To reply to an earlier message too:-) I will only look at it tomorrow... 

Some ideas for doing the verification against a certificate in memory:
[1] You have hard coded a certificate into the program
[2] You are using your own custom database to store the certificates
[3] You have written a nice C++ wrapper to make it easier for yourself
to work with certificates and that allows you to do a lot of nifty
things like customized database storage that the current system does not
allow for...
[4] Doing those hashes under Microdaft Windows (tm) is no fun and wastes
a lot of space. I hate programs with hundreds/thousands of small files
that waste my disk space... It's a quirk of mine..

I can not use the callback in its current form... All my work is in C++
and I'm not going to use global pointers to keep track of the ssl object
I'm busy with. As of 0.9.5a there is no "void *data" structure that you
can declare for that callback. Maybe we should add one? 

Is there a process for changing an API in OpenSSL?

Robert Sandilands

Joel Yarde wrote:
> 
> One way of achieving this type of verification is by creating a verify
> callback which will access your 'in-memory' cert. This callback uses the
> results of the standard OpenSSL verification, but has the ability to
> override it. I use it in my own code, which I will post to the list laterz.
> 
> For now, here's the basics:
> 
> 1) create a verify callback as follows:
> 
>    int verifycert(int ok,X509_STORE_CTX *ctx_store);
> 
> The structure ctx_store holds the certificate to be verified
> (ctx_store->current_cert) along with the error returned by OpenSSL standard
> verification (ctx_store->error).
> 
> The integer 'ok' holds the results of the OpenSSL verification. The function
> returns an integer which will tell the calling function the results of the
> entire verification process (i.e. exactly what you want it to tell the
> calling function).
> 
> 2) In your initialization, link the verify callback to the context structure:
> 
>    SSL_CTX_set_verify(ctx, verifymode, *verifycert);
> 
> The 'verifymode' variable tells OpenSSL the level of verification that you
> want. 'verifycert' of course, is the callback function.
> 
> In a nutshell, you can do whatever you want in the callback and that will
> determine the final results of the verification process. This is an
> excellent way of storing encrypted certs on disk and loading them into
> memory before verification, or using smartcards for that matter.
> 
> Hope this helps you! If you want, I can post the verification code that I
> use as an example of what you can do.
> 
> Laterz
> 
> Joel Yarde
> Managing Director
> Electron Software
> [EMAIL PROTECTED]
> 
> >From: Brian Wotring <[EMAIL PROTECTED]>
> >Reply-To: [EMAIL PROTECTED]
> >To: [EMAIL PROTECTED]
> >Subject: Re: docs for openssl programming in C
> >Date: Fri, 21 Apr 2000 23:07:41 -0800
> >
> >
> > >The advice involved using SSL_set_verify and
> > >SSL_CTX_load_verify_locations. This was not acceptable for my purposes
> > >as I do not want to verify against certificates in a specific path but
> > >against one loaded in memory. Hope this helps.
> >
> >Did you ever figure out how to do this?  I am unable to figure out how to
> >verify a server's cert without having to store data in a file.
> >
> >
> >   |  Brian Wotring  ( [EMAIL PROTECTED] )
> >   |  Fort Nocs, Inc.
> >   |  PGP Key ID: 0x9674763D
> >______________________________________________________________________
> >OpenSSL Project                                 http://www.openssl.org
> >User Support Mailing List                    [EMAIL PROTECTED]
> >Automated List Manager                           [EMAIL PROTECTED]
> 
> 
