On Thu, Aug 02, 2012, Ashok C wrote:

> Hi,
> 
> Is there a way in which I can determine the correct issuer certificate of
> an issued certificate (either intermediate CA or end entity) based on
> comparing the immediate pair alone?
> Eg:
> My hierarchy is like this:
> 
> Root
> Intermediate CA 1
> Intermediate CA 2
> End entity
> 
> Is it possible to determine that Intermediate CA 2 is the issuer of the End
> entity certificate without having to traverse the full hierarchy?
> 
> I do not want to depend upon issuer name / subject name comparisons alone (as
> this is not deterministic and conclusive).
> I do not want to depend upon the Authority Key Identifier / Subject Key
> Identifier keyId fields (as most CAs seem to not have this extension at
> all).
> 
> Basically I want some signature check method from OpenSSL that can take two
> certificates as input and tell me if one has issued the other:
> 
> int openSSL_signature_check(X509* issuer_certificate, X509* issued_certificate)
> {
>     int return_code = signature_check(issuer_certificate, issued_certificate);
>     if (0 == return_code)
>         return YES_ISSUER_IS_CORRECT;
>     else
>         return NO_ISSUER_IS_NOT_CORRECT;
> }
> 
> Is something like this already available in OpenSSL?
> 

You can use the function X509_verify to do this but you have to extract the
public key from the issuer using X509_get_pubkey.

> One more question:
> Given a certificate and trust store, openSSL's verify utility currently
> returns OK in case the verification was successful. Is there a way in which
> I can retrieve the formed and verified chain of certificates back?
> 

There isn't a command line option to do this but the API call
X509_STORE_CTX_get1_chain will retrieve the chain from an X509_STORE_CTX
structure.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org