Certificat & CRL verification chain by callback

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,

I understand that, when I want to verify a certificat, I need to load 
the X509_STORE_CTX
with all the certificats and CRLs needed by the chain verification (like 
the command
openssl verify -CApath -CAfile ...)

But, given a certificat to verify, I want to be called back to go up 
into the chain verification
until the root CA. And at eatch step, certificat and revocation list are 
verified.

My job is to provide at eatch step what is needed in PEM format into an 
allocated char *

I tried to use X509_LOOKUP.get_by_subject() but I am only requested on 
certificats in the chain,
not on CRL.

I found the TOMCAT source sslutils.c that do the job on peer, but I 
didn't find such function in
the openssl API outside peer.

With such callback verifier, you can download certificats and CRLs from 
files, from directories,
from LDAP, from HTTPS, as you want.

Do you understand ?

Thanks for reply.

Gratefully.

Fabrice JACQUET

Le 16.06.2015 17:29, Viktor Dukhovni a ?crit :
> On Tue, Jun 16, 2015 at 04:38:16PM +0200, Fabrice wrote:
>
>> I explain :
>>
>> I would like a function like this :
>>
>> int X509_verify(const char *certPem, void *who, char *(*whatYouWant)(void
>> *who, int type, const X509_NAME *subject, const X509_NAME *issuer))
>>
>> where :
>>
>> <certPem> : is a certificat in PEM format to verify
>> <who> : is an instance of a class
>> whatYouWant : is a method of <who> that can find <type> (certificat
>> X509_LU_X509, CRL X509_LU_CRL)
>> with the <subject> and eventually the <issuer>
>>
>> this function would callback <who> on <whatYouWant> until the root CA of
>> <certPem> and do the appropriates verifications on intermediate
>> certificats and CRLs, and return 0 succes, other error.
>>
>> Is there any solution to do so with the current version of openssl API
>> otherwise how can i do ?
> This is surely not really what you want, it is a means to an end,
> and you have not explained your *real* goal.  What actual problem
> are you trying to solve.
>
> What would such a feature enable you to do?  Are you verifying TLS
> peers (client or servers), signatures of CMS/SMIME messages, ...
> What additional checks are you looking to do beyond the standard
> certificate chain verification.
>



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux