On Tue, Oct 25, 2005, David Brock wrote:

> Using X509_verify is there a way (programmatically) to tell if the
> certificate verification failed because of an unknown CA versus a
> corrupted certificate?

Depends on how the certificate is corrupted.

Some kinds of corruption will be trapped by the ASN1 parser and so this won't
even reach the verification routines.

Most other forms of corruption will cause the signature check to fail.

Some unlikely ones could corrupt the certificate subject name while still
remaining valid ASN1. Those would themselves produce an unknown CA error.

That aside, the verification failure reason is sufficient to tell the
difference.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
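
The three outcomes described in the reply, reproduced with the `openssl` command-line tool as an added example that is not part of the original message; `openssl verify` prints the numeric X509_V_ERR_* code that X509_STORE_CTX_get_error() returns after X509_verify_cert(). It assumes OpenSSL 1.1.1 or later on the PATH, and the file names, certificate subjects and verdict labels are constructed for this illustration.

```shell
#!/bin/sh
# Constructed fixtures: two throwaway CAs and one leaf certificate, all in a temp dir.
set -e
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT

new_ca() {  # new_ca NAME: writes a self-signed CA to $W/NAME.key and $W/NAME.pem
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$W/$1.key" -out "$W/$1.pem" 2>/dev/null
}
new_ca issuing-ca
new_ca unrelated-ca
openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
  -keyout "$W/leaf.key" -out "$W/leaf.csr" 2>/dev/null
openssl x509 -req -in "$W/leaf.csr" -CA "$W/issuing-ca.pem" \
  -CAkey "$W/issuing-ca.key" -set_serial 2 -days 1 \
  -outform DER -out "$W/leaf.der" 2>/dev/null

# Damage 1: flip one bit of the final byte, which lies inside the signature value.
n=$(wc -c < "$W/leaf.der")
last=$(tail -c 1 "$W/leaf.der" | od -An -tu1 | tr -d '[:space:]')
head -c $((n - 1)) "$W/leaf.der" > "$W/badsig.der"
printf '%b' "\\0$(printf '%03o' $((last ^ 1)))" >> "$W/badsig.der"
# Damage 2: truncate, so the outer SEQUENCE length exceeds the data present.
head -c 100 "$W/leaf.der" > "$W/truncated.der"

classify() {  # classify CA_PEM CERT_DER: prints one verdict word
  # Stage 1, ASN.1 decoding: a certificate that fails here never reaches verification.
  openssl x509 -inform DER -in "$2" -out "$W/c.pem" 2>/dev/null ||
    { echo asn1-parse-failure; return 0; }
  # Stage 2, chain building and signature checks against the given trust store.
  out=$(openssl verify -CAfile "$1" "$W/c.pem" 2>&1) && { echo ok; return 0; }
  code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9]*\) at .*/\1/p' | head -n 1)
  case "$code" in
    7)       echo signature-failure ;;      # X509_V_ERR_CERT_SIGNATURE_FAILURE
    2|20|21) echo unknown-issuer ;;         # issuer not found in the trust store
    18|19)   echo untrusted-self-signed ;;  # self-signed certificate not in the store
    *)       echo "other:$code" ;;
  esac
}

for f in leaf badsig truncated; do
  printf '%-9s against issuing CA:   %s\n' "$f" "$(classify "$W/issuing-ca.pem" "$W/$f.der")"
done
printf '%-9s against unrelated CA: %s\n' leaf "$(classify "$W/unrelated-ca.pem" "$W/leaf.der")"
```

Checking `badsig.der` against the unrelated CA reports `unknown-issuer` rather than `signature-failure`, because the chain is built before any signature is checked. A damaged certificate whose issuer is missing from the store therefore looks the same as an intact one from an unknown CA.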