Certificat & CRL verification chain by callback

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Jun 16, 2015 at 05:51:34PM +0200, Fabrice wrote:

> I understand that, when I want to verify a certificate, I need to load the
> X509_STORE_CTX with all the certificats and CRLs needed by the chain verification
> (like the command openssl verify -CApath -CAfile ...)

What is the context for this?  Why are you verifying certificates
(really certificate chains I hope) at all?  What protocol are you
securing?

> But, given a certificate to verify, I want to be called back to go up into
> the chain verification until the root CA. And at each step, certificate
> and revocation list are verified.

This is not at all clear.  What extra verification are you looking
to do?

Are you perhaps looking for X509_STORE_CTX_set_verify_cb()? This
is the underlying libcrypto mechanism that supports SSL_CTX_set_verify().


> My job is to provide at each step what is needed in PEM format into an
> allocated char *

Forget the PEM format detail, all the various formats are
inter-convertible, that's not important.

> I tried to use X509_LOOKUP.get_by_subject() but I am only requested on
> certificats in the chain, not on CRL.

Are you trying to provide your own store of trusted issuer certificates
and CRLs and associated access methods for the OpenSSL verification
routines to use?

-- 
	Viktor.


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux