[Pkg-openssl-devel] Bug#829272: [openssl.org #4602] Missing accessors

Mischa Salle msalle at nikhef.nl
Mon Jul 25 11:31:56 UTC 2016


On Sat, Jul 23, 2016 at 09:44:18AM +0000, Richard Levitte via RT wrote:
> To get current_cert, it's X509_STORE_CTX_get_current_cert().
> To get current_issuer, it's X509_STORE_CTX_get0_current_issuer()

Hi Richard,

yes, those I know, but the problem is the *setting* of the failing cert.
Since we need to walk the whole chain for the proxy pathlength
verification, we need to be able to indicate which cert is failing. See
e.g.
https://github.com/globus/globus-toolkit/blob/globus_6_branch/gsi/callback/source/library/globus_gsi_callback.c#L1691
and further, in particular line 1731.
VOMS is basically using the same code
https://github.com/italiangrid/voms/blob/master/src/sslutils/sslutils.c#L2236
and further, in particular line 2255.

Jan Just also sets the current_issuer in his grid-proxy-verify.c,
http://www.nikhef.nl/~janjust/proxy-verify/
line 346, but I'm not sure that's necessary.

    Mischa

> 
> Those functions are already present in pre-1.1 OpenSSL (at least in the 1.0.2
> series)
> 
> On Fri Jul 22 15:51:16 2016, msalle at nikhef.nl wrote:
> > Hi,
> >
> > unless I didn't look carefully enough I think we might still be missing
> > the current_cert (and current_issuer) from the X509_STORE_CTX, as
> > advertised in
> >
> https://github.com/openssl/openssl/blob/master/doc/HOWTO/proxy_certificates.txt#L204
> > and used in e.g.
> > https://github.com/italiangrid/voms/blob/master/src/sslutils/sslutils.c
> > and many other places for verifying the proxy chain or is there a
> > better/other solution for that?
> >
> > Best wishes,
> > Mischa
> >
> > On Fri, Jul 22, 2016 at 03:26:26PM +0000, Richard Levitte via RT
> > wrote:
> > > In addition to github PR 1294, there's now also PR 1339 which adds
> > > the function to set the EXFLAG_PROXY flag on a given certificate.
> > >
> > > Also, PR 1295 has been updated. Instead of a function that returns a
> > > lock, there is now a lock and an unlock function.
> > >
> > > To me, it seems that that covers what's being asked for. Perhaps not
> > > exactly (the setters are for X509_STORE only), but should be
> > > workable.
> > >
> > > (writing this from my mobile, sorry for the lack of github links)
> > >
> > > --
> > > Richard Levitte
> > > levitte at openssl.org
> > > --
> > > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602
> > > Please log in as guest with password guest if prompted
> > >
> > > --
> > > To unsubscribe, send mail to 829272-unsubscribe at bugs.debian.org.
> 
> 
> --
> Richard Levitte
> levitte at openssl.org
> 
> -- 
> Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602
> Please log in as guest with password guest if prompted
> 

-- 
Nikhef                      Room  H155
Science Park 105            Tel.  +31-20-592 5102
1098 XG Amsterdam           Fax   +31-20-592 5155
The Netherlands             Email msalle at nikhef.nl
  __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..
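The chain walk Mischa refers to, as an added example that is not code from this thread, Globus or VOMS: a plain-C model (no OpenSSL dependency) of the RFC 3820 proxy path-length check over an OpenSSL-ordered chain, reporting the depth of the cert that fails so a verify callback can point at it. The `chain_entry` struct, the result enum and both function names are constructed for this example; the OpenSSL setters named in the comment (`X509_STORE_CTX_set_current_cert`, `X509_STORE_CTX_set_error`) are the 1.1.0 API a real callback would call at that point.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model of an OpenSSL-ordered chain: index 0 is the leaf
 * (innermost proxy), the last index is the trust anchor. */
typedef struct {
    int is_proxy;  /* 1 if the cert carries a ProxyCertInfo extension */
    int pathlen;   /* pCPathLenConstraint, or -1 when absent (unlimited) */
} chain_entry;

enum { PROXY_CHAIN_OK = 0, PROXY_PATHLEN_EXCEEDED, PROXY_NON_PROXY_BELOW_PROXY };

/* Walk from the trust anchor down to the leaf enforcing the RFC 3820
 * pCPathLenConstraint rule. On failure *failing_depth is the depth of the
 * offending cert: the one a real verify callback hands to X509_STORE_CTX_set_current_cert()
 * (error code via X509_STORE_CTX_set_error()) so callers learn which cert failed. */
int proxy_pathlen_check(const chain_entry *chain, size_t n, int *failing_depth)
{
    int remaining = -1, seen_proxy = 0;   /* -1 = no constraint seen yet */
    *failing_depth = -1;
    for (size_t i = n; i-- > 0; ) {
        const chain_entry *c = &chain[i];
        if (c->is_proxy) {
            if (remaining == 0) {           /* issuer's constraint is exhausted */
                *failing_depth = (int)i;
                return PROXY_PATHLEN_EXCEEDED;
            }
            if (remaining > 0)
                remaining--;
            if (c->pathlen >= 0 && (remaining < 0 || c->pathlen < remaining))
                remaining = c->pathlen;     /* a constraint can only tighten */
            seen_proxy = 1;
        } else if (seen_proxy) {            /* only a proxy may hang off a proxy */
            *failing_depth = (int)i;
            return PROXY_NON_PROXY_BELOW_PROXY;
        }
    }
    return PROXY_CHAIN_OK;
}
/* Failing depth only, -1 when the chain is acceptable. */
int proxy_failing_depth(const chain_entry *chain, size_t n)
{
    int depth;
    proxy_pathlen_check(chain, n, &depth);
    return depth;
}
int main(void)
{   /* Constructed chain: two proxies below a proxy whose pCPathLenConstraint is 1. */
    const chain_entry chain[] = { {1, -1}, {1, -1}, {1, 1}, {0, -1}, {0, -1} };
    printf("failing depth: %d\n", proxy_failing_depth(chain, 5));  /* prints 0 */
    return 0;
}
```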