Roger.Boden> I store all accepted CA-certificates of peer certificates
Roger.Boden> in one file and use SSL_CTX_load_verify_locations to load
Roger.Boden> the certificate into my SSL_CTX. Mostly out of curiosity,
Roger.Boden> how is the path argument intended to be used?
As I understand it, OpenSSL will make a 32-bit hash (using
X509_NAME_hash()) from the certificate to verify, make that into a hex
string, append a period and then a number, and use the result as a file
name to look for in the CA path. Also, it will prepend a "r" before
the serial number and use that as a file name for a CRL entry for that
certificate. The result is cached, to be used in case the file is no
longer in the path.
The source where this happens is crypto/x509/by_dir.c
Ah, yeah, how to create those hash named files: there's c_rehash (in
tools, but IIRC it gets installed) which will take a series of
directories as arguments, and will create correctly named (with serial
number 0) soft links to all .pem files it can find in those
directories.
Roger.Boden> SSL_CTX_load_verify_locations returns true regardless of
Roger.Boden> whether any certs were loaded. How can I determine the
Roger.Boden> result of SSL_CTX_load_verify_locations()?
All that does is call X509_STORE_load_locations for you, using the
SSL_CTX store. What does that do? It will load whatever CAfile
you give it, and whatever CApath you give it. It will return 0 if
there was some memory allocation error, if the file given as CAfile didn't
exist, if the directory given as CApath was badly formatted (no, it
doesn't check for the existence of that directory) or if CAfile and
CApath were both NULL. In all other cases, 1 is returned.
Roger.Boden> I also want to access the loaded certs. They seem to be
Roger.Boden> stored in the X509_STORE* cert_store variable of the
Roger.Boden> SSL_CTX. How do I get hold of the X509 structs?
SSL_CTX_get_cert_store(ctx) ?
--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-161 43 BROMMA \ T: +46-8-26 52 47
\ SWEDEN \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: SSL_CTX_load_verify_locations and X509_STORE
Richard Levitte - VMS Whacker Thu, 20 Jan 2000 13:57:08 -0800
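The CApath layout described above (hash-named files, "r" prefix for CRLs, numbered suffixes for collisions) as an added example that is not part of the mail and is not OpenSSL's own c_rehash script. It assumes the `openssl` command-line tool is on PATH and lets it compute the hash (`openssl x509 -hash`, `openssl crl -hash`), so the value matches whatever X509_NAME_hash() the installed library uses (SHA-1 based since OpenSSL 1.0.0; the MD5-based value this 2000 mail describes is what `-subject_hash_old` prints today). The suffix bookkeeping is the part that is easy to get wrong, so it is a pure function of its own.

```python
"""Populate an OpenSSL CApath directory with hash-named symlinks the
way c_rehash (today: `openssl rehash`) does.

Added example, not code from the original mail and not OpenSSL's own
c_rehash. Assumes the `openssl` tool is on PATH. Certificates get
<hash>.<n> and CRLs get r<hash>.<n>, where n counts up per colliding hash.
"""
import os
import subprocess
import sys
from pathlib import Path

HEX = set("0123456789abcdef")


def next_free_name(existing, hash_hex, prefix=""):
    """Return '<prefix><hash>.<n>' for the smallest n not in `existing`.

    by_dir lookup tries <hash>.0, <hash>.1, ... until one is missing, so
    subjects whose names hash alike must get consecutive suffixes.
    """
    n = 0
    while f"{prefix}{hash_hex}.{n}" in existing:
        n += 1
    return f"{prefix}{hash_hex}.{n}"


def name_hash(path, kind):
    """Hash of a certificate's subject ('x509') or a CRL's issuer ('crl'),
    as printed by the openssl tool: 8 lowercase hex digits."""
    out = subprocess.run(
        ["openssl", kind, "-noout", "-hash", "-in", str(path)],
        check=True, capture_output=True, text=True,
    ).stdout.strip()
    if len(out) != 8 or set(out) - HEX:
        raise ValueError(f"unexpected hash output for {path}: {out!r}")
    return out


def classify(path):
    """'x509' for a PEM certificate, 'crl' for a PEM CRL, None otherwise."""
    text = path.read_text(errors="replace")
    if "-----BEGIN CERTIFICATE-----" in text:
        return "x509"
    if "-----BEGIN X509 CRL-----" in text:
        return "crl"
    return None


def rehash(capath):
    """Create hash-named symlinks for every PEM cert/CRL in capath.

    Returns {link_name: target_file}. Files that an existing hash link
    already points at are skipped, so re-running is idempotent.
    """
    capath = Path(capath)
    entries = list(capath.iterdir())
    existing = {p.name for p in entries}
    linked = {os.readlink(p) for p in entries if p.is_symlink()}
    created = {}
    for entry in sorted(entries):
        if entry.is_symlink() or not entry.is_file() or entry.name in linked:
            continue
        kind = classify(entry)
        if kind is None:
            continue
        prefix = "r" if kind == "crl" else ""
        link = next_free_name(existing, name_hash(entry, kind), prefix)
        os.symlink(entry.name, capath / link)  # relative target, as c_rehash does
        existing.add(link)
        created[link] = entry.name
    return created


if __name__ == "__main__":
    target_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    for link, target in rehash(target_dir).items():
        print(f"{link} -> {target}")
```

Run it as `python rehash.py /path/to/capath`; the directory it produces is what the CApath argument of SSL_CTX_load_verify_locations expects, and by_dir.c will open `<hash>.0`, then `<hash>.1`, and so on until a name is missing.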
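The return-value behaviour discussed above (success says nothing about how many certificates were read; a missing CAfile fails, a missing CApath directory does not) and the suggested answer, looking into the context's X509_STORE, as an added example that is not part of the mail. It uses Python's ssl module, whose SSLContext wraps an SSL_CTX: load_verify_locations() calls SSL_CTX_load_verify_locations(), and cert_store_stats() / get_ca_certs() read the store that SSL_CTX_get_cert_store() returns. The directory and file names are constructed for the demonstration.

```python
"""Find out what SSL_CTX_load_verify_locations actually loaded.

Added example, not from the original mail. The paths used are temporary
and constructed here; nothing real is read.
"""
import os
import ssl
import tempfile


def load_and_count(cafile=None, capath=None):
    """Load trust anchors and return how many certificates are now in the
    context's X509_STORE.

    A successful return from the OpenSSL call only means the arguments
    were accepted. Note that a CApath is consulted lazily, at lookup
    time, so its certificates never show up in this count; only CAfile
    contents are read eagerly.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Raises OSError when cafile does not exist; passing neither argument
    # raises TypeError, mirroring the "both NULL" failure in the mail.
    ctx.load_verify_locations(cafile=cafile, capath=capath)
    stats = ctx.cert_store_stats()  # {'x509': n, 'crl': n, 'x509_ca': n}
    return stats["x509"]


def demo():
    """Run the cases the mail discusses; results keyed by case."""
    results = {}
    with tempfile.TemporaryDirectory() as empty_dir:
        # Existing but empty directory: accepted, zero certificates.
        results["empty_capath"] = load_and_count(capath=empty_dir)
        # Directory that does not exist: also accepted (no existence check).
        missing_dir = os.path.join(empty_dir, "does-not-exist")
        results["missing_capath"] = load_and_count(capath=missing_dir)
        # File that does not exist: the call fails.
        missing_file = os.path.join(empty_dir, "no-such-cafile.pem")
        try:
            load_and_count(cafile=missing_file)
            results["missing_cafile"] = "accepted"
        except OSError:
            results["missing_cafile"] = "error"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The practical consequence: after loading a CAfile, compare the count against what you expect (or inspect `ctx.get_ca_certs()`), because a typo in the path to a CApath directory, or a file with the wrong contents, will not be reported by the return value alone.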