Re: OpenSSL API which build the chain from a peer certificate
First of all, thanks for all of your suggestions and information. I got a
clear idea of how to do the required thing.

I forgot to mention one thing.
We are making one library for certificate management which will be used by
different applications. In that library we have one API which will verify the
certificate given as an input parameter. So I don't have any SSL context or SSL
STORE context with me. The application just passes one certificate in X509 * and
I have to verify that certificate. I think you got my point. My library
doesn't have any contact with an SSL session etc.

Now, to verify that certificate I have to prepare a certificate chain from
the application-supplied certificate. Is it possible to do this?

Thanks once again to all,
On Thu, Nov 6, 2008 at 8:21 PM, Patrick Patterson <email@example.com> wrote:
> Hi Aravind:
> On November 6, 2008 01:51:20 am Aravinda babu wrote:
> > Hi all,
> > Is there any OpenSSL API which will prepare the certificate chain from
> > peer certificate given as input? I have only peer certificate. I
> > have to build the cert chain from this ....
> This was already answered yesterday - the answer is: If you want to use
> OpenSSL, then it can be done in the _verify() callbacks. There are many
> examples out there that may give you an idea of how to do this.
> There are also other libraries and systems that already have this work done
> for you, and you just have to call that library's callback in the
> place in your code (usually in the set verify callback section).
> Please take a look at the messages from yesterday. Is there a single API
> that will do this? - no. And depending on what you mean by "prepare a
> certificate chain", you will have different requirements. If you want to do
> full Path Discovery and Validation (build the certification chain back to a
> pre-established trust anchor, using certificates that you may or may not
> already have, and verify and validate each link in that chain using the
> algorithms from PKIX) then something like the Pathfinder callback (I won't
> link to it again, please check the previous post) is what you want. If you
> only want to check the signatures and perform some cursory checks, then the
> existing OpenSSL APIs have this covered. If you want to know how to write
> that code, then I would suggest picking up the O'Reilly OpenSSL book, or
> looking at the code in the OpenSSL source tree - there are many examples in
> there already that may do what you want.
> Or, you could hire someone to do the integration for you. :)
> Have fun.
> Patrick Patterson
> President and Chief PKI Architect,
> Carillon Information Security Inc.
> OpenSSL Project http://www.openssl.org
> User Support Mailing List firstname.lastname@example.org
> Automated List Manager email@example.com