[openssl][uwp] SSL_CTX_load_verify_locations not working for UWP port


[openssl][uwp] SSL_CTX_load_verify_locations not working for UWP port

Feng LI

SSL_CTX_load_verify_locations is required for the UWP port to load a CA file since OpenSSL will not use the CA of the OS.

But in the UWP build, stdio is disabled by default. However, SSL_CTX_load_verify_locations relies on the default X509_STORE file lookup functionality, which uses stdio (via BIO_s_file). That basically means no verification of peers and hosts is possible with OpenSSL on the UWP port.

Is there a way to fix this, or is there a workaround for UWP?


Thanks,

Feng

Re: [openssl][uwp] SSL_CTX_load_verify_locations not working for UWP port

Matt Caswell-2


On 05/06/2020 02:04, Feng LI wrote:

> SSL_CTX_load_verify_locations
> <https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_load_verify_locations.html> is
> required for UWP port to load ca file since OpenSSL will not use the CA
> of the OS.
>
> But in the UWP build, stdio is disabled
> <https://github.com/openssl/openssl/blob/082c041b4233b17b80129d4ac6b33a28014442b0/Configurations/50-win-onecore.conf#L113> by
> default. However, SSL_CTX_load_verify_locations relies on the default
> X509_STORE file lookup functionality, which uses stdio (via BIO_s_file). That
> basically means no verification of peers and hosts is possible with
> OpenSSL on the UWP port.
>
> Is there a way to fix this, or is there a workaround for UWP?

If you can't use the file or dir lookup capabilities then you will have
to lookup certs/crls in some other way. There are two possible options
that spring to mind:

1) Implement a custom OSSL_STORE_LOADER (this is probably only viable
for OpenSSL 3.0)

You can implement a custom OSSL_STORE_LOADER via OSSL_STORE_LOADER_new

https://www.openssl.org/docs/manmaster/man3/OSSL_STORE_LOADER_new.html

You will then need to implement the various functions to find and load
the required CA certificates. Perhaps Richard Levitte might comment on
how to do that.

Once you have a custom OSSL_STORE_LOADER you will need to register it
via OSSL_STORE_register_loader() (also documented on the same man page
above).

Finally, you can set your SSL_CTX to use the store via
SSL_CTX_load_verify_store():

https://www.openssl.org/docs/manmaster/man3/SSL_CTX_load_verify_store.html


2) Implement a custom X509_LOOKUP_METHOD

The file and dir lookup methods that SSL_CTX_load_verify_locations uses
are just the built-in ones. It's entirely possible to create your own.
Creating a custom X509_LOOKUP_METHOD involves creating the method via a
call to X509_LOOKUP_meth_new(). You will then need to additionally set
functions to get certs/crls via the different mechanisms, e.g.
X509_LOOKUP_meth_set_get_by_subject(),
X509_LOOKUP_meth_set_get_by_issuer_serial(),
X509_LOOKUP_meth_set_get_by_fingerprint(),
X509_LOOKUP_meth_set_get_by_alias().

Probably you can get away with just implementing the "get_by_subject"
function as a minimal set. The X509_LOOKUP_METHOD functions are
documented here:

https://www.openssl.org/docs/manmaster/man3/X509_LOOKUP_meth_new.html

Once you have a custom X509_LOOKUP_METHOD then you can add it to your
X509_STORE via X509_STORE_add_lookup():

https://www.openssl.org/docs/manmaster/man3/X509_STORE_add_lookup.html

To get the X509_STORE associated with your SSL_CTX you can use
SSL_CTX_get_cert_store():

https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_cert_store.html

Hope that helps.

Matt



Re: [openssl][uwp] SSL_CTX_load_verify_locations not working for UWP port

Richard Levitte - VMS Whacker-2
In reply to this post by Feng LI
On Fri, 05 Jun 2020 03:04:47 +0200,
Feng LI wrote:
> SSL_CTX_load_verify_locations is required for the UWP port to load a CA file since OpenSSL will not use
> the CA of the OS.
>
> But in the UWP build, stdio is disabled by default. However, SSL_CTX_load_verify_locations relies on
> the default X509_STORE file lookup functionality, which uses stdio (via BIO_s_file). That basically means
> no verification of peers and hosts is possible with OpenSSL on the UWP port.
>
> Is there a way to fix this, or is there a workaround for UWP?

It should be enough to use BIO_s_fd() instead of BIO_s_file() (it
takes a bit more than a mere change of function name; OpenSSL's file
descriptor isn't quite designed for use with files, unfortunately).

That is, with the assumption that POSIX file descriptors can be used
at all with UWP... otherwise, someone will have to come up with a BIO
method that supports whatever file API UWP supports.

Cheers,
Richard

--
Richard Levitte         [hidden email]
OpenSSL Project         http://www.openssl.org/~levitte/