I think someone has touched on some of this on the list recently, but
I was curious if there was a way to programmatically (through an API
call or other) way to patch into OpenSSL's configuration capability -
I understand the library by default looks at text files on a file
system for things like root certificates, but if I'm running on an
embedded system with no hard drive and I don't have a persistent
storage medium accessible through traditional file I/O calls, how
would I feed OpenSSL everything it needs to operate correctly?
Also, because I'm on an embedded system, I can't download CRLs to a
file on a file system because of limited storage. I either have to
download delta-CRLs (which is no guarantee of a small download), or
have a way to "stream" CRL data through a verifier process. In this
way, certificates are checked against a CRL while the data is being
downloaded into the embedded device. After CRL records have been
processed, they're thrown away. If we have a "match" in a CRL, we can
cache that cert as being "revoked" - like a "lookaside list" that we
check prior to downloading a CRL. Of course the "revoked cert" cache
would not be persistent because we may not have non-volatile memory
to store the cache.
If we're using OCSP, a file system is not really an issue, and we can
cache OCSP responses as well, as supported by the protocol.
Any information on API configuration of all openssl parameters (no
text files) and certificate validation on a constrained embedded
device is much appreciated.