Jean-Marc Desperrier wrote:
> 
> I have some code that I could use to verify certificates, and that's not
> able to do it anymore when compiled with 0.9.6
> 
> I traced this to the following line (330) in the file by_dir.c
> This line has been changed from 0.9.5 to 0.9.6.
> I think the last argument in the call to sk_X509_OBJECT_value should be
> j instead of i.
> The check works for me again with the following change.
> 
>   CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE);
>  j = sk_X509_OBJECT_find(xl->store_ctx->objs,&stmp);
> -  if(j != -1) tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,i);
> +  if(j != -1) tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,j);
>   else tmp = NULL;
>   CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE);
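Review bot: the index change at the sk_X509_OBJECT_value call is the right fix: j holds the position returned by sk_X509_OBJECT_find on the line above, while i is unrelated to that lookup, so the old code handed back whatever object sat at position i (or NULL when i was out of range) instead of the matching one, which is why the lookup-based verification stopped working. Both the find and the value read happen under CRYPTO_LOCK_X509_STORE, so j stays valid between the two calls. Since "openssl verify" and the test suite never use the object returned here, it would be worth adding a regression test that drives X509_verify_cert against a hash-dir store so the X509_LOOKUP path itself is exercised.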
> 

Urgh, yes that is a bug.

> What I don't get is why this bug does not appear when using "openssl
> -verify" or in the tests ?
> 

This is because it uses a different technique for looking up multiple
matches in the store. It uses the normal lookup to prime the cache then
searches through the cache itself, as such the returned certificate from
the X509_LOOKUP_*() code isn't used.

> I make the verification using a call to X509_verify_cert.
> When the call returns, there are some errors left in the error stack from
> a call to check_issued to check if the cert is self-signed or not.
> Is this a normal behaviour ?
> 

That shouldn't happen unless you set the X509_V_FLAG_CB_ISSUER_CHECK
flag. What specific error are you getting?

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
