Reconstructing X509_STORE_CTX from SSL object

Hi,
I was facing a problem when adding OCSP verification to an existing TLS cert verification mechanism.
We register a callback of the form
int ocsp_status_response_cb(SSL *, void *)
via SSL_CTX_set_tlsext_status_cb().

My intention is to call the certificate verification function callback as a normal function inside the OCSP callback (the reason why this is done is due to a separate issue with callback ordering).
The certificate verification function is set through
SSL_CTX_set_cert_verify_cb(), and the callback is of the form
int (*cert_verify_cb) (X509_STORE_CTX *, void *)

So to be able to call this inside the OCSP callback, I'd need to reconstruct the
X509_STORE_CTX argument. I'm not very familiar with OpenSSL internals, so forgive me if this is silly.
1) Is it conceptually right to do so?
2) Is it possible to construct an X509_STORE_CTX from the SSL?
3) I could extract the peer cert chain from the SSL through SSL_get_peer_cert_stack() and create an X509_STORE_CTX. But this wouldn't be identical to how it's created originally and might lack information. If it's correct to do so and possible, what's the right method to create it?

Do you see any alternative to the overall approach?
(For the original problem, please have a look at the thread named "Stapled OCSP Response".)

Any leads would be helpful.

Thanks
Akshath