I've misread the source code - you're right that there is no way to get multiple certificates of the same subject from an X509_LOOKUP by a get_by_subject() call. This works only when the OSSL_STORE provider provides the certificates. You would have to implement the OSSL_STORE in a provider instead.

On Mon, 2023-08-07 at 13:47 -0400, Chris Bare wrote:
> Thanks for the reply. The X509_OBJECT used to return data only has
> room for 1 certificate.
> Are you saying the verification routine will call get_cert_by_subject
> again if the first one returned fails?
> I don't think I've seen that behavior. Even if it did, how would the
> lookup routine know this is the nth call, vs a new one?
>
> Or when you said "should" did you mean that would be a better
> solution, but the current code does not do that?
>
> On Mon, Aug 7, 2023 at 3:44 AM Tomas Mraz <tomas@xxxxxxxxxxx> wrote:
> > On Wed, 2023-08-02 at 09:50 -0400, Chris Bare wrote:
> > > I've created an X509_STORE and set my own lookup methods:
> > > lm = X509_LOOKUP_meth_new ("Load certs from database");
> > > if (lm)
> > > {
> > >     X509_LOOKUP_meth_set_ctrl (lm, dir_ctrl);
> > >     X509_LOOKUP_meth_set_get_by_subject (lm, get_cert_by_subject);
> > >     X509_LOOKUP_meth_set_get_by_issuer_serial (lm, get_by_issuer_serial);
> > >     X509_LOOKUP_meth_set_get_by_fingerprint (lm, get_by_fingerprint);
> > >     X509_LOOKUP_meth_set_get_by_alias (lm, get_by_alias);
> > > }
> > > store = X509_STORE_new();
> > > X509_STORE_add_lookup(store, lm);
> > >
> > > This works, but it only ever calls get_cert_by_subject. I've run into
> > > cases where certificates have duplicate CommonNames, so it would be
> > > better to use one of the other lookups.
> > > Is there a flag I need to set in the store, or some configuration I
> > > need to do somewhere else in OpenSSL to make it use a different
> > > lookup method?
> >
> > Unfortunately in practice this is the only lookup method that is being
> > used by the certificate verification. The store should be able to
> > return all the matching certificates and the verification routine will
> > select the proper one from them.
> >
> > --
> > Tomáš Mráz, OpenSSL