On Mon, Jun 03, 2013 at 11:32:31PM +0000, Viktor Dukhovni wrote:

> I want to use SSL_CTX_set_cert_verify_callback() to customize how
> certificate verification is performed. I need to be able to selectively
> add/remove from the set of "untrusted" additional certificates in
> X509_STORE_CTX. Unfortunately, while:
>
>     X509_STORE_CTX_set_chain()
>
> sets ctx->untrusted, the similarly named:
>
>     X509_STORE_CTX_get_chain()
>
> returns ctx->chain, which is already populated and useful during
> the simpler one cert at a time verification callback, but is always
> empty at the start of the cert_verify_callback().
>
> I could simply bypass the API and directly manipulate ctx->untrusted,
> but I am reluctant to do that. Should I go ahead and do that?

Note, to implement DANE, I am using 1.0.0 or later only. So if with 1.x.y
there is a reasonable expectation that libcrypto versions with the same
SONAME don't vary in the offset of the "untrusted" member in X509_STORE_CTX,
that would be good to know.

> Will there perhaps be a library feature that exposes the chain
> elements to the cert_verify_callback?

Any feedback? Is it safe to access (read-only by cloning the chain)
ctx->untrusted?

-- 
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org