On Tue, Feb 18, 2014 at 5:00 PM, Dr Stephen Henson <shen...@opensslfoundation.com> wrote:
> On 18/02/2014 20:06, Jeff Trawick wrote:
> > On Mon, Feb 3, 2014 at 6:21 AM, Dr Stephen Henson <shen...@opensslfoundation.com <mailto:shen...@opensslfoundation.com>> wrote:
> >
> > > On 02/02/2014 13:45, Kaspar Brand wrote:
> > > > On 01.02.2014 14:37, Dr Stephen Henson wrote:
> > > > > I'm wondering how that could be avoided. Would a way to enumerate all
> > > > > certificates in an SSL_CTX structure in OpenSSL help? Something like
> > > > > SSL_CTX_get0_first_certificate() and SSL_CTX_get0_next_certificate(). That would
> > > > > also set the current certificate at the same time in case applications wanted to
> > > > > inspect the private key or chain.
> > > >
> > > > Yes, this sounds like a useful extension - not only for the issue at
> > > > hand (i.e. SSL_CONF and stapling initialisation), but as a general
> > > > mechanism for retrieving all certificates of an SSL_CTX.
> > > >
> > >
> > > Added now. The API is slightly different, but easy enough to use.
> > >
> > > To iterate over all certificates in an SSL_CTX something like this will do the
> > > trick:
> > >
> > > X509 *x;
> > > int rv;
> > > rv = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST);
> > > while (rv)
> > >     {
> > >     x = SSL_CTX_get0_certificate(ctx);
> > >     rv = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_NEXT);
> > >     }
> > >
> > > Steve.
> >
> > Is the leaf certificate always first? (And/or maybe it is up to how the admin
> > configures it and it only works if the leaf is first?)
> >
> > The APIs work this way with the OpenSSL 1.0.2 branch now?
> >
> > TIA!
> >
> An SSL_CTX can have multiple server certificates associated with it
> and the one used depends on the ciphersuite negotiated by the client.

Thanks, I had forgotten about that!

> The certificate you get from SSL_CTX_get0_certificate is the server certificate
> which will always be a leaf certificate. You need different APIs to get the rest
> of the chain (assuming one has been configured).

I think this is the trick...
+ rc = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST);
+ while (rc) {
+ x = SSL_CTX_get0_certificate(ctx);
+ if (x) {
+ chain = NULL;
+ SSL_CTX_get0_chain_certs(ctx, &chain);
+ if (chain) {
+ for (i = 0; i < sk_X509_num(chain); i++) {
+ X509 *x = sk_X509_value(chain, i);
+ /* do something */
+ }
+ }
+ }
+ rc = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_NEXT);
+ }

I'm working on Certificate Transparency support for httpd; as part of submitting server certs with any necessary intermediate certs to CT logs I wanted to extract them straight from the SSL_CTX so that it didn't matter how exactly they got there/were configured.

Thanks again...

> Steve.
> --
> Dr Stephen Henson. OpenSSL Software Foundation, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD 21710
> +1 877-673-6775
> shen...@opensslfoundation.com

--
Born in Roswell... married an alien...
http://emptyhammock.com/
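Review bot: in the chain loop of the pasted fragment, `X509 *x = sk_X509_value(chain, i);` redeclares `x` and shadows the leaf certificate fetched just above with `x = SSL_CTX_get0_certificate(ctx);`, so the server certificate is unreachable inside the loop body, which is exactly where a CT submission needs the leaf together with its intermediates. Give the chain element a distinct name, e.g. `X509 *ix = sk_X509_value(chain, i);`, and handle the leaf `x` as well, since as written only the chain entries ever reach the `/* do something */` placeholder and a server certificate configured without any intermediates would be skipped entirely.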