<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 16/06/2015 16:38, Fabrice wrote:<br>
</div>
<blockquote cite="mid:558034D8.3010709@qsp-systems.com" type="cite">Hello,
<br>
<br>
I explain:
<br>
<br>
I would like a function like this:
<br>
<br>
int X509_verify(const char *certPem, void *who, char
*(*whatYouWant)(void *who, int type, const X509_NAME *subject,
const X509_NAME *issuer))
<br>
<br>
where:
<br>
<br>
&lt;certPem&gt; : is a certificate in PEM format to verify
<br>
&lt;who&gt; : is an instance of a class
<br>
whatYouWant : is a method of &lt;who&gt; that can find
&lt;type&gt; (certificate X509_LU_X509, CRL X509_LU_CRL)
<br>
with the &lt;subject&gt; and eventually the &lt;issuer&gt;
<br>
<br>
this function would call back &lt;who&gt; on &lt;whatYouWant&gt;
until the root CA of &lt;certPem&gt; and do the appropriate
verifications on intermediate
<br>
certificates and CRLs, and return 0 on success, otherwise an error.
<br>
<br>
Is there any solution to do so with the current version of the openssl
API, otherwise how can I do it?
<br>
<br>
</blockquote>
<tt>Regardless of the question raised by Mr. Dukhovni, I <br>
believe the closest thing would be the following:</tt><tt><br>
</tt><tt><br>
</tt><tt>1. Create an empty X509_STORE object which will hold <br>
the answers returned by "whatYouWant".</tt><tt><br>
</tt><tt><br>
</tt><tt>2. In the X509_STORE object, set up the method callbacks <br>
that are normally used to search "/etc/ssl/certificates" <br>
based on subject hashes to instead end up in your own <br>
whatYouWant callback. This may go beyond documented <br>
interfaces, requiring you to study the OpenSSL source <br>
code.</tt><tt><br>
</tt><tt><br>
</tt><tt>3. Pass this X509_STORE object to the general X509 <br>
verification functions.</tt><tt><br>
</tt><tt><br>
</tt><tt>Of course, in many cases, it would be easier to just:</tt><tt><br>
</tt><tt><br>
</tt><tt>1. Create an empty X509_STORE object.</tt><tt><br>
</tt><tt><br>
</tt><tt>2. Load your own sources of certificates and CRLs <br>
into this store.</tt><tt><br>
</tt><tt><br>
</tt><tt>3. Pass this X509_STORE object to the general X509 <br>
verification functions.</tt><tt><br>
</tt><tt><br>
</tt><tt>One case handled by neither your callback argument list, <br>
nor by the second method is the technique promoted by <br>
Microsoft, where the certificates are sometimes downloaded <br>
on the fly from URLs specified in the AIA extension in <br>
the certificate being validated, and the classic privacy-<br>
enhanced checking where missing/outdated CRLs are <br>
downloaded from URLs specified in other extensions (there <br>
are 2 possibilities) in the certificate being validated <br>
(the surveillance-happy method is to use OCSP).</tt><tt><br>
</tt><br>
-- <br>
<pre class="moz-signature" cols="72">Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. <a class="moz-txt-link-freetext" href="http://www.wisemo.com">http://www.wisemo.com</a>
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded </pre>
</body>
</html>