[openssl-users] Certificat & CRL verification chain by callback

Viktor Dukhovni openssl-users at dukhovni.org
Tue Jun 16 15:29:43 UTC 2015


On Tue, Jun 16, 2015 at 04:38:16PM +0200, Fabrice wrote:

> I explain:
> 
> I would like a function like this:
> 
> int X509_verify(const char *certPem, void *who, char *(*whatYouWant)(void
> *who, int type, const X509_NAME *subject, const X509_NAME *issuer))
> 
> where:
> 
> <certPem> : is a certificate in PEM format to verify
> <who> : is an instance of a class
> whatYouWant : is a method of <who> that can find <type> (certificate
> X509_LU_X509, CRL X509_LU_CRL)
> with the <subject> and eventually the <issuer>
> 
> this function would call back <who> on <whatYouWant> until the root CA of
> <certPem> and do the appropriate verifications on intermediate
> certificates and CRLs, and return 0 on success, other values on error.
> 
> Is there any solution to do so with the current version of the openssl API,
> otherwise how can I do it?

This is surely not really what you want, it is a means to an end,
and you have not explained your *real* goal.  What actual problem
are you trying to solve?

What would such a feature enable you to do?  Are you verifying TLS
peers (clients or servers), signatures of CMS/SMIME messages, ...?
What additional checks are you looking to do beyond the standard
certificate chain verification?

-- 
	Viktor.
