Re: Problem with x509_verify_certificate

> On Nov 26, 2018, at 1:08 PM, Ken <OpenSSL@xxxxxx> wrote:
> 
> Is it "better" to use
> 
> X509_STORE_CTX_set_default(csc, "ssl_server");

This does take care of all the niggly details, but see below...

> or something more like
> 
> purpose = X509_PURPOSE_SSL_SERVER;
> verify_param = X509_STORE_CTX_get0_param(csc);
> X509_VERIFY_PARAM_set_purpose(verify_param, purpose);
> X509_verify_cert(csc)
> 
> When we tried the second option, it did not make any difference.

The comment in check_purpose() in crypto/x509/x509_vfy.c may prove
illuminating:

    /*
     * For trusted certificates we want to see whether any auxiliary trust
     * settings trump the purpose constraints.
     *
     * This is complicated by the fact that the trust ordinals in
     * ctx->param->trust are entirely independent of the purpose ordinals in
     * ctx->param->purpose!
     *
     * What connects them is their mutual initialization via calls from
     * X509_STORE_CTX_set_default() into X509_VERIFY_PARAM_lookup() which sets
     * related values of both param->trust and param->purpose.  It is however
     * typically possible to infer associated trust values from a purpose value
     * via the X509_PURPOSE API.
     * 
     * Therefore, we can only check for trust overrides when the purpose we're
     * checking is the same as ctx->param->purpose and ctx->param->trust is
     * also set.
     */

The solution is to call:

	X509_STORE_CTX_set_purpose(csc, X509_PURPOSE_SSL_SERVER)

which also takes care of all the "trust" bits.  The separation between
purpose values and trust values is rather obscure.  Sorry about that.
Most applications don't have to delve this deep.

> When I added X509_STORE_CTX_set0_param(csc,verify_param);

This is not valid, because you don't own the reference to verify_param,
and so cannot "give it away".  The object ends up freed.  This is why
Rust has a borrow-checker...  Time to start rewriting OpenSSL in Rust.

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
