Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Loading a stack of trusted CAs

1 view
Skip to first unread message

Austin Krauss

unread,
Feb 21, 2003, 11:33:04 AM2/21/03
to
This is a multi-part message in MIME format.

------=_NextPart_000_0023_01C2D99C.DB15F4D0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hello all, I've used the PKCS12_parse( ) function to obtain a stack of =
CA certificates from a PKCS12 buffer. Now I'd like to load these =
certificates as trusted CAs in my SSL_CTX object. My first attempt at =
this goes something like:

/* And add the CAs to our trusted stack */
cert_store =3D SSL_CTX_get_cert_store(ctx);
X509_STORE_CTX_trusted_stack(cert_store, ca);

However, I don't think this is correct and I don't think I fully =
understand the relationship between an X509_STORE and an X509_STORE_CTX. =
Any suggestions?

Thanks,

Austin
------=_NextPart_000_0023_01C2D99C.DB15F4D0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2800.1141" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>Hello all, I've used the PKCS12_parse( =
) function=20
to obtain a stack of CA certificates from a PKCS12 buffer. Now I'd like =
to load=20
these certificates as trusted CAs in my SSL_CTX object. My first attempt =
at this=20
goes something like:</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>&nbsp; /* And add the CAs to our =
trusted stack=20
*/<BR>&nbsp; cert_store =3D SSL_CTX_get_cert_store(ctx);<BR>&nbsp;=20
X509_STORE_CTX_trusted_stack(cert_store, ca);<BR></FONT></DIV>
<DIV><FONT face=3DArial size=3D2>However, I don't think this is correct =
and I don't=20
think I fully understand the relationship between an X509_STORE and an=20
X509_STORE_CTX. Any suggestions?</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Thanks,</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Austin</DIV></FONT></BODY></HTML>

------=_NextPart_000_0023_01C2D99C.DB15F4D0--

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Dr. Stephen Henson

unread,
Feb 21, 2003, 11:47:06 AM2/21/03
to
On Fri, Feb 21, 2003, Austin Krauss wrote:

> Hello all, I've used the PKCS12_parse( ) function to obtain a stack of CA certificates from a PKCS12 buffer. Now I'd like to load these certificates as trusted CAs in my SSL_CTX object. My first attempt at this goes something like:


>
> /* And add the CAs to our trusted stack */

> cert_store = SSL_CTX_get_cert_store(ctx);
> X509_STORE_CTX_trusted_stack(cert_store, ca);
>
> However, I don't think this is correct and I don't think I fully understand the relationship between an X509_STORE and an X509_STORE_CTX. Any suggestions?
>

No it isn't right. One is a X509_STORE the other X509_STORE_CTX which is
different. You don't have access to the X509_STORE_CTX used by the SSL library
in any case.

To add certs to the store call X509_STORE_add_cert() for every certificate in
the STACK.

Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: she...@drh-consultancy.demon.co.uk, PGP key: via homepage.

0 new messages