[Pkg-openssl-devel] Bug#829272: Missing accessors
Richard Levitte via RT
rt at openssl.org
Mon Jul 25 11:46:50 UTC 2016
On Mon Jul 25 11:32:17 2016, msalle at nikhef.nl wrote:
> On Sat, Jul 23, 2016 at 09:44:18AM +0000, Richard Levitte via RT
> wrote:
> > To get current_cert, it's X509_STORE_CTX_get_current_cert().
> > To get current_issuer, it's X509_STORE_CTX_get0_current_issuer()
>
> Hi Richard,
>
> yes, those I know, but the problem is the *setting* of the failing
> cert.
> Since we need to walk the whole chain for the proxy pathlength
> verification, we need to be able to indicate which cert is failing.
> See
> e.g.
> https://github.com/globus/globus-
>
toolkit/blob/globus_6_branch/gsi/callback/source/library/globus_gsi_callback.c#L1691
> and further, in particular line 1731.
> VOMS is basically using the same code
> https://github.com/italiangrid/voms/blob/master/src/sslutils/sslutils.c#L2236
> and further, in particular line 2255.
Is that code to cope with pathlen checking bugs? That's what it looks to me. In
that case, it might no longer be needed with OpenSSL 1.1, along with some other
stuff (the subject checking stuff comes to mind). Quite frankly, I think the
grid source needs a good and hard look over, quite a bit of it shouldn't be
needed any more. The exception is recognising pre-3820 proxy certs.
> Jan Just also sets the current_issuer in his grid-proxy-verify.c,
> http://www.nikhef.nl/~janjust/proxy-verify/
> line 346, but I'm not sure that's necessary.
> Mischa
>
> >
> > Those functions are already present in pre-1.1 OpenSSL (at least in
> > the 1.0.2
> > series)
> >
> > On Fri Jul 22 15:51:16 2016, msalle at nikhef.nl wrote:
> > > Hi,
> > >
> > > unless I didn't look careful enough I think we might still be
> > > missing
> > > the current_cert (and current_issuer) from the X509_STORE_CTX, as
> > > advertised in
> > >
> >
https://github.com/openssl/openssl/blob/master/doc/HOWTO/proxy_certificates.txt#L204
> > > and used in e.g.
> > > https://github.com/italiangrid/voms/blob/master/src/sslutils/sslutils.c
> > > and many other places for verifying the proxy chain or is there a
> > > better/other solution for that?
> > >
> > > Best wishes,
> > > Mischa
> > >
> > > On Fri, Jul 22, 2016 at 03:26:26PM +0000, Richard Levitte via RT
> > > wrote:
> > > > In addition to github PR 1294, there's now also PR 1339 which
> > > > adds
> > > > the function to set the EXFLAG_PROXY flag on a given certificate.
> > > >
> > > > Also, PR 1295 has been updated. Instead of a function that
> > > > returns a
> > > > lock, there is now a lock and an unlock function.
> > > >
> > > > To me, it seems that that covers what's being asked for. Perhaps
> > > > not
> > > > exactly (the setters are for X509_STORE only), but should be
> > > > workable.
> > > >
> > > > (writing this from my mobile, sorry for the lack of github links)
> > > >
> > > > --
> > > > Richard Levitte
> > > > levitte at openssl.org
> > > > --
> > > > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602
> > > > Please log in as guest with password guest if prompted
> > > >
> > > > --
> > > > To unsubscribe, send mail to 829272-unsubscribe at bugs.debian.org.
> >
> >
> > --
> > Richard Levitte
> > levitte at openssl.org
> >
> > --
> > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602
> > Please log in as guest with password guest if prompted
> >
--
Richard Levitte
levitte at openssl.org
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602
Please log in as guest with password guest if prompted
More information about the Pkg-openssl-devel
mailing list