On 16/06/2015 16:38, Fabrice wrote:
> Hello,
>
> I explain:
>
> I would like a function like this:
>
> int X509_verify(const char *certPem, void *who, char
> *(*whatYouWant)(void *who, int type, const X509_NAME *subject, const
> X509_NAME *issuer))
>
> where:
>
> <certPem> : is a certificate in PEM format to verify
> <who> : is an instance of a class
> whatYouWant : is a method of <who> that can find <type> (certificate
> X509_LU_X509, CRL X509_LU_CRL)
> with the <subject> and eventually the <issuer>
>
> this function would call back <who> on <whatYouWant> up to the root CA
> of <certPem>, do the appropriate verifications on intermediate
> certificates and CRLs, and return 0 on success, another value on error.
>
> Is there any solution to do so with the current version of the OpenSSL API,
> otherwise how can I do it?
>

Regardless of the question raised by Mr. Dukhovni, I believe the closest thing would be the following:

1. Create an empty X509_STORE object which will hold the answers returned by "whatYouWant".

2. In the X509_STORE object, set up the method callbacks that are normally used to search "/etc/ssl/certificates" based on subject hashes to instead end up in your own whatYouWant callback. This may go beyond documented interfaces, requiring you to study the OpenSSL source code.

3. Pass this X509_STORE object to the general X509 verification functions.

Of course, in many cases, it would be easier to just:

1. Create an empty X509_STORE object.

2. Load your own sources of certificates and CRLs into this store.

3. Pass this X509_STORE object to the general X509 verification functions.
One case handled by neither your callback argument list, nor by the second method, is the technique promoted by Microsoft, where the certificates are sometimes downloaded on the fly from URLs specified in the AIA extension in the certificate being validated, and the classic privacy-enhanced checking where missing/outdated CRLs are downloaded from URLs specified in other extensions (there are 2 possibilities) in the certificate being validated (the surveillance-happy method is to use OCSP).

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded