
So I have a certificate chain stored in a STACK_OF(X509). This is what I did with it:

#include <iostream>
#include <openssl/ssl.h>
#include <openssl/x509_vfy.h>

// The chain the peer sent during the handshake (owned by the SSL object).
STACK_OF(X509) *chain = SSL_get_peer_cert_chain(ssl);

X509_STORE_CTX *newCert = X509_STORE_CTX_new();
if (newCert) {
    X509_STORE_CTX_set_chain(newCert, chain);
    std::cout << X509_verify_cert(newCert) << std::endl;
    std::cout << "ERROR : " << X509_STORE_CTX_get_error(newCert) << std::endl;
}

The issue is that X509_verify_cert(newCert) returns -1, meaning the initialization of the X509_STORE_CTX was not done properly. What am I missing?

Prasanth Madhavan

1 Answer

I guess this is related to Use of STACK_OF(X509).

You shouldn't copy only half of the source code at apps/verify.c. If you look deeper, you will find, among other lines,

    if(!X509_STORE_CTX_init(csc,ctx,x,uchain))

Olaf Dietsche
  • What does X509_STORE *store do? How to initialize that? And if I have a chain, should I really use the third parameter, an X509*? – Prasanth Madhavan Feb 13 '13 at 08:46
  • I need to initialize all the certificates in ssl/certs into an x509_store and then use it to verify certificates in the stack_of(x509)? – Prasanth Madhavan Feb 13 '13 at 09:01
  • @PrasanthMadhavan I'm not that familiar with openssl, but a quick look at the callers of `check` leads to `X509_STORE_new` and that leads to http://stackoverflow.com/q/6646841/1741542 and http://stackoverflow.com/q/2756553/1741542. I think this is not a trivial task. You need to search and experiment a bit with the verify.c source. – Olaf Dietsche Feb 13 '13 at 09:02