On Tue, Jun 16, 2015 at 05:51:34PM +0200, Fabrice wrote:

> I understand that, when I want to verify a certificate, I need to load the
> X509_STORE_CTX with all the certificates and CRLs needed by the chain verification
> (like the command openssl verify -CApath -CAfile ...)

What is the context for this? Why are you verifying certificates
(really certificate chains I hope) at all? What protocol are you
securing?

> But, given a certificate to verify, I want to be called back to go up into
> the chain verification until the root CA. And at each step, certificate
> and revocation list are verified.

This is not at all clear. What extra verification are you looking
to do?

Are you perhaps looking for X509_STORE_CTX_set_verify_cb()? This
is the underlying libcrypto mechanism that supports SSL_CTX_set_verify().

> My job is to provide at each step what is needed in PEM format into an
> allocated char *

Forget the PEM format detail, all the various formats are
inter-convertible, that's not important.

> I tried to use X509_LOOKUP.get_by_subject() but I am only requested on
> certificates in the chain, not on CRL.

Are you trying to provide your own store of trusted issuer certificates
and CRLs and associated access methods for the OpenSSL verification
routines to use?

--
Viktor.