Unfortunately, the short answer is I can't avoid the problem. The application is complicated, and can be thought of as many applications, all of which have different needs. I don't think combining a certificate chain into one file eliminates the need for all of the calls I'm making, just some of them. I wish it were that easy, but I need to do this setup at run time.
I'll see what I can find, and try a few other things to attempt to isolate the cause. If I run out of ideas, I'll probably start a new thread since it may get more attention.
Thanks for your answers once again.
Jason
From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> on behalf of Viktor Dukhovni <openssl-users@xxxxxxxxxxxx>
Sent: Wednesday, November 3, 2021 9:25 PM
To: openssl-users@xxxxxxxxxxx <openssl-users@xxxxxxxxxxx>
Subject: Re: X509_get_pubkey() in OpenSSL 3.0?

On Wed, Nov 03, 2021 at 08:32:43PM +0000, Jason Schultz wrote:

> To summarize, at application start time I read in all of the
> certificates in /etc/ssl/certs/ to a trusted store created with
> X509_STORE_new().
>
> When getting ready to "start" a server (again, leaving a lot of
> specifics out to avoid getting bogged down in details), I'm doing the
> processing in the previous messages on this thread. Here are the API
> calls again, with the changes previously discussed:
>
> ctx = SSL_CTX_new_ex(non_fips_libctx, NULL, TLS_method());
> SSL_CTX_use_PrivateKey_file(ctx,<keyfile>,SSL_FILETYPE_PEM);
> SSL_CTX_use_certificate_file(ctx,<certfile>,SSL_FILETYPE_PEM);
> SSL_CTX_check_private_key(ctx);
> mycert = SSL_CTX_get0_certificate(ctx);
> pkey = X509_get_pubkey(mycert);
>
> After that's done, I make several OpenSSL calls to get things set up the way I want:
>
> param = X509_VERIFY_PARAM_new();
> X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_PARTIAL_CHAIN);
> X509_STORE_set1_param(ssl_trusted_certs, param);
> X509_VERIFY_PARAM_free(param);
>
> I call these to treat intermediate certs as trust-anchors, so I can
> trust an intermediate certificate; ssl_trusted_certs is the
> aforementioned X509_STORE.

I am puzzled as to why you are working so hard (writing a bunch of low-level trust-store and chain construction code) to construct at runtime what could be created statically at chain file construction time. Especially if you stick with best practice and keep certificate lifetimes reasonably short (~90 days or less, not years). The certificate chain file constructed at the time the certificate is issued should work unchanged for the lifetime of the certificate, and the server applications can avoid having to execute any chain construction or verification code.

Yes, you're asking somewhat "interesting" questions, in that, e.g., I am not up to speed on all the changes in 3.0.0, and perhaps there are indeed some issues around legacy SHA1 signatures, but I do suspect that a more productive use of your time is likely to reconsider the decision to work at such a low layer. It may be wiser to find a way to "unask" the question, i.e. make it moot, by avoiding rather than solving the problem.

> I'm not clear on whether the calls I've added to
> SSL_CTX_get0_certificate(ctx) and X509_get_pubkey(), the latter of
> which was being used before, are what's causing the problem. The
> OpenSSL error queue shows the following on the
> SSL_CTX_build_cert_chain() failure:
>
> 00B741558E7F0000:error:0308010C:digital envelope routines:(unknown function):unsupported:crypto/evp/evp_fetch.c:346:Global default library context, Algorithm (SHA1 : 96), Properties (<null>)
> 00B741558E7F0000:error:03000072:digital envelope routines:(unknown function):decode error:crypto/x509/x_pubkey.c:444:
> 00B741558E7F0000:error:03000072:digital envelope routines:(unknown function):decode error:crypto/x509/x_pubkey.c:444:
> 00B741558E7F0000:error:0580006C:x509 certificate routines:(unknown function):unable to get certs public key:crypto/x509/x509_vfy.c:1986:
> 00B741558E7F0000:error:0A000086:SSL routines:(unknown function):certificate verify failed:ssl/ssl_cert.c:905:Verify error:unspecified certificate verification error

I haven't seen these before, your guess is as good as mine.

-- 
Viktor.
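The two ideas in the exchange above, building the chain file once at issuance time as Viktor suggests and trusting an intermediate directly as Jason does with X509_V_FLAG_PARTIAL_CHAIN, as an added shell example that is not code from the thread or from OpenSSL itself. It generates a constructed test PKI (root, intermediate, server leaf), assembles the chain file in the order SSL_CTX_use_certificate_chain_file() expects, verifies the leaf both against the root and with the intermediate as the only anchor using the CLI form of the flag (openssl verify -partial_chain), and lists the signature algorithms present in the chain file, which is the check that would surface a legacy SHA1-signed certificate before a server loads the file. All file names, subjects and the temporary directory are assumptions made for this example; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not code from the thread): build a server's certificate
# chain file once, at issuance time, and check it from the shell, so the
# server only needs SSL_CTX_use_certificate_chain_file() at run time.
# The test PKI, subjects and file names below are constructed for this example.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a P-256 key and CSR: $1 = output basename, $2 = subject CN.
new_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
}

# Sign a CSR with a CA (SHA-256): $1 = CSR, $2 = CA cert, $3 = CA key,
# $4 = extension file, $5 = output certificate.
sign_cert() {
  openssl x509 -req -sha256 -days 30 -in "$1" -CA "$2" -CAkey "$3" \
    -CAcreateserial -extfile "$4" -out "$5" >/dev/null 2>&1
}

# Constructed test PKI: self-signed root -> intermediate -> server leaf.
make_test_pki() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -days 30 \
    -subj "/CN=Example Root" -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:server.example\nextendedKeyUsage=serverAuth\n' > "$WORK/leaf.ext"
  new_csr "$WORK/int" "Example Intermediate"
  sign_cert "$WORK/int.csr" "$WORK/root.pem" "$WORK/root.key" "$WORK/ca.ext" "$WORK/int.pem"
  new_csr "$WORK/server" "server.example"
  sign_cert "$WORK/server.csr" "$WORK/int.pem" "$WORK/int.key" "$WORK/leaf.ext" "$WORK/server.pem"
}

# Chain file in the order SSL_CTX_use_certificate_chain_file() expects:
# the leaf first, then each intermediate; the root is deliberately left out.
build_chain_file() { cat "$@"; }

# Number of certificates in a PEM bundle.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Distinct signature algorithms used by every certificate in a PEM bundle,
# one per line; a legacy chain would show sha1WithRSAEncryption here.
chain_sig_algs() {
  openssl crl2pkcs7 -nocrl -certfile "$1" \
    | openssl pkcs7 -print_certs -text -noout \
    | awk '/Signature Algorithm:/ { print $3 }' | sort -u
}

# Verify the leaf against the root, using the chain file as untrusted intermediates.
verify_full() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }

# Trust an intermediate directly: the CLI form of X509_V_FLAG_PARTIAL_CHAIN.
verify_partial() { openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1; }

# Same anchor without the flag: fails because the anchor is not self-signed.
verify_strict() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

make_test_pki
build_chain_file "$WORK/server.pem" "$WORK/int.pem" > "$WORK/server-chain.pem"

echo "certificates in chain file: $(cert_count "$WORK/server-chain.pem")"
echo "signature algorithms in chain file: $(chain_sig_algs "$WORK/server-chain.pem" | tr '\n' ' ')"
verify_full "$WORK/root.pem" "$WORK/server-chain.pem" "$WORK/server.pem" && echo "full chain to root: OK"
verify_partial "$WORK/int.pem" "$WORK/server.pem" && echo "intermediate as anchor with -partial_chain: OK"
if verify_strict "$WORK/int.pem" "$WORK/server.pem"; then
  echo "unexpected: intermediate accepted as anchor without -partial_chain"
else
  echo "intermediate as anchor without -partial_chain: rejected, as expected"
fi
```

The chain file produced this way is what the server loads unchanged for the certificate's lifetime; the partial-chain and signature-algorithm checks belong in the issuance pipeline, not in the server's start-up path.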