RE: Working inside X509_STORE_CTX using verification callbacks

Okay.

Thanks Matt, I didn’t see that one in x509_vfy.c, I must look harder.

I will modify our own copy of OpenSSL1.1.1c to provide the missing functions and open a PR on the master.

Simon Edwards

On 25/09/2019 12:31, Matt Caswell wrote:

On 25/09/2019 12:22, Simon Edwards wrote:

>     void X509_STORE_CTX_set0_error(X509_STORE_CTX *ctx, int error) {
>         ctx->error = error;
>     }

This one already exists:

void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
{
    ctx->error = err;
}

Other missing accessors could be added (and even backported to stable releases) if there is a strong enough justification for wanting them.

Matt

From: Simon Edwards
Sent: 25 September 2019 12:22
To: openssl-users@xxxxxxxxxxx
Subject: Working inside X509_STORE_CTX using verification callbacks

Hello Everyone.

I am migrating code written to the old 1.0 (actually probably more like 0.9.?) X509_STORE API which has a replacement for the check_issuer callback function.

Unless I am missing something the 1.1.1c SDK’s public API is missing some accessor functions that are required for a like-for-like update to 1.1.1c.

    void X509_STORE_CTX_set0_current_issuer(X509_STORE_CTX *ctx, X509 *cert) {
        ctx->current_issuer = cert;
    }

    void X509_STORE_CTX_set0_error(X509_STORE_CTX *ctx, int error) {
        ctx->error = error;
    }

I suspect I will need to build this as an internal OpenSSL source module in order to allow access inside the STORE structure.

Or, have I missed a replacement API somewhere?

The reason for using our own callback function is to allow for the situation where a trustpoint collection may contain multiple certificates with the same DN but different keys. The second (or later) of these may be the signer of the certificate being verified. The OpenSSL version would stop when it encountered the first certificate with an incorrect key. If OpenSSL now supports this situation we could remove the need to set our own callback.

Simon Edwards
Principal Software Engineer

Micro Focus

simon.edwards@xxxxxxxxxxxxxx

The Lawn, 22-30 Old Bath Road
Newbury, Berkshire, UK

Shoretel 44224
Direct: +44 1635 565487
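As an added illustration (not code from the thread or from OpenSSL) of the issuer-selection problem Simon describes, the model below contrasts a chain builder that stops at the first same-DN trust anchor with one that keeps scanning until a candidate's key actually verifies the signature. The cert_t struct, the integer key ids standing in for public keys, and the trust store contents are all constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of a certificate: DNs as strings, keys as integer ids. */
typedef struct {
    const char *subject;   /* DN of the certificate holder */
    const char *issuer;    /* DN of the signer */
    int key_id;            /* stands in for the certificate's public key */
    int signer_key_id;     /* stands in for the key that produced the signature */
} cert_t;

/* Stand-in for a signature check: true only when the candidate holds the key
 * that actually signed `x`. */
static int signed_by(const cert_t *x, const cert_t *candidate) {
    return x->signer_key_id == candidate->key_id;
}

/* Behaviour the thread complains about: take the first trust anchor whose
 * subject matches the issuer DN and give up if its key is wrong, so a later
 * same-DN anchor is never tried. Returns the anchor index or -1. */
int find_issuer_first_dn_match(const cert_t *trust, size_t n, const cert_t *x) {
    for (size_t i = 0; i < n; i++) {
        if (strcmp(trust[i].subject, x->issuer) == 0)
            return signed_by(x, &trust[i]) ? (int)i : -1;
    }
    return -1;
}

/* Desired behaviour: a DN match is only a candidate; keep scanning every
 * same-DN anchor until one verifies the signature. Returns index or -1. */
int find_issuer_all_dn_matches(const cert_t *trust, size_t n, const cert_t *x) {
    for (size_t i = 0; i < n; i++) {
        if (strcmp(trust[i].subject, x->issuer) == 0 && signed_by(x, &trust[i]))
            return (int)i;
    }
    return -1;
}

/* Constructed trust store: the CA was re-keyed, so two anchors share a DN. */
const cert_t TRUST[] = {
    { "CN=Example CA", "CN=Example CA", 1, 1 },   /* old CA key */
    { "CN=Example CA", "CN=Example CA", 2, 2 },   /* new CA key, same DN */
};
const size_t TRUST_LEN = sizeof(TRUST) / sizeof(TRUST[0]);

/* Constructed end-entity certificate signed with the new CA key (id 2). */
const cert_t LEAF = { "CN=server.example", "CN=Example CA", 3, 2 };
```

With this store, the first-match search reports no issuer for LEAF, while the full scan returns the re-keyed anchor at index 1.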
