Hi Victor,
On 12/11/17 4:18 PM, Viktor Dukhovni wrote:
[...]
Perhaps you ended up creating a parameter structure with a
depth limit that's too small. Just configuring partial
chains will never yield a chain that is longer than it
otherwise would be. In fact you generally get shorter
chains. So, no this is not a result of using the
new flag, but may be a result of how you're going about
setting the flag.
I actually do not set anything but the flag in the verify parameter,
that is (error checking removed for clarity):
param = X509_VERIFY_PARAM_new();
X509_STORE_CTX_set0_param(ctx, param);
X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_PARTIAL_CHAIN);
X509_STORE_CTX_set0_trusted_stack(ctx, trustedCerts); //
trustedCerts has only the SubCA
ret = X509_verify_cert(ctx);
fprintf(stderr, "[%s:%d] ctx->error = %d (%s)\n\n", __FILE__, __LINE__,
X509_STORE_CTX_get_error(ctx),
X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)));
With this setting, I get the error.. which is the strange part as you
said (the chain can not be longer :D). Maybe the code thinks that if you
have a SubCA then you should have an additional level.. and since you do
not have it, it sends the error... ???
... any suggestion on how to fix this ? Do you think it is actually a bug ? ...
or am I missing some other configs / setting I should have done for the verify
param ?
You should obtain a reference to the existing parameters
from the context, and modify these to add the new flag.
Well.. considering the code structure, the flags should be ok (since I
just set it and then use it right away...) ???
Thanks,
Max
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
