[openssl-users] Certificate & CRL verification chain by callback

Fabrice fj at qsp-systems.com
Tue Jun 16 15:51:34 UTC 2015


I understand that, when I want to verify a certificate, I need to load
the X509_STORE_CTX with all the certificates and CRLs needed by the chain
verification (like the command openssl verify -CApath -CAfile ...).

But, given a certificate to verify, I want to be called back to go up
the chain verification until the root CA. And at each step, certificate
and revocation list are

My job is to provide at each step what is needed, in PEM format, in an
allocated char *.

I tried to use X509_LOOKUP.get_by_subject() but I am only asked for
certificates in the chain, not for CRLs.

I found the Tomcat source sslutils.c that does the job on the peer, but I
didn't find such a function in the OpenSSL API outside the peer.

With such a callback verifier, you can download certificates and CRLs
from files, from directories, from LDAP, from HTTPS, as you want.

Do you understand?

Thanks for replying.



On 16.06.2015 17:29, Viktor Dukhovni wrote:
> On Tue, Jun 16, 2015 at 04:38:16PM +0200, Fabrice wrote:
>> I explain:
>> I would like a function like this:
>> int X509_verify(const char *certPem, void *who, char *(*whatYouWant)(void
>> *who, int type, const X509_NAME *subject, const X509_NAME *issuer))
>> where:
>> <certPem> : is a certificate in PEM format to verify
>> <who> : is an instance of a class
>> whatYouWant : is a method of <who> that can find <type> (certificate
>> X509_LU_X509, CRL X509_LU_CRL)
>> with the <subject> and possibly the <issuer>
>> this function would call back <who> on <whatYouWant> until the root CA of
>> <certPem> and do the appropriate verifications on intermediate
>> certificates and CRLs, and return 0 on success, other on error.
>> Is there any solution to do so with the current version of the OpenSSL API,
>> otherwise how can I do it?
> This is surely not really what you want, it is a means to an end,
> and you have not explained your *real* goal.  What actual problem
> are you trying to solve?
> What would such a feature enable you to do?  Are you verifying TLS
> peers (client or servers), signatures of CMS/SMIME messages, ...
> What additional checks are you looking to do beyond the standard
> certificate chain verification?
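
Added example, not from this thread and not OpenSSL's own code: the
built-in hashed-directory lookup (X509_LOOKUP_hash_dir, the one behind
`openssl verify -CApath`) is itself a get_by_subject lookup. It is asked
for issuer certificates as <subject-hash>.N while the chain is built, and
for CRLs as <issuer-hash>.rN afterwards during revocation checking, but
the CRL requests only happen once CRL checking is switched on
(-crl_check_all on the command line, X509_V_FLAG_CRL_CHECK |
X509_V_FLAG_CRL_CHECK_ALL on the X509_STORE). The script builds a
throwaway root -> intermediate -> leaf PKI with the openssl CLI, lays it
out as such a directory, verifies the leaf with nothing preloaded, then
revokes the leaf and verifies again. The names (Example-Root,
Example-Intermediate, leaf.example) and the ca.cnf are made up for the
demo; it assumes a POSIX shell and an openssl binary (1.1.0 or later).

```shell
#!/bin/sh
# Added example (not from the thread): exercise the hashed-directory lookup
# that `openssl verify -CApath` uses, with certificates and CRLs fetched on
# demand instead of preloaded. All names below are made up for the demo.
set -eu

WORK=$(mktemp -d)
CAPATH="$WORK/capath"
mkdir -p "$CAPATH"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config: `openssl ca` needs a database even just to emit a CRL, and
# `openssl req` needs a distinguished_name section even when -subj is given.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = local
[ local ]
database         = index.txt
crlnumber        = crlnumber
default_md       = sha256
default_crl_days = 30
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
EOF
touch index.txt
echo 01 > crlnumber

newkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# Root -> intermediate -> leaf, each with explicit extensions.
newkey root.key
openssl req -x509 -new -key root.key -subj /CN=Example-Root -days 365 \
  -config ca.cnf -extensions v3_ca -out root.crt 2>/dev/null
newkey int.key
openssl req -new -key int.key -subj /CN=Example-Intermediate \
  -config ca.cnf -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 365 -extfile ca.cnf -extensions v3_ca -out int.crt 2>/dev/null
newkey leaf.key
openssl req -new -key leaf.key -subj /CN=leaf.example \
  -config ca.cnf -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -days 365 -extfile ca.cnf -extensions v3_leaf -out leaf.crt 2>/dev/null

# Publish a CA's CRL into the hashed directory as <issuer-hash>.r0.
# With -crl_check_all every CA in the chain needs one, the root included.
gencrl() { # $1 = root | int
  openssl ca -config ca.cnf -gencrl -keyfile "$1.key" -cert "$1.crt" \
    -out "$1.crl" 2>/dev/null
  cp "$1.crl" "$CAPATH/$(openssl crl -noout -hash -in "$1.crl").r0"
}
# CA certificates go in as <subject-hash>.0, the layout c_rehash produces.
for ca in root int; do
  cp "$ca.crt" "$CAPATH/$(openssl x509 -noout -hash -in "$ca.crt").0"
  gencrl "$ca"
done

# Verify the leaf with nothing preloaded: the lookup is asked for the
# intermediate, then the root, then the two CRLs. Prints OK, REVOKED or
# FAIL: <openssl output>.
check_leaf() {
  out=$(openssl verify -crl_check_all -CApath "$CAPATH" leaf.crt 2>&1 || true)
  case "$out" in
    *": OK"*)                echo OK ;;
    *"certificate revoked"*) echo REVOKED ;;
    *)                       echo "FAIL: $out" ;;
  esac
}

# Revoke the leaf under the intermediate and republish that CA's CRL;
# nothing else changes, the next verify simply fetches the newer .r0.
revoke_leaf() {
  openssl ca -config ca.cnf -revoke leaf.crt -keyfile int.key -cert int.crt \
    2>/dev/null
  gencrl int
}

FIRST=$(check_leaf)
revoke_leaf
SECOND=$(check_leaf)
echo "before revocation: $FIRST, after: $SECOND"
```

A custom X509_LOOKUP_METHOD registered with X509_STORE_add_lookup gets
the same sequence of calls as the directory lookup above: its
get_by_subject is invoked with X509_LU_X509 for each missing issuer and
with X509_LU_CRL for each CA in the chain, but the CRL calls are only made
when X509_V_FLAG_CRL_CHECK (optionally with X509_V_FLAG_CRL_CHECK_ALL) is
set on the store or the X509_STORE_CTX; without that flag the revocation
step is skipped entirely and no CRL is ever requested.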
