
curl-library

Re: Order of certificates in curl_certinfo

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 25 Oct 2018 15:58:50 -0400

On 10/25/2018 3:20 PM, Martin Galvan via curl-library wrote:
> When using the CURLINFO_CERTINFO, the documentation says that a struct
> curl_certinfo gets populated with the peer's certificate chain, and
> the certs are accessible through the 'certinfo' member, which is an
> array. I'm wondering whether this array is "ordered", in that
> certinfo[num_of_certs -1] would return the top cert in the chain (be
> it the root cert or the last intermediate). If not, what would be a
> good way to detect which cert is the top, other than sorting them by
> Subject/Issuer?

I haven't checked all the backends so it might be implementation
specific, but I'll speak to OpenSSL. In openssl.c
SSL_get_peer_cert_chain is used to get the certinfo and according to
OpenSSL doc it "returns the peer chain as sent by the peer" [1][2].
Since the RFC requires the peer's cert first and "each following
certificate MUST directly certify the one preceding it" we can assume
there's order. Therefore I think you'd be right about the ordering in
*typical* cases but nothing is guaranteed.

[1]: https://github.com/curl/curl/blob/curl-7_61_1/lib/vtls/openssl.c#L2914
[2]: https://www.openssl.org/docs/man1.1.0/ssl/SSL_get_peer_cert_chain.html
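Since, as the reply notes, the index order of `certinfo` is only what the peer happened to send, a consumer that needs the top of the chain should verify the Subject/Issuer links rather than assume `certinfo[num_of_certs - 1]`. The following is an added example written for this page, not code from the thread or from libcurl: it checks whether a chain is in the RFC's order (peer cert first, each following cert certifying the one before it) and locates the top cert from the name links alone, so it also works on an out-of-order array. The `curl_slist` and `curl_certinfo` structs are redeclared locally with the same layout libcurl uses so the example compiles without `curl.h`; the chain contents are constructed sample DNs, and comparing DNs as text is an assumption that holds for these samples but is only a heuristic for real certificates.

```c
/* Added example (not libcurl's code): verify CURLINFO_CERTINFO chain order and
 * find the top certificate by Subject/Issuer links instead of array position. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Local mirror of libcurl's struct layout so this compiles without curl.h
 * (assumption: libcurl's real definitions live in <curl/curl.h>). */
struct curl_slist { char *data; struct curl_slist *next; };
struct curl_certinfo { int num_of_certs; struct curl_slist **certinfo; };

/* Each cert's slist holds "Name:Value" strings; return the value for a name. */
static const char *certinfo_field(const struct curl_slist *cert, const char *name) {
    size_t n = strlen(name);
    for (; cert; cert = cert->next)
        if (strncmp(cert->data, name, n) == 0 && cert->data[n] == ':')
            return cert->data + n + 1;
    return NULL;
}

/* 1 if certinfo[i]'s Issuer equals certinfo[i+1]'s Subject for every i, i.e.
 * the array is in the order the TLS RFC mandates (peer cert first). 0 otherwise. */
int chain_is_ordered(const struct curl_certinfo *ci) {
    for (int i = 0; i + 1 < ci->num_of_certs; i++) {
        const char *issuer = certinfo_field(ci->certinfo[i], "Issuer");
        const char *next_subject = certinfo_field(ci->certinfo[i + 1], "Subject");
        if (!issuer || !next_subject || strcmp(issuer, next_subject) != 0)
            return 0;
    }
    return ci->num_of_certs > 0;
}

/* Index of the top cert (root or last intermediate): the one whose Issuer is
 * not the Subject of any *other* cert in the array. -1 if missing/ambiguous.
 * Text comparison of DNs is a simplification for constructed sample data. */
int find_top_cert(const struct curl_certinfo *ci) {
    int top = -1;
    for (int i = 0; i < ci->num_of_certs; i++) {
        const char *issuer = certinfo_field(ci->certinfo[i], "Issuer");
        if (!issuer) return -1;
        int issued_by_other = 0;
        for (int j = 0; j < ci->num_of_certs; j++) {
            const char *subject = j == i ? NULL : certinfo_field(ci->certinfo[j], "Subject");
            if (subject && strcmp(subject, issuer) == 0) { issued_by_other = 1; break; }
        }
        if (!issued_by_other) { if (top != -1) return -1; top = i; }
    }
    return top;
}

/* Constructed sample chain: leaf -> intermediate -> self-signed root. */
static struct curl_slist leaf_i = { (char *)"Issuer:CN=Example Intermediate CA", NULL };
static struct curl_slist leaf_s = { (char *)"Subject:CN=www.example.com", &leaf_i };
static struct curl_slist mid_i  = { (char *)"Issuer:CN=Example Root CA", NULL };
static struct curl_slist mid_s  = { (char *)"Subject:CN=Example Intermediate CA", &mid_i };
static struct curl_slist root_i = { (char *)"Issuer:CN=Example Root CA", NULL };
static struct curl_slist root_s = { (char *)"Subject:CN=Example Root CA", &root_i };

static struct curl_slist *ordered_chain[3]  = { &leaf_s, &mid_s, &root_s };
static struct curl_slist *shuffled_chain[3] = { &mid_s, &root_s, &leaf_s };
const struct curl_certinfo sample_ordered  = { 3, ordered_chain };
const struct curl_certinfo sample_shuffled = { 3, shuffled_chain };

int main(void) {
    printf("ordered:  rfc_order=%d top_index=%d\n",
           chain_is_ordered(&sample_ordered), find_top_cert(&sample_ordered));
    printf("shuffled: rfc_order=%d top_index=%d\n",
           chain_is_ordered(&sample_shuffled), find_top_cert(&sample_shuffled));
    return 0;
}
```

On the ordered sample the top cert is at the last index, as the question expected; on the shuffled sample `chain_is_ordered` reports 0 and `find_top_cert` still finds the root at index 1, which is the check a caller should run before trusting `certinfo[num_of_certs - 1]`.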

Received on 2018-10-25