[openssl-users] Certificate & CRL verification chain by callback
Viktor Dukhovni
openssl-users at dukhovni.org
Tue Jun 16 15:29:43 UTC 2015
On Tue, Jun 16, 2015 at 04:38:16PM +0200, Fabrice wrote:
> I explain :
>
> I would like a function like this :
>
> int X509_verify(const char *certPem, void *who, char *(*whatYouWant)(void
> *who, int type, const X509_NAME *subject, const X509_NAME *issuer))
>
> where :
>
> <certPem> : is a certificate in PEM format to verify
> <who> : is an instance of a class
> whatYouWant : is a method of <who> that can find <type> (certificate
> X509_LU_X509, CRL X509_LU_CRL)
> with the <subject> and eventually the <issuer>
>
> this function would callback <who> on <whatYouWant> until the root CA of
> <certPem> and do the appropriate verifications on intermediate
> certificates and CRLs, and return 0 on success, other error.
>
> Is there any solution to do so with the current version of the OpenSSL API,
> otherwise how can I do it?
This is surely not really what you want, it is a means to an end,
and you have not explained your *real* goal. What actual problem
are you trying to solve?
What would such a feature enable you to do? Are you verifying TLS
peers (clients or servers), signatures of CMS/SMIME messages, ...?
What additional checks are you looking to do beyond the standard
certificate chain verification?
--
Viktor.