OpenSSL 1.1.0: No X509_STORE_CTX_set_cert_crl() function?

OpenSSL 1.1.0: No X509_STORE_CTX_set_cert_crl() function?

Stephan Mühlstrasser
Hi,

while porting from OpenSSL 1.0.2 to OpenSSL 1.1.0 I ran into the
following problem:

With OpenSSL 1.0.2 I plugged into the certificate verification
mechanism in order to capture the X509_CRL that was used to validate a
certificate. The original function pointer stored in the cert_crl member
of a X509_STORE_CTX structure was saved, and another function was
assigned to the cert_crl member that called the saved original cert_crl
function and then performed additional operations with the X509_CRL
structure.

It looks like in OpenSSL 1.1.0 I can no longer do that. There are only
functions available that return various function pointers from a
X509_STORE_CTX structure (like X509_STORE_CTX_get_cert_crl), but there
are no corresponding counterparts to set the function pointers.

Is this intentional, or is this an omission in OpenSSL 1.1.0? If this is
intentional, how could I reproduce the functionality without having to
duplicate the code in the static cert_crl() function in x509_vfy.c?

Thanks
Stephan
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: OpenSSL 1.1.0: No X509_STORE_CTX_set_cert_crl() function?

OpenSSL - User mailing list
    It looks like in OpenSSL 1.1.0 I can no longer do that. There are only
    functions available that return various function pointers from a
    X509_STORE_CTX structure (like X509_STORE_CTX_get_cert_crl), but there
    are no corresponding counterparts to set the function pointers.

This could be viewed as a bug; we had no idea people wanted to *set* various fields.  We consider missing accessors/setters in opaque datatypes a bug.


Re: OpenSSL 1.1.0: No X509_STORE_CTX_set_cert_crl() function?

Stephan Mühlstrasser
On 15.06.18 at 16:36, Salz, Rich via openssl-users wrote:
>      It looks like in OpenSSL 1.1.0 I can no longer do that. There are only
>      functions available that return various function pointers from a
>      X509_STORE_CTX structure (like X509_STORE_CTX_get_cert_crl), but there
>      are no corresponding counterparts to set the function pointers.
>
> This could be viewed as a bug; we had no idea people wanted to *set* various fields.  WE consider missing accessors/setters in opaque datatypes a bug.

I found the following awkward workaround: I set up a temporary
X509_STORE_CTX object only for the purpose of getting the original
X509_STORE_CTX_cert_crl_fn function pointer that I save somewhere. Then
I call X509_STORE_set_cert_crl to assign my own cert_crl function, from
which later X509_STORE_CTXs created for the X509_STORE will inherit it.

This is the code (minus error checking):

#include <openssl/x509_vfy.h>

X509_STORE *my_store = X509_STORE_new();
/* Throwaway context with no store: X509_STORE_CTX_init() gives it the
   library default cert_crl, which is the pointer we want to keep. */
X509_STORE_CTX *ctx = X509_STORE_CTX_new();
X509_STORE_CTX_init(ctx, NULL, NULL, NULL);
X509_STORE_CTX_cert_crl_fn original_cert_crl =
    X509_STORE_CTX_get_cert_crl(ctx);
/* Every X509_STORE_CTX later created from my_store inherits this hook. */
X509_STORE_set_cert_crl(my_store, my_own_cert_crl);
X509_STORE_CTX_free(ctx);

Should I file an issue on GitHub about the missing setters?

Thanks
Stephan
Re: OpenSSL 1.1.0: No X509_STORE_CTX_set_cert_crl() function?

OpenSSL - User mailing list
>    Should I file an issue on GitHub about the missing setters?
 
That would be great, thanks.  Glad you got something to work.

Re: OpenSSL 1.1.0: No X509_STORE_CTX_set_cert_crl() function?

Stephan Mühlstrasser
On 15.06.18 at 16:55, Salz, Rich via openssl-users wrote:
>>     Should I file an issue on GitHub about the missing setters?
>    
> That would be great, thanks.  Glad you got something to work.
>

Submitted new OpenSSL issue #6505:

https://github.com/openssl/openssl/issues/6505

--
Stephan