I`m looking for a function within openssl to do the following:
an ASN.1 DER encoded sequence of certificates, defined as follows:
PkiPath ::= SEQUENCE OF Certificate
Within the sequence, the order of certificates is such that the subject of the first certificate is the issuer of the second certificate, and so on. Each certificate in PkiPath shall be unique. No certificate may appear more than once in a value of Certificate in PkiPath. The PkiPathformat is defined in defect report 279 against X.509 (2000) and is incorporated into Technical Corrigendum 1 (DTC 2) for the ITU-T Recommendation X.509 (2000). See the ITU website for details.
Is there already a function available? In fact I´d like to provide a STACK(X509)* as a parameter and get the pem or der encoded asn1 structure back.
On Jun 17, 2019, at 8:09 AM, Tobias Wolf <[hidden email]> wrote:
> there already a function available? In fact I´d like to provide a STACK(X509)* as a parameter and get the pem or der encoded asn1 structure back.
Assuming you've already assembled the list of certificates you want to encode, I think you can use the generic ASN.1 routines (see the docs in doc/man3/X509_dup.pod; I'm not sure why that's where they live) to define the encoded structure of the PkiPath; and use the ASN1_SEQUENCE_OF macro in that definition. See also the "asn1t.h" header.
I don't remember how to actually do this, but perhaps this will point you in a useful direction.
On Jun 17, 2019, at 11:35 PM, Tobias Wolf <[hidden email]> wrote:
> The specification said about sorting and providing the pki path in correct order.
Ah, I thought you were asking about producing the correct DER representation, not assembling the list of certs.
In that case, take a look at the documentation for X509_verify_cert() and X509_STORE_add_cert() (also see X509_STORE_CTX_init(), X509_VERIFY_PARAM_*(), X509_STORE_CTX_get*_chain()). This will discover and validate a trust chain from a specified certificate to any of a set of trust anchors, via a set of possible intermediate certificates. The resulting chain should be ordered properly (you may need to reverse the order). If you don't want to spend the extra time verifying signatures and constraints and so on, you might be able to turn that off by setting some options.
I think the X509_STORE_add_cert() manpage has the most comprehensible description of how these pieces fit together.