[openssl-users] Certificate & CRL verification chain by callback

Fabrice fj at qsp-systems.com
Wed Jun 17 07:42:21 UTC 2015


Hi,

I need to encrypt CMS and, to do so, verify the certificate chain.

All the certificates and CRLs are downloaded from an LDAP repository.

But I want to reuse the certificate chain verification, whatever the origin
of the certificates and CRLs in the chain (database, files, LDAP, HTTP), because
some other applications don't use an LDAP repository.

The locations of the X509 pieces are known by the caller. It provides them on
the fly if possible.

I noticed the X509_STORE lookup_certs() and lookup_crls() methods, but I don't
know if they could satisfy my need.

I studied the sources crypto/x509/by_file.c and by_dir.c to learn how I can
do it, but I haven't achieved my goal.

Thanks for help.

Gratefully,

Fabrice JACQUET

On 16.06.2015 22:02, Viktor Dukhovni wrote:
> On Tue, Jun 16, 2015 at 05:51:34PM +0200, Fabrice wrote:
>
>> I understand that, when I want to verify a certificate, I need to load the
>> X509_STORE_CTX with all the certificates and CRLs needed by the chain verification
>> (like the command openssl verify -CApath -CAfile ...)
> What is the context for this?  Why are you verifying certificates
> (really certificate chains I hope) at all?  What protocol are you
> securing?
>
>> But, given a certificate to verify, I want to be called back to go up into
>> the chain verification until the root CA. And at each step, certificate
>> and revocation list are verified.
> This is not at all clear.  What extra verification are you looking
> to do?
>
> Are you perhaps looking for X509_STORE_CTX_set_verify_cb()? This
> is the underlying libcrypto mechanism that supports SSL_CTX_set_verify().
>
>
>> My job is to provide at each step what is needed in PEM format into an
>> allocated char *
> Forget the PEM format detail, all the various formats are
> inter-convertible, that's not important.
>
>> I tried to use X509_LOOKUP.get_by_subject() but I am only requested on
>> certificates in the chain, not on CRL.
> Are you trying to provide your own store of trusted issuer certificates
> and CRLs and associated access methods for the OpenSSL verification
> routines to use?
>
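The thread keeps coming back to the fact that chain verification and CRL checking only work if the verifier actually has the CA certificates and the CRLs in hand (the "openssl verify -CApath -CAfile ..." comparison above). The script below is an added example, not code from the thread or from OpenSSL itself: it builds a throwaway root CA, a leaf certificate and a CRL with the openssl command-line tool, then runs the same verification four ways so the difference between "CRL present", "CRL missing" and "CRL check never requested" is visible in the exit status. It assumes an `openssl` binary (1.0.2 or later) is on PATH; every subject name, path and config section in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: build a throwaway CA, a leaf certificate
# and a CRL with the openssl CLI, then show what `openssl verify` does with and
# without the CRL. All names, paths and subjects below are constructed.
set -eu

WORK="$(mktemp -d)"
CA_DIR="$WORK/ca"
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$CA_DIR"

# Database files that `openssl ca` expects (constructed minimal layout).
: > "$CA_DIR/index.txt"
echo 1000 > "$CA_DIR/serial"
echo 1000 > "$CA_DIR/crlnumber"

# Minimal config: a CA section for signing and CRL issuance, plus extension
# sections so the root carries CA:TRUE and the leaf carries CA:FALSE.
cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca       = demo_ca

[ demo_ca ]
dir              = $CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = v3_leaf

[ demo_policy ]
commonName       = supplied

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName       = Common Name

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ v3_leaf ]
basicConstraints = CA:FALSE
EOF
CNF="$CA_DIR/openssl.cnf"

# Self-signed root CA, then a leaf certificate issued by it through `openssl ca`
# so the CA database knows the leaf's serial number (needed for revocation).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config "$CNF" \
    -extensions v3_ca -subj "/CN=Demo Root CA" \
    -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config "$CNF" \
    -subj "/CN=leaf.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl ca -batch -config "$CNF" -notext \
    -in "$WORK/leaf.csr" -out "$WORK/leaf.pem" 2>/dev/null

# Each verifier returns only openssl's exit status (0 = chain accepted).
verify_with_crl()         { openssl verify -crl_check -CAfile "$CA_DIR/ca.pem" -CRLfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1; }
verify_no_crl_check()     { openssl verify -CAfile "$CA_DIR/ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1; }
verify_crl_check_no_crl() { openssl verify -crl_check -CAfile "$CA_DIR/ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1; }

# CRL issued before revocation, then revoke the leaf and issue a fresh CRL.
openssl ca -config "$CNF" -gencrl -out "$WORK/crl-before.pem" 2>/dev/null
openssl ca -config "$CNF" -revoke "$WORK/leaf.pem" 2>/dev/null
openssl ca -config "$CNF" -gencrl -out "$WORK/crl-after.pem" 2>/dev/null

report() { label="$1"; shift; if "$@"; then echo "$label: accepted"; else echo "$label: rejected"; fi; }
report "CRL before revocation, -crl_check"  verify_with_crl "$WORK/crl-before.pem"
report "CRL after revocation, -crl_check"   verify_with_crl "$WORK/crl-after.pem"
report "no -crl_check (revoked leaf passes)" verify_no_crl_check
report "-crl_check but no CRL supplied"     verify_crl_check_no_crl
```

The two failing cases are the ones worth keeping in mind for a custom store: with `-crl_check` but no CRL loaded, OpenSSL refuses the chain ("unable to get certificate CRL") rather than silently skipping revocation, and without `-crl_check` the revoked leaf is accepted because no CRL lookup is ever attempted. A lookup_crls()-style callback has to supply the CRL for every issuer in the chain, and the verify flags have to request the check, or the result is one of those two outcomes.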


