[Pkg-openssl-devel] Bug#829272: Missing accessors
Mattias Ellert via RT
rt at openssl.org
Mon Jul 11 13:08:32 UTC 2016
fre 2016-07-08 klockan 06:08 +0000 skrev Richard Levitte via RT:
> On Thu Jul 07 21:29:09 2016, levitte wrote:
> > On Sat Jul 02 10:59:38 2016, kurt at roeckx.be wrote:
> > > /* Add to include/openssl/x509_vfy.h : */
> > >
> > > typedef int (*X509_STORE_CTX_get_issuer)(X509 **issuer,
> > > X509_STORE_CTX
> > > *ctx, X509 *x);
> > > typedef int (*X509_STORE_CTX_check_issued)(X509_STORE_CTX *ctx,
> > > X509
> > > *x, X509 *issuer);
> > >
> > > void X509_STORE_CTX_set_get_issuer(X509_STORE_CTX *ctx,
> > > X509_STORE_CTX_get_issuer
> > > get_issuer);
> > > X509_STORE_CTX_get_issuer
> > > X509_STORE_CTX_get_get_issuer(X509_STORE_CTX
> > > *ctx);
> > > void X509_STORE_CTX_set_check_issued(X509_STORE_CTX *ctx,
> > > X509_STORE_CTX_check_issued
> > > check_issued);
> > > X509_STORE_CTX_check_issued
> > > X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx);
> >
> > For this part, https://github.com/openssl/openssl/pull/1294
>
> So, looking at this again after some sleep, there's a part of this
> solution
> that I'm unsure of, and it all comes back to X509_STORE_CTX_init(),
> where the
> X509_STORE context gets initialised from the X509_STORE, including
> all the
> function pointers. This has me wonder if the X509_STORE_CTX setters
> should
> really be made available (perhaps with the exception of the verify
> and
> verify_cb ones). Doesn't it make more sense to set those function
> pointers when
> creating the X509_STORE itself? Why would those functions need to be
> changed in
> the context?
>
> Cheers,
> Richard
>
> --
> Richard Levitte
> levitte at openssl.org
>
Looking at the various places in the code where get_issuer
and check_issued are accessed, they mostly use the context rather than
the store. Here are the places I have found:
https://sources.debian.net/src/nordugrid-arc/5.1.2-1/src/hed/libs/credential/CertUtil.cpp/#L71
https://sources.debian.net/src/canl-c/2.1.6-2/src/proxy/sslutils.c/#L1581
https://sources.debian.net/src/voms/2.0.13-1/src/sslutils/sslutils.c/#L1588
https://sources.debian.net/src/globus-gsi-callback/5.8-2/library/globus_gsi_callback.c/#L367
https://sources.debian.net/src/globus-gsi-callback/5.8-2/library/globus_gsi_callback.c/#L1059
https://sources.debian.net/src/globus-gsi-credential/7.9-2/library/globus_gsi_cred_handle.c/#L1997
And the following one actually uses the store and not the context:
https://sources.debian.net/src/globus-gssapi-gsi/12.1-1/library/globus_i_gsi_gss_utils.c/#L448
Mattias
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602
Please log in as guest with password guest if prompted
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5032 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-openssl-devel/attachments/20160711/c275eb5a/attachment-0001.bin>
More information about the Pkg-openssl-devel
mailing list