Hi Albert,

On Mon, 31 Jul 2000, Albert Serra wrote:

> a) The functions with "verify" in them are there to tell the server or
> client where the public keys and the CA's public keys are for verifying
> the other's keys. Those keys and the symbolic links associated with them
> are pretty important.

The "directory-based" lookup method of OpenSSL uses symbolic links constructed as a hash of the subject name from a certificate or the issuer name from a CRL. Any reason to name this a callback?

> b) verify is a callback function
>
> For example:
>
> int verify(int ok,X509_STORE_CTX *ctx)
> {
>     printf ("Verify called\n");
>     return 1;
> }

This callback will always return "Happy with the certificate in question", no matter what. Good for debugging.

> c) int verify_callback(int ok, X509_STORE_CTX *ctx)
> {
>
>     char buf[256];
>     X509 *err_cert;
>     int err,depth;
>
>     err_cert=X509_STORE_CTX_get_current_cert(ctx);
>     err= X509_STORE_CTX_get_error(ctx);
>     depth= X509_STORE_CTX_get_error_depth(ctx);
>
>     return ok;
>
> }

This callback can be used to print notes on the certificate to be evaluated.

> According to answer a), what do I have to add in the verify function? I use b)
> and for me it works, but I don't know if it does what it has to do.

Do you need to reject some of the certificates presented? Expired, issued by another CA, or having something unexpected in the subject's name, for example.

Hope this helps,
Vadim

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
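Added example (not part of the original message, and not OpenSSL's own code): a callback along the lines of c) that logs why verification failed and can only tighten OpenSSL's verdict, in contrast to b), which accepts everything. `verify_policy`, `MAX_CHAIN_DEPTH`, `REQUIRED_ORG` and the `WITH_OPENSSL` build switch are assumptions made for this example.

```c
/* Added example, not from the thread. Build the callback with:
 *   cc -DWITH_OPENSSL example.c -lssl -lcrypto
 * Without -DWITH_OPENSSL only the policy function is compiled. */
#include <stdio.h>
#include <string.h>

#define MAX_CHAIN_DEPTH 3               /* assumed limit on chain length */
#define REQUIRED_ORG    "Example Corp"  /* assumed placeholder for the expected O= value */

/* Policy: may turn an accept into a reject, never a reject into an accept.
 * org is the leaf certificate's O= value, or NULL if absent or malformed. */
int verify_policy(int preverify_ok, int depth, const char *org)
{
    if (!preverify_ok)
        return 0;   /* keep OpenSSL's own verdict (expired, unknown CA, ...) */
    if (depth > MAX_CHAIN_DEPTH)
        return 0;   /* chain longer than we are willing to accept */
    if (depth == 0 && (org == NULL || strcmp(org, REQUIRED_ORG) != 0))
        return 0;   /* leaf subject is not the organisation we expect */
    return 1;
}

#ifdef WITH_OPENSSL
#include <openssl/ssl.h>
#include <openssl/x509_vfy.h>
int verify_callback(int ok, X509_STORE_CTX *ctx)
{
    char subj[256] = "(no certificate)", org[128];
    const char *orgp = NULL;
    X509 *cert = X509_STORE_CTX_get_current_cert(ctx);
    int err = X509_STORE_CTX_get_error(ctx);
    int depth = X509_STORE_CTX_get_error_depth(ctx);
    if (cert != NULL) {
        X509_NAME *name = X509_get_subject_name(cert);
        int n = X509_NAME_get_text_by_NID(name, NID_organizationName, org, sizeof org);
        X509_NAME_oneline(name, subj, sizeof subj);
        if (n >= 0 && (size_t)n == strlen(org))  /* refuse values with embedded NULs */
            orgp = org;
    }
    if (!ok)  /* report what OpenSSL found wrong, and with which certificate */
        fprintf(stderr, "verify error %d at depth %d: %s\n  subject: %s\n",
                err, depth, X509_verify_cert_error_string(err), subj);
    int verdict = verify_policy(ok, depth, orgp);
    if (ok && !verdict)  /* our own rejection: record it in the context */
        X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
    return verdict;
}
/* Install with: SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, verify_callback); */
#endif
```

The callback runs once per certificate in the chain, so the subject check applies only at depth 0 (the peer's own certificate), while the expiry and issuer checks Vadim mentions are already reflected in `ok`.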