I have a certificate that needs validating. I have a single CA that provides trust. Both certs are existing X509 objects.
Using the sequence:
X509_STORE_CTX cert_ctx;
X509_STORE * trust = X509_STORE_new();
/* load CA into trust */
X509_STORE_CTX_init(&cert_ctx, trust, cert, intermediates);
X509_verify_cert(&cert_ctx);
If I load the certificate using this:
BIO * bio = BIO_new_mem_buf(pem_data, pem_len);
X509 * cert = PEM_read_bio_X509_AUX(bio, 0, 0, 0);
X509_STORE_add_cert(trust, cert);
then X509_verify_cert() fails. If I load the certificate using
X509_LOOKUP * lookup = X509_STORE_add_lookup(trust, X509_LOOKUP_file());
X509_LOOKUP_load_file(lookup, "..path..", X509_FILETYPE_PEM);
where 'path' points to a file with the exact same contents, then X509_verify_cert() succeeds.
Is there a way to add a cert to the trust store as an anchor without using the lookup functions? I'm using OpenSSL 1.0.1, if it matters.
For anybody who ever runs into this problem:
X509_STORE_add_cert() is perfectly fine for adding certificates as trusted into the store. It's also perfectly fine to use such a store as a trust anchor list for verifying certificates and certificate chains.
When things don't work, double- and triple-check that you provided proper roots. In my case, the actual certificate that was added to the store was not the root (but it was referenced correctly when it was loaded directly from a file using the X509_LOOKUP_load_file function).