If I was using flat files, I could simply do SSL_CTX_load_verify_locations. However, I have the certificates stored in a database.

At first I was kind of looking for a function SSL_CTX_load_verify_BIO(), but there does not seem to be such a thing... (I could then have written a BIO for loading the certs from the database.)

I see two options:

1) Load the certificates one by one from the database, and put them in the context using SSL_CTX_use_certificate() (first) and SSL_CTX_add_extra_chain_cert() (the rest).

2) Implement a verify callback, and set it for the context (SSL_CTX_set_verify()). Then, in my callback, load the certificates from the database on demand to do verification.

My concern with 1) is that it would seem a little slow/wasteful.

My concern with 2) is that I don't feel really comfortable writing my own verification routines, especially since the only thing I want to do differently is loading the certs from the database. Ideally the verify callback would be called with error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, I would load the next cert in the chain into the context, and ask it to try again... But I don't actually see how I could ask it to try again.

Or do I need to set SSL_CTX_set_cert_verify_callback() instead, load the CA certificates there, and then restore the default cert verify callback? Not really sure what the x509_store_ctx arg in the callback is either - the peer's cert chain, or the context's?

Are my musings correct so far? Are there other ways of doing this? Any way to reuse the default verification routines if I do 2)?

-- Heikki Toivonen