So if what you are saying is true, then I could call myself the same name as a trusted CA authority when making my root CA and the browser will think I am a trusted CA. Is that correct? It seems too simple to be true...

"Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:
On Wed, Mar 15, 2006, michael Dorrian wrote:

> First of all, thank you for your reply. I read one of your previous replies
> to the following post and this seems to be what I need.
> http://www.mail-archive.com/openssl-users@openssl.org/msg20673.html X509_AUX
> is a "trusted certificate" format: "With PEM_read_bio_X509_AUX if the
> certificate is trusted then the extra data will be included."
>
> This returns an X509_AUX structure and I think it's this auxiliary
> information that I need to decide whether the certificate is from a
> trusted authority or not. I don't know how to extract this information
> though. At the moment I get my X509 structure using
> SSL_get_peer_certificate(). I need to use this in order to get the server
> certificate. Then I extract the information held within this certificate
> using X509_NAME_print_ex() following your previous advice. How would I go
> about getting this extra information that I need?
>

No, that isn't what you need. That is something else entirely. It is analogous
to the browser trust settings which restrict the purposes a CA can be used
for. By definition the CA has to be trusted before those are set.

Back to your original query. A browser doesn't do anything magic to determine
if a certificate comes from a trusted CA. It contains a list of trusted root CAs
internally and checks against those. OpenSSL does the same thing, except it
doesn't come with a pre-loaded set of trusted CAs; you have to set them
yourself.

If you don't want to load them from a file you can use the SSL_CTX_get_store()
and X509_STORE_add_cert() as I indicated.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
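The following is an added demonstration written for this page; it is not code from the thread, from Steve, or from the OpenSSL project. It answers the question at the top of the thread directly: two self-signed root CAs are created with an identical subject name, only one of them is placed in the trust store (here the -CAfile argument of openssl verify, which plays the role of the X509_STORE Steve mentions), and a server certificate issued by the look-alike root fails verification because the chain is validated by checking the signature against the trusted root's public key, not by comparing names. It assumes the openssl command-line tool (1.1.0 or later) is installed; the CA and server names are constructed for the example.

```shell
#!/bin/sh
# Added demonstration, not code from the thread or from OpenSSL itself.
# Two self-signed roots share the same subject name; only one is trusted.
# A leaf signed by the impostor root fails, because the chain is verified by
# signature against the trusted root's public key, so a copied name buys nothing.
# Assumes the openssl command-line tool (1.1.0 or later).
set -e

# make_root_ca PREFIX CN : self-signed root CA written to PREFIX.pem / PREFIX.key
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}

# issue_server_cert CA_PREFIX OUT_PREFIX : leaf certificate signed by that CA
issue_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
    -subj "/CN=server.example.test" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -out "$2.pem" >/dev/null 2>&1
}

# verify_chain TRUST_PREFIX LEAF_PREFIX : prints OK or FAIL.
# Looking for ": OK" in the output rather than trusting the exit status keeps
# this correct on old openssl releases whose verify subcommand always exits 0.
verify_chain() {
  if openssl verify -CAfile "$1.pem" "$2.pem" 2>/dev/null | grep -q ': OK$'; then
    echo OK
  else
    echo FAIL
  fi
}

# setup_demo DIR : a genuine root, an impostor root with the same name
# (but a freshly generated key pair), and one server certificate from each
setup_demo() {
  make_root_ca "$1/genuine"  "Example Trusted Root CA"
  make_root_ca "$1/impostor" "Example Trusted Root CA"
  issue_server_cert "$1/genuine"  "$1/srv_genuine"
  issue_server_cert "$1/impostor" "$1/srv_impostor"
}

if command -v openssl >/dev/null 2>&1; then
  demo=$(mktemp -d)
  setup_demo "$demo"
  echo "trust genuine,  leaf from genuine:  $(verify_chain "$demo/genuine"  "$demo/srv_genuine")"
  echo "trust genuine,  leaf from impostor: $(verify_chain "$demo/genuine"  "$demo/srv_impostor")"
  echo "trust impostor, leaf from impostor: $(verify_chain "$demo/impostor" "$demo/srv_impostor")"
  rm -rf "$demo"
else
  echo "openssl command-line tool not found" >&2
fi
```

The first and third lines print OK and the second prints FAIL: which certificates verify depends entirely on which roots were loaded into the store, exactly as the reply above describes for browsers and for OpenSSL. Running openssl verify without the 2>/dev/null redirection shows the reason text OpenSSL reports for the impostor case (a signature or issuer lookup failure, depending on the version), which is the same error an application would see from the X509_STORE-based verification in a program.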

