Hi,
I need to encrypt CMS and, to do so, verify the certificate chain.
All the certificates and CRLs are downloaded from an LDAP repository.
But I want to reuse the certificate chain verification whatever the origin
of the certificates and CRLs in the chain (database, files, LDAP, HTTP), because
some other applications don't use an LDAP repository.
The locations of the X509 pieces are known by the caller. It provides them on
the fly if possible.
I noticed the X509_STORE lookup_certs() and lookup_crls() methods but I don't
know if they could satisfy my need.
I studied the sources crypto/x509/by_file.c and by_dir.c to learn how I can
do it, but I did not achieve my goal.
Thanks for your help.
Gratefully,
Fabrice JACQUET
On 16.06.2015 22:02, Viktor Dukhovni wrote:
> On Tue, Jun 16, 2015 at 05:51:34PM +0200, Fabrice wrote:
>
>> I understand that, when I want to verify a certificate, I need to load the
>> X509_STORE_CTX with all the certificates and CRLs needed by the chain
>> verification (like the command openssl verify -CApath -CAfile ...)
>
> What is the context for this? Why are you verifying certificates
> (really certificate chains I hope) at all? What protocol are you
> securing?
>
>> But, given a certificate to verify, I want to be called back to go up into
>> the chain verification until the root CA. And at each step, certificate
>> and revocation list are verified.
>
> This is not at all clear. What extra verification are you looking
> to do?
>
> Are you perhaps looking for X509_STORE_CTX_set_verify_cb()? This
> is the underlying libcrypto mechanism that supports SSL_CTX_set_verify().
>
>> My job is to provide at each step what is needed in PEM format into an
>> allocated char *
>
> Forget the PEM format detail, all the various formats are
> inter-convertible, that's not important.
>
>> I tried to use X509_LOOKUP.get_by_subject() but I am only requested on
>> certificates in the chain, not on CRLs.
>
> Are you trying to provide your own store of trusted issuer certificates
> and CRLs and associated access methods for the OpenSSL verification
> routines to use?
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users