C++/OpenSSL: Use root CA from buffer rather than file (SSL_CTX_load_verify_locations)

I am using OpenSSL to verify a server's certificate. Since OpenSSL is shipped without any built-in root CAs, we must distribute the root CA certificate ourselves with our software (we statically link OpenSSL). Ordinarily, the way to do this is to distribute a certificate file in PEM format and call SSL_CTX_load_verify_locations.

However, this function takes a file/directory path and reads the root certificate file(s) directly from the filesystem. We would really like to be able to hard-code the certificate into our binary instead of saving it to the filesystem.

In other words, we would really like to have a function like SSL_CTX_load_verify_locations that takes an X509* instead of a file-path.

Does something like this exist? Or is there an easy way to hack it together ourselves? We can't seem to find much information about this.

Thank you very much for any suggestions!

DSII asked Feb 19 '11 18:02


1 Answer

The function SSL_CTX_get_cert_store() can be used to get a handle to the certificate store used for verification (X509_STORE *), and the X509_STORE_add_cert() function (in openssl/x509_vfy.h) can then be used to add a certificate directly to that certificate store.

caf answered Oct 10 '22 19:10