OpenSSL 1.1.0: How to get X509_STORE from X509_LOOKUP?

OpenSSL 1.1.0: How to get X509_STORE from X509_LOOKUP?

Stephan Mühlstrasser
Hi,

I'm migrating from OpenSSL 1.0.2 to OpenSSL 1.1.0. The application
attaches additional data to X509 certificate data structures via the
X509_set_ex_data()/X509_get_ex_data() functions.

A tricky detail is that the additional data must be attached when
OpenSSL loads certificates from PEM files or from directories containing
certificates with the hashed names. With OpenSSL 1.0.2 this was
implemented by wrapping the X509_LOOKUP_METHODs returned by
X509_LOOKUP_file() and X509_LOOKUP_hash_dir() into application-specific
X509_LOOKUP_METHODs.

Within the application-specific X509_LOOKUP_METHOD instances the original
methods are called, and when certificates are loaded, X509_set_ex_data()
is then called via a callback on the newly loaded certificate. For
example, for the X509_LOOKUP_file() lookup method the "ctrl" function
pointer from the X509_LOOKUP_METHOD structure is overridden:

int (*ctrl) (X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
             char **ret);

For this approach it is necessary to retrieve the X509_STORE context
pointer from an X509_LOOKUP pointer passed to the function called via the
X509_LOOKUP.ctrl function pointer.

In OpenSSL 1.0.2 this was no problem as the "X509_STORE *store_ctx"
member of the X509_LOOKUP structure was directly accessible. But in
OpenSSL 1.1.0 the X509_LOOKUP structure is opaque, and as far as I can
see there is no API function available that would retrieve the
X509_STORE pointer from an X509_LOOKUP pointer.

Is this intentional, or was this an omission when making the X509_LOOKUP
structure opaque in OpenSSL 1.1.0?

Thanks
Stephan
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: OpenSSL 1.1.0: How to get X509_STORE from X509_LOOKUP?

Matt Caswell

On 12/06/18 10:58, Stephan Mühlstrasser wrote:
> In OpenSSL 1.0.2 this was no problem as the "X509_STORE *store_ctx"
> member of the X509_LOOKUP structure was directly accessible. But in
> OpenSSL 1.1.0 the X509_LOOKUP structure is opaque, and as far as I can
> see there is no API function available that would retrieve the
> X509_STORE pointer from an X509_LOOKUP pointer.
>
> Is this intentional, or was this an omission when making the X509_LOOKUP
> structure opaque in OpenSSL 1.1.0?

It was an omission that is fixed in the latest dev version of OpenSSL
1.1.0. See this commit:

https://github.com/openssl/openssl/commit/6912debb881e669f7a7fb621588e20347111c4f0

This will be in 1.1.0i when it gets released (no release date as yet).

Matt
