Niklas Hallqvist wrote:
>
> Hi!
>
> A group over here is designing a new X509_LOOKUP method for getting
> certificates out of DNS, as a part of a bigger project which wants to
> encourage deployment of DNSSEC.
>
> All is well, we have working code already, if only the subject name by
> which we look up is built up according to RFC2247. However, as can be
> read in RFC2538, there are other preferred ways of looking
> certificates up, all looking at X509v3's subject alternative name
> extensions instead. The current OpenSSL API does not support lookup
> by the subjectAltName, so I would like to implement that. I can
> see two ways:
>
> * Just change the specification of X509_LOOKUP_by_subject to mean
> lookup by the subject name or by a subject alternative name. Which
> ones, and in which order to be tried, is chosen at the
> X509_LOOKUP_METHOD's discretion.
>
> * Provide a new function member in the X509_LOOKUP_METHOD that is
> named get_by_subjectAltName, or similar.
>
> What do you guys recommend? The former is the easiest one, as from
> what I can see, there is no official documentation or specification of
> this part of the API :-) I would rather go that way.
>
Well there are fundamental problems in the way X509_LOOKUP and
X509_STORE operate.
One of the worst problems is not being able to retrieve multiple
matching certificates for given criteria.
Another, as you've noticed, is not being able to handle lookups by
non-standard attributes without hacking the structure.
The standard X509_LOOKUPs only support lookup by subject name and the
directory method doesn't even work on platforms without symbolic links.
That's just the surface problems: once you start looking at the
X509_STORE internals things get much worse. There's one point where a
function expects to be able to find a certificate as an internal pointer
that will never need freeing up.
I only mentioned certificates above. There is partial support for CRLs
but it doesn't work properly and there's some private key stuff which
will bomb out if an attempt is made to use it.
It really wants completely ripping out and replacing with a proper
certificate database API. It's something I've been meaning to do for a
while but I've never found the time to do it completely. Things of
higher priority keep cropping up.
As for what to do... well you could try allowing access to it via 'ctrl'
for now, but whatever you do it may need to be redone if/when
X509_LOOKUP is finally blown away.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]