Using X509_verify_cert with (possibly) OCSP?

Bruce Stephens bruce.r.stephens at
Wed Oct 23 14:07:59 UTC 2019

Suppose I want to verify a certificate, and I've collected some CRLs
and some OCSP responses. How can I do that?
If I just want to verify revocation for the end certificate (so
X509_V_FLAG_CRL_CHECK rather than X509_V_FLAG_CRL_CHECK_ALL) then
that's straightforward: I use X509_verify_cert without those settings
and then do the OCSP check for the end certificate.
But how can I check the whole chain, using some mixture of CRLs and OCSP?
It looks like I can use verify_cb and perform my own checks when the
error is X509_V_ERR_UNABLE_TO_GET_CRL.
I think really what I'd want is to have some more low-level callback
used in check_cert or check_revocation, but I don't see one.
In 1.0.2 I'm just changing check_revocation (since ) but in order to
keep the usual CRL checking that involved basically copying check_cert
and a bunch of related functions with small changes to one or two of
them (because they're mostly static so I can't just call them). In
OpenSSL-1.1 that doesn't look so attractive (and it's not terribly
pretty with 1.0.2) because the code accesses things in X509 and
X509_CRL that aren't accessible.
Am I missing something obvious? Does the TLS code do this in some way?
(It doesn't look like it does, but possibly I'm just missing it.)

More information about the openssl-users mailing list