Hi Jeff:

If you are looking for a solution that not only handles CRL but OCSP as well, you might want to check out Pathfinder:

http://www.carillon.ca/tools/pathfinder.php

It allows you to easily add a custom callback to the _verify() routines that will enable all of this. It also does caching and complex path resolution, in case that is interesting to you.

Best Regards,

Patrick.

On 2011-03-15, at 9:19 AM, Jeff Saremi wrote:

> I seriously need help with this piece. I searched the forum and I could
> not find what I was looking for.
>
> During an SSL handshake, I need to be able to examine the CRL
> distribution points on a certificate (chain), download them, and pass
> them along to OpenSSL for further revocation checks.
>
> I thought I understood that the problem would be solved by just
> overwriting the "get_crl" method of X509_STORE. But it looks like there's a
> lot more going on than just reading a URL and downloading the target.
>
> Here's what I did, and after all it didn't work, because I got the error
> "Different CRL scope" after return from my "get_crl".
>
> **** set up X509_STORE just before SSL connection:
>
>     // do trusted certs
>     if (crlDownloader) {
>         x509Store->get_crl = &getCrl;
>         CRYPTO_set_ex_data(&x509Store->ex_data,
>                            CRL_GET_EXDATA_INDEX, (void *)crlDownloader);
>         X509_STORE_set_flags(x509Store,
>                              X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
>     }
>     SSL_CTX_set_cert_store(ctx, x509Store);
>
> **** My get_crl:
>
>     int getCrl(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *cert)
>     {
>         CrlDownloader *crlDownloader = (CrlDownloader*)CRYPTO_get_ex_data(
>             &ctx->ctx->ex_data,
>             CRL_GET_EXDATA_INDEX);
>         try
>         {
>             // read the distribution points from the certificate (see below);
>             // "list" is the std::vector<std::string> of URLs built by the util code
>             for (size_t k = 0; k < list.size(); k++)
>             {
>                 const std::string &url = list[k];
>                 X509_CRL* downloadedCrl = crlDownloader->download(url);
>                 *crl = downloadedCrl;
>                 X509_STORE_add_crl(ctx->ctx, *crl);
>                 break;
>             }
>             return 1;
>         }
>         catch (std::exception &e)
>         {
>             // print error
>         }
>         return 0;
>     }
>
> ***** util code to return a distribution URL minimally
>
>     std::vector<std::string> list;
>     int i, j;
>     for (i = 0; i < sk_DIST_POINT_num(cert->crldp); i++)
>     {
>         DIST_POINT *dp = sk_DIST_POINT_value(cert->crldp, i);
>         // only a fullName (type 0) distribution point carries GeneralNames
>         if (!dp->distpoint || dp->distpoint->type != 0)
>             continue;
>         for (j = 0; j < sk_GENERAL_NAME_num(dp->distpoint->name.fullname); j++)
>         {
>             GENERAL_NAME *gen = sk_GENERAL_NAME_value(
>                 dp->distpoint->name.fullname, j);
>             if (gen->type == GEN_URI)
>             {
>                 list.push_back(std::string((char*)gen->d.ia5->data,
>                                            gen->d.ia5->length));
>             }
>         }
>     }
>
> Note that if I modify my code, download the CRL at the beginning, add it
> to X509_STORE and continue, then everything works as expected. But
> that's not acceptable because I would have to know a priori what those
> CRL distribution points would be.
>
> So as I mentioned, the above still does not work.
> Looking at get_crl_delta() shows that there's a lot more logic involved
> than just downloading the CRL. Unfortunately, most if not all of the
> methods called inside that module are static so they're not available to
> my get_crl.
>
> I'd appreciate your feedback and guidance.
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org

--
Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
tel: +1 514 485 0789
mobile: +1 514 994 8699
fax: +1 450 424 9559