On 2009.06.04 at 21:31:19 -0400, David Michael wrote:

> Hi,
> 
>   A certain daemon I am building requires root certificates to have
> hash links in order to find them.  My target OS provides a multi-cert
> PEM with just about every common root cert out there, so I prefer to
> have the hash links pointing directly at this.
> 
>   The rehash scripts will only link the PEM to the hash value of the
> first cert in it.  I have implemented the ability to handle multi-cert
> hash links in scripts for the time being, but I would like to see it
> upstream so there is one less patch/script people would have to use to
> set up this project (and others, I'm sure).
> 
>   If this change could be accepted into the project, I can write the
> code myself in C, Perl, shell, or anything else if need be.  Attached
> is a quick patch to the Perl c_rehash script to show what
> functionality I am requesting.

I think you are missing something with this idea.

OpenSSL now provides two X509_LOOKUP_METHODs - lookup_file and
lookup_hashed_dir. The first one requires a big multi-cert file with
concatenated PEM certificates - exactly what your OS provides, I suppose.

The second requires a hashed dir with individual certs and CRLs, one per file.

And it is done for good reason:

If you use the lookup_file method, it loads the entire file into memory.
And this file can be quite big if you use CRL checks and have big
public CAs in your trusted certificate set - a big public CA can have
multi-megabyte CRLs.

If you use the lookup_dir method, OpenSSL would load only certificates and
CRLs when needed, one at a time, and thus potentially save you much
space.

Allowing a multi-certificate file to be put into a hashed dir would defeat
the benefits of the lookup_dir method. Although it would work.

It is better to fix your daemon so it allows both files and hashed
directories as the trusted certificate store.

It should be simple - both SSL_CTX_load_verify_locations (which should
be used for SSL peer certificate validation) and
X509_STORE_load_locations (which should be used for S/MIME, timestamping
and other non-SSL uses) accept two arguments - the name of a file and the
name of a directory.

If your daemon uses the default cert store location, then the corresponding
X509_STORE_set_default_paths function supports file and dir too.
In this case you probably do not need to change code. You just have to
either set the environment variable SSL_CERT_FILE pointing to your multi-cert
file, or make a symlink named cert.pem in your OPENSSLDIR pointing to this
file (run openssl version -d to determine where your OPENSSLDIR is).

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
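An added example (my own shell script, not code from the thread or from OpenSSL's c_rehash) of the per-file layout the hashed-dir lookup expects: it splits a multi-cert bundle into one certificate per file with c_rehash-style hash names, so every root in the bundle gets a hash link, then checks that a cert is found both via the flat file (lookup_file) and via the directory (lookup_hashed_dir). It assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not part of the thread: split a multi-cert PEM bundle into
# one certificate per file and name each file by its subject hash, so the
# hashed-dir lookup finds every root in the bundle rather than only the
# first. Assumes the openssl command-line tool is installed.
set -eu

# rehash_bundle BUNDLE DIR: write each cert in BUNDLE to DIR/<subject-hash>.<n>
rehash_bundle() {
    bundle=$1
    dir=$2
    mkdir -p "$dir"
    # Split on the PEM markers into numbered temporary files
    awk -v d="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/split-" n ".tmp" }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$bundle"
    for c in "$dir"/split-*.tmp; do
        [ -e "$c" ] || continue
        h=$(openssl x509 -in "$c" -noout -hash)
        i=0
        # Certs sharing a subject hash get .0, .1, ... just as c_rehash does
        while [ -e "$dir/$h.$i" ]; do i=$((i + 1)); done
        mv "$c" "$dir/$h.$i"
    done
}

# count_hashed DIR: number of hash-named entries (8 hex chars, dot, index)
count_hashed() {
    ls "$1" | grep -c '^[0-9a-f]\{8\}\.[0-9][0-9]*$'
}

# verify_both CERT BUNDLE DIR: CERT must verify against the flat file and
# against the hashed dir (openssl verify also consults the default store,
# which is why the test below uses freshly made, non-default roots)
verify_both() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 &&
    openssl verify -CApath "$3" "$1" >/dev/null 2>&1
}
```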
