Loading CA from memory

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

Loading CA from memory

Devchandra L Meetei
I have been looking for  API like `SSL_CTX_load_verify_mem` which will load
CA[s] from mem buffer. 

Looks like OpenSSL does not have it yet, Is there any other way to work around 
this ?

--
Warm Regards
--Dev
OpenPegasus Developer

"I'm one of those people that think Thomas Edison and the light bulb changed the world more than Karl Marx ever did,” Steve Jobs

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Loading CA from memory

Jakob Bohm-7
On 20/02/2018 16:38, Devchandra L Meetei wrote:
> I have been looking for  API like `SSL_CTX_load_verify_mem` which will
> load
> CA[s] from mem buffer.
>
> Looks like OpenSSL does not have it yet, Is there any other way to
> work around
> this ?
>
>
I think it can be done step by step, at least in 1.0.x:

First allocate an empty STACK_OF X509 certificates

Then loop over your in-memory CA certificates, passing each to d2i_X509,
then adding the resulting X509 object to the stack.

Finally pass that stack as the CA collection to an appropriate SSL_CTX
function.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Loading CA from memory

Devchandra L Meetei
Thanks Jakob for the hint
Let me try out the suggested approach.

By the way, Is there any plan to port SSL_CTX_load_verify_mem to openssl?

On Tue, Feb 20, 2018 at 9:23 PM, Jakob Bohm <[hidden email]> wrote:
On 20/02/2018 16:38, Devchandra L Meetei wrote:
I have been looking for  API like `SSL_CTX_load_verify_mem` which will load
CA[s] from mem buffer.

Looks like OpenSSL does not have it yet, Is there any other way to work around
this ?


I think it can be done step by step, at least in 1.0.x:

First allocate an empty STACK_OF X509 certificates

Then loop over your in-memory CA certificates, passing each to d2i_X509, then adding the resulting X509 object to the stack.

Finally pass that stack as the CA collection to an appropriate SSL_CTX function.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



--
Warm Regards
--Dev
OpenPegasus Developer

"I'm one of those people that think Thomas Edison and the light bulb changed the world more than Karl Marx ever did,” Steve Jobs

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Loading CA from memory

Viktor Dukhovni


> On Feb 20, 2018, at 12:58 PM, Devchandra L Meetei <[hidden email]> wrote:
>
> By the way, Is there any plan to port SSL_CTX_load_verify_mem to openssl?

The basic functionality is already there:

If you want to parse in-memory PEM, see the use of PEM_X509_INFO_read_bio() [needs documentation] at:

   https://github.com/openssl/openssl/blob/master/apps/crl2p7.c#L179

if have a PKCS7 DER or PEM structure, there are suitable functions for pulling
out a chain from that.  Then you can set a "trusted stack" for your X509_STORE_CTX.

--
        Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Loading CA from memory

Devchandra L Meetei
Thanks Viktor
As usual, Your answer throws light. Now, it is time to get started.
Will revert if got obstructed on the way

On Wed, Feb 21, 2018 at 9:58 AM, Viktor Dukhovni <[hidden email]> wrote:


> On Feb 20, 2018, at 12:58 PM, Devchandra L Meetei <[hidden email]> wrote:
>
> By the way, Is there any plan to port SSL_CTX_load_verify_mem to openssl?

The basic functionality is already there:

If you want to parse in-memory PEM, see the use of PEM_X509_INFO_read_bio() [needs documentation] at:

   https://github.com/openssl/openssl/blob/master/apps/crl2p7.c#L179

if have a PKCS7 DER or PEM structure, there are suitable functions for pulling
out a chain from that.  Then you can set a "trusted stack" for your X509_STORE_CTX.

--
        Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



--
Warm Regards
--Dev
OpenPegasus Developer

"I'm one of those people that think Thomas Edison and the light bulb changed the world more than Karl Marx ever did,” Steve Jobs

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users