Hi,

I need to encrypt CMS and, to do so, verify the certificate chain. All the certificates and CRLs are downloaded from an LDAP repository.

But I want to reuse the certificate chain verification, whatever the origin of the certificates and CRLs in the chain (database, files, LDAP, HTTP), because some other applications don't use an LDAP repository.

The locations of the X509 pieces are known by the caller. It provides them on the fly if possible.

I noticed the X509_STORE lookup_certs() and lookup_crls() methods, but I don't know if they could satisfy my need. I studied the sources crypto/x509/by_file.c and by_dir.c to learn how to do it, but I have not achieved my goal.

Thanks for your help.

Gratefully,
Fabrice JACQUET

On 16.06.2015 22:02, Viktor Dukhovni wrote:
> On Tue, Jun 16, 2015 at 05:51:34PM +0200, Fabrice wrote:
>
>> I understand that, when I want to verify a certificate, I need to load the
>> X509_STORE_CTX with all the certificates and CRLs needed by the chain verification
>> (like the command openssl verify -CApath -CAfile ...)
>
> What is the context for this? Why are you verifying certificates
> (really certificate chains I hope) at all? What protocol are you
> securing?
>
>> But, given a certificate to verify, I want to be called back to go up into
>> the chain verification until the root CA. And at each step, certificate
>> and revocation list are verified.
>
> This is not at all clear. What extra verification are you looking
> to do?
>
> Are you perhaps looking for X509_STORE_CTX_set_verify_cb()? This
> is the underlying libcrypto mechanism that supports SSL_CTX_set_verify().
>
>> My job is to provide at each step what is needed in PEM format into an
>> allocated char *
>
> Forget the PEM format detail, all the various formats are
> inter-convertible, that's not important.
>
>> I tried to use X509_LOOKUP.get_by_subject() but I am only requested on
>> certificates in the chain, not on CRL.
>
> Are you trying to provide your own store of trusted issuer certificates
> and CRLs and associated access methods for the OpenSSL verification
> routines to use?