[openssl-users] Certificat & CRL verification chain by callback

Viktor Dukhovni openssl-users at dukhovni.org
Tue Jun 16 20:02:09 UTC 2015


On Tue, Jun 16, 2015 at 05:51:34PM +0200, Fabrice wrote:

> I understand that, when I want to verify a certificate, I need to load the
> X509_STORE_CTX with all the certificates and CRLs needed by the chain verification
> (like the command openssl verify -CApath -CAfile ...)

What is the context for this?  Why are you verifying certificates
(really certificate chains I hope) at all?  What protocol are you
securing?

> But, given a certificate to verify, I want to be called back to go up into
> the chain verification until the root CA. And at each step, certificate
> and revocation list are verified.

This is not at all clear.  What extra verification are you looking
to do?

Are you perhaps looking for X509_STORE_CTX_set_verify_cb()? This
is the underlying libcrypto mechanism that supports SSL_CTX_set_verify().


> My job is to provide at each step what is needed in PEM format into an
> allocated char *

Forget the PEM format detail, all the various formats are
inter-convertible, that's not important.

> I tried to use X509_LOOKUP.get_by_subject() but I am only requested on
> certificates in the chain, not on CRL.

Are you trying to provide your own store of trusted issuer certificates
and CRLs and associated access methods for the OpenSSL verification
routines to use?

-- 
	Viktor.

