On Wed, Mar 15, 2006, michael Dorrian wrote:

> First of all thank you for your reply. I read one of your previous replies
> to the following post and this seems to be what I need.
> http://www.mail-archive.com/openssl-users@openssl.org/msg20673.html
>
> X509_AUX is a "trusted certificate" format. "With PEM_read_bio_X509_AUX if the
> certificate is trusted then the extra data will be included."
>
> This returns an X509_AUX structure and I think it's this auxiliary
> information that I need to decide whether the certificate is from a
> trusted authority or not. I don't know how to extract this information
> though. At the moment I get my X509 structure using
> SSL_get_peer_certificate(). I need to use this in order to get the server
> certificate. Then I extract the information held within this certificate
> using X509_NAME_print_ex() following your previous advice. How would I go
> about getting this extra information that I need?
>
No, that isn't what you need. That is something else entirely. It is analogous to the browser trust settings which restrict the purposes a CA can be used for. By definition the CA has to be trusted before those are set.

Back to your original query. A browser doesn't do anything magic to determine if a certificate comes from a trusted CA. It contains a list of trusted root CAs internally and checks against those.

OpenSSL does the same thing, except it doesn't come with a pre-loaded set of trusted CAs; you have to set them yourself. If you don't want to load them from a file you can use SSL_CTX_get_store() and X509_STORE_add_cert() as I indicated.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]