> From: [email protected] [mailto:owner-openssl-[email protected]] On Behalf Of Jeffrey Walton
> Sent: Sunday, 02 March, 2014 03:14
>
> I'm trying to add some key and certificate validation code to help
> diagnose potential issues.
>
> X509_verify allows me to verify an X509 and EVP_PKEY pair.
>
> verify.c has certificate validation code, but it appears to work from
> the file system (X509_STORE_add_lookup(), X509_LOOKUP_file(),
> X509_LOOKUP_hash_dir() and friends).
>
> Is there anything which allows validation of X509 chains in memory?
Don't think I've seen an answer to this yet...

The X509_STORE* functions can be used in applications, but they're largely not documented (as the OpenSSL documentation page for SSL_CTX_set_cert_store admits). By trawling through some code, some old libeay docs, and what's in the OpenSSL docs page, I was able to write code for in-memory certificate validation using X509_STORE_new, X509_STORE_add_cert, and X509_STORE_free; it compiles but I haven't gotten around to testing it yet.

Then there's the X509_STORE_CTX* family, which may be more appropriate to your requirements. My understanding is that X509_STORE* is typically used to set up the global configuration, and X509_STORE_CTX* for a specific context.

Take a look at:

http://www.umich.edu/~x509/ssleay/x509_store.html
http://www.openssl.org/docs/crypto/X509_STORE_CTX_new.html
http://stackoverflow.com/questions/6646841/what-is-the-difference-between-x509-store-and-x509-store-ctx
http://www.openssl.org/docs/ssl/SSL_CTX_set_cert_store.html

This may also be useful:

http://stackoverflow.com/questions/16291809/openssl-programatically-verify-certificate-chain-in-c-in-memory-certs

-- 
Michael Wojcik
Technology Specialist, Micro Focus
