Re: Certificate Verify and non-root Trust Anchors

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi Victor,
Ahhhh... that is why :D I wrongly assumed that the newly created parameters would hold the same initialization. This approach works! 

Thanks again!

Cheers,
Max

On 12/11/17 5:45 PM, Viktor Dukhovni wrote:



On Dec 11, 2017, at 7:35 PM, Dr. Pala <madwolf@xxxxxxxxxx> wrote:


Perhaps you ended up creating a parameter structure with a
depth limit that's too small.  Just configuring partial
chains will never yield a chain that is longer than it
otherwise would be.  In fact you generally get shorter
chains.  So, no this is not a result of using the
new flag, but may be a result of how you're going about
setting the flag.

I actually do not set anything but the flag in the verify parameter, that is (error checking removed for clarity):
param = X509_VERIFY_PARAM_new();
X509_STORE_CTX_set0_param(ctx, param);
X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_PARTIAL_CHAIN);

There's the problem, you're creating new parameters, instead of
modifying the default parameters.

Instead, you must call:

	param = X509_STORE_CTX_get0_param(ctx);
         X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_PARTIAL_CHAIN);


With this setting, I get the error..

Not surprising, the parameters you created don't have the default depth
setting.


which is the strange part as you said (the chain can not be longer :D). Maybe the code thinks that if you have a SubCA then you should have an additional level.. and since you do not have it, it sends the error... ???

... any suggestion on how to fix this ? Do you think it is actually a bug ? ... or am I missing some other configs / setting I should have done for the verify param ?


You should obtain a reference to the existing parameters
from the context, and modify these to add the new flag.



Well.. considering the code structure, the flags should be ok
(since I just set it and then use it right away...) ???

Actually, no.  You're losing all the verification parameter initialization
done by X509_STORE_CTX_new():

     ctx->param = X509_VERIFY_PARAM_new();
     if (!ctx->param) {
         X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE);
         return 0;
     }

     /*
      * Inherit callbacks and flags from X509_STORE if not set use defaults.
      */
     if (store)
         ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
     else
         ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT | X509_VP_FLAG_ONCE;

     if (store) {
         ctx->verify_cb = store->verify_cb;
         /* Seems to always be 0 in OpenSSL, else must be idempotent */
         ctx->cleanup = store->cleanup;
     } else
         ctx->cleanup = 0;

     if (ret)
         ret = X509_VERIFY_PARAM_inherit(ctx->param,
                                         X509_VERIFY_PARAM_lookup("default"));



--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux