On 19.11.14 at 17:20, Stephan Mühlstrasser wrote:
Hi,
Via X509_LOOKUP_load_file() or X509_LOOKUP_add_dir() I'm adding a PEM
file containing multiple CRLs and/or a directory containing hashed CRL
files to an X509_STORE.
Then I'm using the X509_verify_cert() function to verify a certificate.
After verification is successful, I would like to get the actual CRL
object that was used to verify the certificate. How can that be done? Do
I have to plug into the get_crl() callback function of the X509_STORE
structure?
I now found a way to get the CRL. To answer my own question, it works
like this:
Before X509_verify_cert() is called, the original "cert_crl" function
pointer from the X509_STORE_CTX structure is saved. Then the "cert_crl"
function pointer is overridden with my own function that calls the
original function. If the verification succeeds, the CRL object is saved.
Pseudo code:
int (*cert_crl_orig)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x);
X509_CRL *crl_used;   /* CRL that passed the check for the certificate */

int
my_cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
{
    int ok = cert_crl_orig(ctx, crl, x);
    if (ok)
    {
        /* the verifier frees crl after this returns, so take our own reference */
        CRYPTO_add(&crl->references, 1, CRYPTO_LOCK_X509_CRL);
        crl_used = crl;
    }
    return ok;
}

int
verify_cert(X509_STORE *store, X509 *cert)
{
    X509_STORE_CTX *csc = X509_STORE_CTX_new();
    int ok;
    X509_STORE_CTX_init(csc, store, cert, NULL);
    /* direct member access works on OpenSSL 1.0.x; the struct is opaque from 1.1.0 */
    cert_crl_orig = csc->cert_crl;
    csc->cert_crl = my_cert_crl;
    /* cert_crl is only reached when X509_V_FLAG_CRL_CHECK is set on the store */
    ok = X509_verify_cert(csc);
    if (ok <= 0)
    {
        ...
    }
    X509_STORE_CTX_free(csc);
    return ok;
}
Regards
Stephan
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org