Re: OpenSSL API which build the chain from a peer certificate
On November 7, 2008 06:08:19 am Aravinda babu wrote:
> Hi all,
> First of all thanks for all of your suggestions and information. I got a
> clear idea of how to do the required thing.
> I forgot to mention one thing.
> We are making one library for certificate management which will be used by
> different applications. In that library we have one API which will verify
> the certificate given as input parameter. So I don't have any SSL context or
> SSL STORE context with me. The application just passes one certificate in X509 *
> and I have to verify that certificate. I think you got my point. My library
> doesn't have any touch with SSL session etc.
> Now to verify that certificate I have to prepare a certificate chain from
> the application supplied certificate. Is it possible to do this?
Yes - it is - that is exactly what Pathfinder does - it just takes a
certificate from the SSL and/or X509_verify callback (also works with
Netscape Security Services). As I said in my previous email, you may want to
look at using that, given it is a rather difficult task, so instead of
re-inventing the wheel, you may want to re-use the code that we have in
Pathfinder. It is licensed under the LGPL with an OpenSSL permissive clause,
so even if you want to include the code in a proprietary application, that
shouldn't cause you any problems.
If you want to discuss this more, please contact me off-list.
President and Chief PKI Architect,
Carillon Information Security Inc.
OpenSSL Project http://www.openssl.org
User Support Mailing List firstname.lastname@example.org
Automated List Manager email@example.com