Suppose I want to verify a certificate, and I've collected some CRLs and some OCSP responses. How can I do that?

If I just want to verify revocation for the end certificate (so X509_V_FLAG_CRL_CHECK rather than X509_V_FLAG_CRL_CHECK_ALL) then that's straightforward: I use X509_verify_cert without those settings and then do the OCSP check for the end certificate.

But how can I check the whole chain, using some mixture of CRLs and OCSP?

It looks like I can use verify_cb and perform my own checks when the error is X509_V_ERR_UNABLE_TO_GET_CRL. I think really what I'd want is to have some more low-level callback used in check_cert or check_revocation, but I don't see one.

In 1.0.2 I'm just changing check_revocation (since ) but in order to keep the usual CRL checking that involved basically copying check_cert and a bunch of related functions with small changes to one or two of them (because they're mostly static so I can't just call them). In OpenSSL-1.1 that doesn't look so attractive (and it's not terribly pretty with 1.0.2) because the code accesses things in X509 and X509_CRL that aren't accessible.

Am I missing something obvious? Does the TLS code do this in some way? (It doesn't look like it does, but possibly I'm just missing it.)