Hello,

I understand that, when I want to verify a certificate, I need to load the X509_STORE_CTX with all the certificates and CRLs needed by the chain verification (like the command openssl verify -CApath -CAfile ...). But, given a certificate to verify, I want to be called back to go up into the chain verification until the root CA, and at each step, certificate and revocation list are verified. My job is to provide at each step what is needed in PEM format into an allocated char *.

I tried to use X509_LOOKUP.get_by_subject() but I am only requested on certificates in the chain, not on CRLs.

I found the TOMCAT source sslutils.c that does the job on peer, but I didn't find such a function in the openssl API outside peer.

With such a callback verifier, you can download certificates and CRLs from files, from directories, from LDAP, from HTTPS, as you want.

Do you understand?

Thanks for reply.
Gratefully.
Fabrice JACQUET

On 16.06.2015 17:29, Viktor Dukhovni wrote:
> On Tue, Jun 16, 2015 at 04:38:16PM +0200, Fabrice wrote:
>
>> I explain :
>>
>> I would like a function like this :
>>
>> int X509_verify(const char *certPem, void *who, char *(*whatYouWant)(void
>> *who, int type, const X509_NAME *subject, const X509_NAME *issuer))
>>
>> where :
>>
>> <certPem> : is a certificate in PEM format to verify
>> <who> : is an instance of a class
>> whatYouWant : is a method of <who> that can find <type> (certificate
>> X509_LU_X509, CRL X509_LU_CRL)
>> with the <subject> and eventually the <issuer>
>>
>> this function would callback <who> on <whatYouWant> until the root CA of
>> <certPem> and do the appropriate verifications on intermediate
>> certificates and CRLs, and return 0 success, other error.
>>
>> Is there any solution to do so with the current version of openssl API
>> otherwise how can I do ?
> This is surely not really what you want, it is a means to an end,
> and you have not explained your *real* goal. What actual problem
> are you trying to solve.
>
> What would such a feature enable you to do? Are you verifying TLS
> peers (client or servers), signatures of CMS/SMIME messages, ...
> What additional checks are you looking to do beyond the standard
> certificate chain verification.
>
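The observation above that the store is queried for certificates but never for CRLs has a common cause that is worth checking before writing a custom lookup: the OpenSSL verifier only asks the store for a CRL (type X509_LU_CRL) when CRL checking is switched on, via X509_V_FLAG_CRL_CHECK on the X509_STORE or X509_STORE_CTX, which is what the command-line flag `-crl_check` sets. The script below is an added example, not code from this thread or from the OpenSSL project; it builds a constructed mini PKI (a root CA, one leaf certificate, and a CRL issued by the root that revokes that leaf) in a temporary directory and runs `openssl verify` three ways to show when the CRL is consulted. It assumes the `openssl` command-line tool is installed; all names, paths and serial numbers are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): constructed mini PKI exercised with the
# openssl CLI to show when the verifier asks the store for a CRL.
# Root CA -> leaf certificate, plus a CRL from the root revoking the leaf.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config: "openssl req" needs a distinguished_name section even with
# -subj; the [ ca ] section is what "openssl ca" needs for -revoke/-gencrl.
write_config() {
    cat > "$WORK/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ leaf_ext ]
basicConstraints = CA:FALSE
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $WORK/index.txt
certificate = $WORK/ca.pem
private_key = $WORK/ca.key
default_md = sha256
default_crl_days = 30
EOF
}

mk_pki() {
    # Idempotent: a certificate can only be revoked once per CA database.
    if [ -f "$WORK/crl.pem" ]; then return 0; fi
    write_config
    # Self-signed root CA (P-256 key, constructed name)
    openssl req -x509 -config "$WORK/openssl.cnf" -extensions ca_ext \
        -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/CN=Demo Root CA" -days 365 >/dev/null 2>&1
    # Leaf key + CSR, then sign the CSR with the root
    openssl req -new -config "$WORK/openssl.cnf" \
        -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
        -subj "/CN=leaf.example" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -set_serial 1000 -days 30 -extfile "$WORK/openssl.cnf" -extensions leaf_ext \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
    # Revoke the leaf in the (empty) CA database and issue the CRL
    : > "$WORK/index.txt"
    openssl ca -config "$WORK/openssl.cnf" -revoke "$WORK/leaf.pem" >/dev/null 2>&1
    openssl ca -config "$WORK/openssl.cnf" -gencrl -out "$WORK/crl.pem" >/dev/null 2>&1
}

# Chain check only: no CRL lookup happens, so the revoked leaf is accepted.
verify_without_crl_check() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# -crl_check (X509_V_FLAG_CRL_CHECK) makes the verifier request the issuer's
# CRL from the store; with the CRL loaded, the revoked leaf is rejected.
verify_with_crl() {
    openssl verify -crl_check -CAfile "$WORK/ca.pem" -CRLfile "$WORK/crl.pem" \
        "$WORK/leaf.pem" >/dev/null 2>&1
}

# -crl_check with no CRL available: the CRL lookup fails and verification
# fails closed ("unable to get certificate CRL") rather than skipping revocation.
verify_crl_check_no_crl() {
    openssl verify -crl_check -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

mk_pki
if verify_without_crl_check; then echo "no -crl_check: leaf accepted, CRL never consulted"; fi
if ! verify_with_crl; then echo "-crl_check + CRL: leaf rejected as revoked"; fi
if ! verify_crl_check_no_crl; then echo "-crl_check, no CRL: verification fails closed"; fi
```

The same three outcomes apply to a custom X509_LOOKUP_METHOD: without X509_V_FLAG_CRL_CHECK (or X509_V_FLAG_CRL_CHECK_ALL for every CA in the chain) the get_by_subject callback is only ever invoked with X509_LU_X509, and once the flag is set a lookup that cannot supply a CRL makes the verification fail rather than pass.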