From: Douglas Wikström <[EMAIL PROTECTED]>

Note: for another example of the use of X509_STORE_CTX and certificate
verifying, look at ssl_verify_cert_chain in ssl/ssl_cert.c.

douglas> 1) In apps/verify.c this function is used, what is the _purpose_ of it?
douglas> X509_STORE_CTX_set_purpose(csc, purpose);

Pun set aside, the purpose with it is to set the desired purpose of the
certificate being checked. The possible choices are found in x509v3.h and
all have names starting with X509_PURPOSE.

douglas> 2) Correct me if I am wrong but the idea is thus:
douglas> X509_STORE contains all trusted certs

Yes.

douglas> X509_STORE_CTX is used only once after each initialization

I don't quite understand what you mean.

douglas> X509_STORE_add_cert(ctx, CAx509);
douglas> explicitly adds CAx509 as a cacert to be trusted

Yes.

douglas> X509_STORE_CTX_init(&csc, ctx, x509, NULL);
douglas> Says that we want to verify the cert x509 using the trusted
douglas> certs in the store csc
douglas>
douglas> Still missing here is what the last parameter is supposed to
douglas> accomplish? Is that for the case that we have a cacert chain
douglas> with a root contained in csc?

Yes. Basically, if you have received more than one cert on whatever thing
you receive (usually a chain, for example in an SSL handshake), you would
get them as a STACK_OF(X509)*, and that's what you pass down as fourth
parameter.

douglas> X509_verify_cert(&csc);
douglas> Does the actual traversal

Yes.

douglas> 3) Under what circumstances is the callback called

After the OpenSSL internals have done all the verifications it can, it
will call the callback with the first argument being 0 (if OpenSSL failed
to verify the certificate) or 1 (if OpenSSL successfully verified the
certificate), and the second argument being the X509_STORE_CTX* that is
currently used.

douglas> and what happens when it is set to NULL like below:
douglas> X509_STORE_set_verify_cb_func(ctx, NULL);

Well, nothing else than the OpenSSL verification routine.

You might wonder what you can do with the callback. Well, especially if
you get 1 as first argument, you might want to do further checks, like
checking against a CRL or an OCSP server, or revocation data on an LDAP
server, or...

douglas> Thank you for your help.

YW. HTH. HAND.

-- 
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
Redakteur@Stacken \ SWEDEN \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/
Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Subject: Re: Got in late in the conversation. Maybe this is what you want
From: Richard Levitte - VMS Whacker
Date: Thu, 13 Jul 2000 11:28:53 -0700