Thanks for the reply. The X509_OBJECT used to return data only has room for 1 certificate.
Are you saying the verification routine will call get_cert_by_subject again if the first one returned fails?
I don't think I've seen that behavior. Even if it did, how would the lookup routine know this is the nth call, vs a new one?
Or when you said "should" did you mean that would be a better solution, but the current code does not do that?
On Mon, Aug 7, 2023 at 3:44 AM Tomas Mraz <tomas@xxxxxxxxxxx> wrote:
On Wed, 2023-08-02 at 09:50 -0400, Chris Bare wrote:
> I've created an X509_STORE and set my own lookup methods:
> lm = X509_LOOKUP_meth_new ("Load certs from database");
> if (lm)
> {
> X509_LOOKUP_meth_set_ctrl (lm, dir_ctrl);
> X509_LOOKUP_meth_set_get_by_subject (lm, get_cert_by_subject);
> X509_LOOKUP_meth_set_get_by_issuer_serial (lm, get_by_issuer_serial);
> X509_LOOKUP_meth_set_get_by_fingerprint (lm, get_by_fingerprint);
> X509_LOOKUP_meth_set_get_by_alias (lm, get_by_alias);
> }
> store = X509_STORE_new();
> X509_STORE_add_lookup(store, lm);
>
> This works, but it only ever calls get_cert_by_subject. I've run into
> cases where certificates have duplicate CommonNames, so it would be
> better to use one of the other lookups.
> Is there a flag I need to set in the store, or some configuration I
> need to do somewhere else in OpenSSL to make it use a different
> lookup method?
Unfortunately in practice this is the only lookup method that is being
used by the certificate verification. The store should be able to
return all the matching certificates and the verification routine will
select the proper one from them.
--
Tomáš Mráz, OpenSSL
--
Chris Bare