Working inside X509_STORE_CTX using verification callbacks

Viktor Dukhovni openssl-users at
Wed Sep 25 19:48:09 UTC 2019

On Wed, Sep 25, 2019 at 07:05:59PM +0000, Michael Wojcik wrote:

> Simon may correct me on this, and it may not be useful anyway; but if
> memory serves, it's currently being used to set the issuer on one invocation
> of the callback, so that on subsequent invocations for the same certificate
> the callback will see the desired issuer.

The "verify callback" is called for each error during chain
construction that does not cause immediate failure, and then, once
the chain is built, for each layer in the chain starting with the
trust-anchor reporting success or any signature or expiration issues.
This final pass sets the current issuer for inspection.

I would not expect the "verify callback" to construct an alternate
chain, for that, with SSL one would need to instead use
SSL_CTX_set_cert_verify_callback(3), which side-steps the entirety
of the built-in chain construction and verification process.  With
that you do whatever you want, but if you then want to also run the
normal verify callbacks from your own chain construction code,
then perhaps you might need an accessor to set the (read-only
from the perspective of those callbacks) issuer_cert.


More information about the openssl-users mailing list