Re: Working inside X509_STORE_CTX using verification callbacks

On Wed, Sep 25, 2019 at 07:05:59PM +0000, Michael Wojcik wrote:

> Simon may correct me on this, and it may not be useful anyway; but if
> memory serves, it's currently being used to set the issuer on one invocation
> of the callback, so that on subsequent invocations for the same certificate
> the callback will see the desired issuer.

The "verify callback" is called for each error during chain
construction that does not cause immediate failure, and then, once
the chain is built, for each layer in the chain starting with the
trust-anchor reporting success or any signature or expiration issues.
This final pass sets the current issuer for inspection.

I would not expect the "verify callback" to construct an alternate
chain; for that, with SSL, one would need to instead use
SSL_CTX_set_cert_verify_callback(3), which side-steps the entirety
of the built-in chain construction and verification process.  With
that you do whatever you want, but if you then want to also run the
normal verify callbacks from your own chain construction code,
then perhaps you might need an accessor to set the (read-only
from the perspective of those callbacks) issuer_cert.

-- 
	Viktor.
