Pablo Jose Royo Moreno wrote:
>
> Hello:
>
> I need to verify a server to a client with my own client database for CA
> certificates, so I don't need to use X509_STORE to join together my cert
> stuff.
> I know there is a callback where I can write my verify functions but then I
> must also write all chain cert verification stuff, which I prefer to be done by
> SSLeay. I've studied SSLeay sources a bit but I haven't been able to
> separate X509_STORE things from the rest.
>
> Does somebody have any idea about how I can achieve this without X509_STORE?
> Thanks.
Try using something like this:

    SSL_set_app_data(context->gs_ssl, (char *)context);
    ...
    SSL_CTX_set_verify(newcred->gs_ctx,
                       SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                       verify_callback);
    ...
    int
    verify_callback(int ok, X509_STORE_CTX *ctx)
    {
        SSL *ssl;
        gss_ctx_id_desc *ch;
        ....
        /* By a roundabout process, the app_data of the ctx points
         * at the SSL. We have saved a pointer to the context handle
         * in the SSL.
         */
        ssl = (SSL *)X509_STORE_CTX_get_app_data(ctx);
        ch = (gss_ctx_id_desc *)SSL_get_app_data(ssl);
        ....
        /* We need to make up a cert_chain if we are the server.
         * The ssl code does not save this as I would expect.
         * where in the structure pointed at by ch we have:
         *     STACK *cert_chain;
         */
        if (ch->cert_chain == NULL) {
            ch->cert_chain = sk_new_null();
        }
        /* The callback is called once per cert in the chain (root first),
         * so this builds up the whole chain; ok is passed through unchanged
         * so the actual verification is still done by the library.
         */
        sk_push(ch->cert_chain, (char *)X509_dup(ctx->current_cert));
        return(ok);
    }
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444