> On Dec 11, 2017, at 5:06 PM, Dr. Pala <direc...@openca.org> wrote:
> 
> Hi all,
> 
> I am trying to verify a certificate and provide the possibility to directly 
> trust an intermediate CA's certificate (not self-signed). After setting up 
> the STORE and STORE_CTX and adding the intermediate CA to the trusted 
> certificates, when I use "X509_verify_cert(ctx)" I get the usual "unable 
> to get issuer certificate" - which would be fine for a "non-trusted" cert, 
> but I would expect that to not be an issue for a trusted certificate.
> 
> Therefore, my question is: what is the best method to get that behavior?
> 
> I tried to use the certificate callback to do that, but there is no function 
> to get the trusted certificates' stack (i.e., there is a 
> X509_STORE_CTX_get0_untrusted() but there is no equivalent for the trusted 
> certificates' stack) - so I could not verify if the current certificate (in 
> the verify callback call) is in the trusted stack or not...
> 
> Maybe there are flags / trust settings that can be used instead?

It seems we've neglected to document the X509_V_FLAG_PARTIAL_CHAIN
flag, which can be passed to X509_VERIFY_PARAM_set_flags() to
permit intermediate trust-anchors.

https://www.openssl.org/docs/man1.0.2/crypto/X509_VERIFY_PARAM_set_flags.html
https://www.openssl.org/docs/man1.1.0/crypto/X509_VERIFY_PARAM_set_flags.html


-- 
        Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
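The flag Viktor points to also has a command-line counterpart, `openssl verify -partial_chain`, which sets X509_V_FLAG_PARTIAL_CHAIN on the same verify parameters. The script below is an added example, not part of this thread: it builds a constructed root -> intermediate -> leaf chain with throwaway EC keys, then verifies the leaf while trusting only the intermediate, first without the flag (which fails with the "unable to get issuer certificate" error from the question) and then with it. It assumes an openssl(1) binary of 1.1.1 or later with its default configuration file installed.

```shell
#!/bin/sh
# Added demo, not from the thread: the openssl(1) equivalent of setting
# X509_V_FLAG_PARTIAL_CHAIN, i.e. "openssl verify -partial_chain".
# Builds a throwaway root -> intermediate -> leaf chain (constructed, EC keys),
# then verifies the leaf while trusting ONLY the intermediate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="ec -pkeyopt ec_paramgen_curve:prime256v1"

build_chain() {
  # Self-signed root; the default req configuration marks it CA:TRUE.
  openssl req -x509 -new -newkey $KEY -nodes -days 2 -subj "/CN=Constructed Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Intermediate: CSR signed by the root with explicit CA extensions, because
  # the chain checks still require a trust anchor to be a CA in partial mode.
  openssl req -new -newkey $KEY -nodes -subj "/CN=Constructed Intermediate" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >"$WORK/ca.ext"
  openssl x509 -req -days 2 -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  # End-entity leaf signed by the intermediate.
  openssl req -new -newkey $KEY -nodes -subj "/CN=leaf.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
}

# Verify the leaf with only int.pem as trusted material; extra verify flags are
# passed through. Returns 0 only when openssl prints "<leaf>: OK" (the exit code
# of "openssl verify" was unreliable before 1.1.0, so the output is checked).
verify_trusting_intermediate() {
  openssl verify "$@" -CAfile "$WORK/int.pem" "$WORK/leaf.pem" 2>/dev/null \
    | grep -q ': OK$'
}

build_chain
if verify_trusting_intermediate; then
  echo "default: accepted"          # not expected
else
  echo "default: rejected (unable to get issuer certificate, as in the question)"
fi
if verify_trusting_intermediate -partial_chain; then
  echo "-partial_chain: accepted, intermediate used as the trust anchor"
else
  echo "-partial_chain: rejected"   # not expected
fi
```

In a C program the same switch is `X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(ctx), X509_V_FLAG_PARTIAL_CHAIN)` before calling X509_verify_cert(), or the same call on the store's parameters via X509_STORE_get0_param().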
