[Pkg-openssl-devel] Bug#829272: Missing accessors

Richard Levitte via RT rt at openssl.org
Mon Jul 25 14:28:04 UTC 2016


On Mon Jul 25 12:39:43 2016, msalle at nikhef.nl wrote:
> Hi Richard,
>
> On Mon, Jul 25, 2016 at 11:46:50AM +0000, Richard Levitte via RT wrote:
> > Is that code to cope with pathlen checking bugs? That's what it looks
> > like to me. In that case, it might no longer be needed with OpenSSL 1.1,
> > along with some other stuff (the subject checking stuff comes to mind).
> > Quite frankly, I think the grid source needs a good and hard look over;
> > quite a bit of it shouldn't be needed any more. The exception is
> > recognising pre-3820 proxy certs.
> Yes it is, and although it's true that it's probably not needed for
> RFC3820 proxy certs (although I haven't checked that), we will need
> to be able to verify GT3 proxies and we will need to be able to do the
> whole chain verification there with the callback...

Why do you need to do that? That sounds like you're duplicating what's already
being done, for reasons I cannot fathom.

BUT... I'm realising that when you do recognise a GT3 proxy (I think I've seen
check_issued functions being used for that), there's no way for external code
to set the proxy path length for the certificate in question. While that's fine
for GT2 proxies (there's no pc path length there that I can see), it does need
to be properly set for GT3 proxies.

For the rest, though, I don't quite see why you'd need to check that path
length *again* in the verification callback. The verification callback is meant
to be used for the certificate currently being checked, and should return 0
or 1, depending on whether you want the current certificate to verify or to fail.
That's it.

The remaining thing to check, as far as I understand, is proxy policy. The
X509_STORE_CTX ex_data is the place to accumulate data in, to make sure policy
continues to be valid throughout the verification process.

What, in all this, am I missing?

>
> Mischa
>
> > > Jan Just also sets the current_issuer in his grid-proxy-verify.c,
> > > http://www.nikhef.nl/~janjust/proxy-verify/ line 346, but I'm not
> > > sure that's necessary.
> >
> > > Mischa
> > >
> > > >
> > > > Those functions are already present in pre-1.1 OpenSSL (at least
> > > > in the 1.0.2 series)
> > > >
> > > > On Fri Jul 22 15:51:16 2016, msalle at nikhef.nl wrote:
> > > > > Hi,
> > > > >
> > > > > unless I didn't look carefully enough, I think we might still be
> > > > > missing the current_cert (and current_issuer) from the
> > > > > X509_STORE_CTX, as advertised in
> > > > > https://github.com/openssl/openssl/blob/master/doc/HOWTO/proxy_certificates.txt#L204
> > > > > and used in e.g.
> > > > > https://github.com/italiangrid/voms/blob/master/src/sslutils/sslutils.c
> > > > > and many other places for verifying the proxy chain, or is there
> > > > > a better/other solution for that?
> > > > >
> > > > > Best wishes,
> > > > > Mischa
> > > > >
> > > > > On Fri, Jul 22, 2016 at 03:26:26PM +0000, Richard Levitte via RT
> > > > > wrote:
> > > > > > In addition to github PR 1294, there's now also PR 1339 which
> > > > > > adds the function to set the EXFLAG_PROXY flag on a given
> > > > > > certificate.
> > > > > >
> > > > > > Also, PR 1295 has been updated. Instead of a function that
> > > > > > returns a lock, there is now a lock and an unlock function.
> > > > > >
> > > > > > To me, it seems that that covers what's being asked for. Perhaps
> > > > > > not exactly (the setters are for X509_STORE only), but it should
> > > > > > be workable.
> > > > > >
> > > > > > (writing this from my mobile, sorry for the lack of github
> > > > > > links)
> > > > > >
> > > > > > --
> > > > > > Richard Levitte
> > > > > > levitte at openssl.org
> > > > > > --
> > > > > > Ticket here:
> > > > > > http://rt.openssl.org/Ticket/Display.html?id=4602
> > > > > > Please log in as guest with password guest if prompted
> > > > > >
> > > > > > --
> > > > > > To unsubscribe, send mail to 829272-unsubscribe at bugs.debian.org.


--
Richard Levitte
levitte at openssl.org

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602
Please log in as guest with password guest if prompted