[openssl-users] Certificate & CRL verification chain by callback

Jakob Bohm jb-openssl at wisemo.com
Tue Jun 16 15:43:02 UTC 2015


On 16/06/2015 16:38, Fabrice wrote:
> Hello,
>
> I explain :
>
> I would like a function like this :
>
> int X509_verify(const char *certPem, void *who, char 
> *(*whatYouWant)(void *who, int type, const X509_NAME *subject, const 
> X509_NAME *issuer))
>
> where :
>
> <certPem> : is a certificate in PEM format to verify
> <who> : is an instance of a class
> whatYouWant : is a method of <who> that can find <type> (certificate 
> X509_LU_X509, CRL X509_LU_CRL)
> with the <subject> and eventually the <issuer>
>
> this function would call back <who> on <whatYouWant> until the root CA 
> of <certPem> and do the appropriate verifications on intermediate
> certificates and CRLs, and return 0 on success, anything else on error.
>
> Is there any solution to do so with the current version of openssl API 
> otherwise how can i do ?
>
Regardless of the question raised by Mr. Dukhovni, I
believe the closest thing would be the following:

1. Create an empty X509_STORE object which will hold
the answers returned by "whatYouWant".

2. In the X509_STORE object, set up the method callbacks
that are normally used to search "/etc/ssl/certificates"
based on subject hashes to instead end up in your own
whatYouWant callback.  This may go beyond documented
interfaces, requiring you to study the OpenSSL source
code.

3. Pass this X509_STORE object to the general X509
verification functions.

Of course, in many cases, it would be easier to just:

1. Create an empty X509_STORE object.

2. Load your own sources of certificates and CRLs
into this store.

3. Pass this X509_STORE object to the general X509
verification functions.

One case handled by neither your callback argument list
nor by the second method is the technique promoted by
Microsoft, where the certificates are sometimes downloaded
on the fly from URLs specified in the AIA extension of
the certificate being validated, and the classic
privacy-enhanced checking where missing/outdated CRLs are
downloaded from URLs specified in other extensions (there
are 2 possibilities) of the certificate being validated
(the surveillance-happy method is to use OCSP).

-- 

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
