On Wed, 2023-08-02 at 09:50 -0400, Chris Bare wrote:
> I've created an X509_STORE and set my own lookup methods:
>
>     lm = X509_LOOKUP_meth_new ("Load certs from database");
>     if (lm)
>     {
>         X509_LOOKUP_meth_set_ctrl (lm, dir_ctrl);
>         X509_LOOKUP_meth_set_get_by_subject (lm, get_cert_by_subject);
>         X509_LOOKUP_meth_set_get_by_issuer_serial (lm, get_by_issuer_serial);
>         X509_LOOKUP_meth_set_get_by_fingerprint (lm, get_by_fingerprint);
>         X509_LOOKUP_meth_set_get_by_alias (lm, get_by_alias);
>     }
>     store = X509_STORE_new();
>     X509_STORE_add_lookup(store, lm);
>
> This works, but it only ever calls get_cert_by_subject. I've run into
> cases where certificates have duplicate CommonNames, so it would be
> better to use one of the other lookups.
> Is there a flag I need to set in the store, or some configuration I
> need to do somewhere else in OpenSSL to make it use a different
> lookup method?

Unfortunately in practice this is the only lookup method that is being
used by the certificate verification. The store should be able to return
all the matching certificates and the verification routine will select
the proper one from them.

-- 
Tomáš Mráz, OpenSSL