificate stores in my program, I used the Windows Crypto
API to enumerate through all root CAs and trusted CAs, converting them to
X509 format and adding them to an X509 store. Everything worked fine until the
beginning of this year.

Our certificate expired on the new year, so we renewed it. I supposed it should
be pointing to the right issuer automatically, but it's not. OpenSSL is
always complaining that "Class 3 Public Primary Certification Authority"
expired. There are 2 certificates with exactly the same DName in the Windows
cert store. One expired on Jan. 8th, 2004 and the other expires on Feb. 8th,
2028. I took a stack trace and found that X509_STORE_CTX_get1_issuer() was
always stopping at the first CA and reporting a match.

Moreover, when my cert verify callback function was called, the cert chain
had already been built and the current cert had already been checked. The only
thing I can do is to record the errors and answer "Yes" or "No" (I always
answer yes to continue with verification and collect error codes). So it
appears to me as if there is no way to override it with a lookup-and-verify
process.

However, Windows will not stick on the first CA; it will use the 2nd CA
automatically.

Can anybody tell me if it's right to have several CAs with the same name in
a cert store? Is there any solution to this problem?


Thanks a lot.

Lei
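Added illustration (not code from the post, and not OpenSSL's implementation): a constructed Python model of the lookup problem above, with a store holding an expired and a renewed CA under the same subject name. The names, dates other than the two expiry dates quoted in the post, and key ids are constructed; `first_match_issuer` models the behaviour the poster observed, `select_issuer` models the lookup-and-verify selection they were asking for.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed model: a trust store that holds two CA certificates with the
# same subject name (one that expired in Jan. 2004 and its renewed successor),
# as in the post. A lookup keyed on subject name alone that stops at the
# first match can hand back the expired CA even when a valid one is present.

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    key_id: str            # stands in for the public key (subject key id)
    authority_key_id: str  # key id of the issuer key that signed this cert

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

CA_NAME = "Class 3 Public Primary Certification Authority"
# Expiry dates are the ones quoted in the post; the rest is constructed.
# Both CAs carry the same key id, modelling a renewed (re-signed) root.
OLD_CA = Cert(CA_NAME, CA_NAME, utc(1996, 1, 1), utc(2004, 1, 8), "k1", "k1")
NEW_CA = Cert(CA_NAME, CA_NAME, utc(2001, 1, 1), utc(2028, 2, 8), "k1", "k1")
LEAF = Cert("www.example.com", CA_NAME, utc(2004, 1, 9), utc(2005, 1, 9), "k9", "k1")
STORE = [OLD_CA, NEW_CA]  # order in which the CAs were added to the store
NOW = utc(2004, 2, 1)     # constructed "current time" for a deterministic run

def first_match_issuer(store, leaf):
    """The behaviour the post describes: return the first subject-name match."""
    for ca in store:
        if ca.subject == leaf.issuer:
            return ca
    return None

def select_issuer(store, leaf, now):
    """Lookup-and-verify: consider every same-name CA, keep those whose key
    signed the leaf, and prefer one whose validity window covers `now`.
    Falls back to a signing CA outside its window so the caller can report
    'issuer expired' rather than 'no issuer found'."""
    signing = [ca for ca in store
               if ca.subject == leaf.issuer and ca.key_id == leaf.authority_key_id]
    for ca in signing:
        if ca.not_before <= now <= ca.not_after:
            return ca, "ok"
    if signing:
        return signing[0], "issuer expired"
    return None, "no issuer found"

if __name__ == "__main__":
    print("first match expires:", first_match_issuer(STORE, LEAF).not_after.date())
    ca, status = select_issuer(STORE, LEAF, NOW)
    print("selected expires:", ca.not_after.date(), status)
```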


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]