I've implemented my own X509_STORE lookup functions.
The problem I'm having is that the store contains cert A, which is being
returned when I look up cert B because they both have the same Common Name.
Is there a way to tell the store to look up via thumbprint rather than
Common Name?
I have
> On Sep 18, 2018, at 1:04 PM, Viktor Dukhovni
> wrote:
>
> That depends on whether setting the cert_store element was done properly (in
> a way
> that incremented the reference count) or not. See the documentation of:
>
> SSL_CTX_set1_cert_store(3)
> SSL_CTX_set_cert_store(3)
> On Sep 18, 2018, at 12:30 PM, Maxwell Dreytser wrote:
>
>> X509_STORE_free() decrements a reference count, and frees the object only
>> when the count reaches zero.
>>
> Was this behavior the same in older versions?
Yes.
> If so, then there is no reason to clear cert_store even in older
Hello,
I have some legacy code that I am updating for 1.1 and there they set
SSL_CTX::cert_store to NULL before `SSL_CTX_free`. Is this necessary
for the X509_STORE to be shared between contexts?
Note that this still has to be buildable on 1.0 with the same result.
In the docs it says
> On Aug 17, 2018, at 10:52 PM, Daurnimator wrote:
>
> I understand the current design; but I'm left wondering why it has an
> additional store member when VERIFY_PARAMS has the field there
> already.
> The design would seem to be much cleaner if all criteria for
> verification are taken from
On Fri, Aug 17, 2018 at 11:25:01PM +1000, Daurnimator wrote:
> > When looking into https://github.com/wahern/luaossl/issues/140 I was
> > surprised to learn that an SSL_CTX* (and SSL*) does not use many of
> > the X509_STORE members.
There are no plans to change the de
When looking into https://github.com/wahern/luaossl/issues/140 I was
surprised to learn that an SSL_CTX* (and SSL*) does not use many of
the X509_STORE members.
e.g. a store has an X509_VERIFY_PARAMS field; however, although an
SSL_CTX* has a related store, it ignores the store's params and uses
On 12/06/18 10:58, Stephan Mühlstrasser wrote:
> In OpenSSL 1.0.2 this was no problem as the "X509_STORE *store_ctx"
> member of the X509_LOOKUP structure was directly accessible. But in
> OpenSSL 1.1.0 the X509_LOOKUP structure is opaque, and as far as I can
> see th
KUP_METHOD structure is
overridden:
int (*ctrl) (X509_LOOKUP *ctx, int cmd, const char *argc, long argl, char **ret);
For this approach it is necessary to retrieve the X509_STORE context
pointer from a X509_LOOKUP pointer passed to the function called via the
X509_LOOKUP.ctr
Hi,
We have an embedded device which will be loaded with a public key for
validating data signatures. We identify this key by means of its SHA-1
fingerprint; to do this we have implemented a custom X509_LOOKUP_METHOD.
The lookup, performed via X509_LOOKUP_by_fingerprint works great, that is
in a
single X509_STORE. Basically, when a certificate is received from a
client, I create a new X509_STORE_CTX, initialize it with a single (say,
global) X509_STORE, and feed a worker thread with a checking routine
which calls X509_verify_cert.
The question is, does this kind of thread-sharing
Objects are copied and ref-counted when an SSL is created from an SSL_CTX...
To me this seems only half-true. In SSL_new() we see that only the own certificate/key gets duplicated with ssl_cert_dup(ctx->cert); as for the trusted stuff in X509_STORE, only the pointer is copied.
Inside
Is it safe to have a thread reload trusted certificates and crls into a
SSL_CTX's X509_STORE while connections are running in other threads,
especially when considering renegotiations?
As a general rule, multi-thread simultaneous access doesn't work and will often
make things go ka-boom
The idea would be to replace the instance of X509_STORE with a new one or is there a better way
OK, I have a crash in CMS_verify that suggests I'm not
setting up the store of CAs properly, or I may have made
an error setting up the CA. What should I be looking at
with this error?
(gdb) bt
#0 0x77909b6c in X509_STORE_get_by_subject ()
an associated aux
field of OpenSSL-added data including (optionally?) some trust settings.
There are too many twisty passages for me to track down exactly what values
can be in here, and what if any does what you want.
Hi,
X509_STORE_add_cert() adds a certificate to the trusted store. Is there a
function to remove this added certificate from the store? Can anybody
respond, please.
Thank-you,
Sri
2. The data in an X509_STORE is just a STACK_OF(X509_OBJECT). I don't see
any official API, but you could just grab x->objs and sk_*_delete from it.
You probably need to do a downref/free to avoid a leak, and to do locking
if your program(s) will or might use this while multithreading.
3. If you want
Hi,
X509_STORE_add_cert() would add a certificate to the list of trusted
certificates in the ctx. What is the way to remove a certificate from this
trusted store? I am not finding any function to remove the certificate. Can
any one of you suggest a way to remove the certificate from this trusted
. Stephen Henson st...@openssl.org
Hi,
I want to copy an x509_store variable into another one which has the same
type (x509_store).
Is there a method like (memcpy in C++) which can copy from x509_store to
x509_store? Or, how can we define the size of the struct x509_store to use
the function memcpy(x509_store * x, x509_store * y
Hi,
I want to copy an x509_store variable into another one which has the same
type (x509_store).
Is there a method like (memcpy in C++) which copies from x509_store to
x509_store?
Thanks.
--
Kind regards
Fatma
Hi,
What is the function to use to clear any error in X509_STORE_CTX
Thanks,
Arun
Can I reuse an X509_STORE for multiple SSL connections, cert verifications,
etc., or should I create a fresh one for each operation? If I reuse it, will it
continue to grow as it pulls in more certificates?
--
Chris Bare
ch...@bareflix.com
prompt = no\n";
print TMP "\n";
print TMP "[ req_distinguished_name ]\n";
print TMP "CN = ARAN CA\n";
print TMP "\n";
close TMP;
}
best regards
Date: Tue, 24 Feb 2009 08:34:54 +0100
Subject: Re: what it is X509_STORE ?
From: toondel...@gmail.com
To: openssl-users@openssl.org
hello
I am trying to create an X509 certificate for a CA and certificates signed by the CA,
and I want to check (verify) them. Can somebody tell me what X509_STORE is?
thanks.
It is a certificate memory store where you should put your
certificates (CA, root, etc.) of your trusted path that are needed by
your application for signature verification. This is also the place
you will put your CRL.
Have a look at the X509_STORE_xxx and X509_load_xxx functions. You
might also
_issuer_name to cause segmentation fault as
well.
Other comments:
- Use SSL_CTX_get_cert_store(ctx) to get the X509_STORE from SSL_CTX
instead.
- X509_name_oneline is discouraged, according to the documentation.
This is a minor thing though...
--- Kah
2008/6/13 BRACHET
Hi,
I am using gSOAP, which uses OpenSSL.
I establish a connection to a server using TLS, and I wanted to get the name
of the server certificate.
I can access an X509_STORE through ctx->cert_store.
But I don't find how to get the server certificate.
I found the X509_STORE_CTX_get_current_cert(store
Hello,
I'd like to know the difference between X509_STORE (X509_STORE_new) and
STACK_OF(X509) (sk_X509_new).
What kind of additional information does an X509_STORE contain?
Thank you very much in advance.
On 2008.04.04 at 15:53:33 +0200, roberto calosino wrote:
A stack is a generic data structure. There are stacks
On Tue, Feb 19, 2008, Anri Lau wrote:
Hello
I am sorry, I am not very clear; I did not find the c_rehash script.
Could I use the interface X509_STORE_load_locations() also?
Thank you!
Any function that gives a certificate directory also works for CRLs.
The c_rehash utility is in the tools
the CRL directory for the X509 store.
Does OpenSSL support this feature?
Now I can set the CRL file on the X509_store and it works well.
CRLs can be in the same directory as certificates. The link format is
however
different. The c_rehash script produces correct links for both
certificates
?
Another question: if I have set the CRL check flag for the X509_Store,
SSL_accept and SSL_connect will call c_rehash to find the CRL files in
the folders and do the validation.
Am I correct?
When I create the cert and CRL using a config file created by myself, and if
I use the CRL interface, should
On Tue, Feb 19, 2008, Anri Lau wrote:
Hello All
I still get an error "could not find the crl"; the error number is 3. Is my CRL
not enough? The error depth is 1.
Do you mean in the CRL folder the CRL files' names should be hash.n? The
hash is the hash of the file (what hash algorithm for this) and
Hello all
Who can tell me how I should set the CRL directory for the X509 store?
Does OpenSSL support this feature?
Now I can set the CRL file on the X509_store and it works well.
--
Best regards to you and your family
), but the attached
program gives rather unexpected results when run against the attached
certificates: when I use that function, it says
that InvalidEESignatureTest3EE.crt is signed by GoodCACert.crt when in
fact it is not. On the other hand, when I try to validate the certificate
against an X509_STORE
In the doc of SSL_CTX_set_cert_store I only found the hint that the docs
of the X509_STORE object are not ready. But I will connect my own to
OpenSSL. When will the docs of the X509_STORE object be ready, so that I
can continue my library?
Thanks
Frank
The X509_STORE time attribute is not propagated to X509_STORE_CTX.
If you call the X509_STORE_set_time method on a X509_STORE, the
appropriate flag is set in the params flag attribute and the time
attribute is also set. However, when a X509_STORE_CTX structure is
initialized from the same
Dear List,
I've tried to send this message a few times, and I don't think it's gone
through...
here's my problem. I've got an X509_STORE against which I am verifying some
digital signatures. I'm using a dynamic engine to perform said verifications.
During the verification process, some keys
Hi,
We already have some leaks in our application.
I found out that for STACK_OF(X509) there are two cleanup functions:
sk_X509_free to free only the 'stackframe', and sk_X509_pop_free for
freeing the whole stack.
Is there something for X509_STORE, too? X509_STORE_free seems not to
free
Hello,
I wanted to ask if there is OpenSSL functionality to duplicate
X509_STORE_CTX / X509_STORE (I am using OpenSSL 0.9.7d)? I have looked and
haven't found functions to perform this; do I need to do this myself? I need to
duplicate these objects because I want different threads
Hello,
I have an application with a simple init code :
SSL_CTX *ctx;
X509_STORE *store;
X509_LOOKUP *lookup;
(...)
store = SSL_CTX_get_cert_store(ctx);
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
X509_LOOKUP_add_dir
together
with the chain?
Can I put the certificates in store and stack independently as above?
Thank you very much
wjw
- Original Message -
From: Dr. Stephen Henson
To: [EMAIL PROTECTED]
Sent: Saturday, June 14, 2003 4:02 AM
Subject: Re: about the X509_STORE
Hi, Steve,
Thanks for your answer.
But if by default I have to prepare the whole
certificate chain in the X509_STORE, what is the difference between X509_STORE
and STACK_OF(X509) in the OCSP case? The certificates in the STORE still need to be
verified when verifying the certificate
the trusted certificate(s) in the X509_STORE, do I need
to insert the root CA or upper-level CA of the trusted certificate into the
STORE?
Can I just input the trusted certificate into the STORE (this trusted
certificate is not a root CA)?
In the default case you need any certificate
Hi, all
I can add a trusted certificate into X509_STORE by
X509_STORE_add_cert().
But which function can I use to delete/cancel a certificate from the
X509_STORE?
Thanks
wjw
- Original Message -
From: Dr. Stephen Henson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 31, 2003 7:52 PM
Subject: Re: X509_STORE and X509_verify performance
Well, in the short term some kind of evil hack will be needed by an
application. This would involve messing around with the internals of the
X509_STORE, and normally you shouldn't go near those. However, in this case
you haven't got any choice.
In outline you'd create an X509_OBJECT for each
);
int add_ext(X509 *cert, int nid, char *value);
int main(int argc, char **argv)
{
    int i;
    BIO *bio_err;
    RSA *rsa;
    X509 *certs[NUM_CERTS];
    EVP_PKEY *pkey = NULL;
    X509_STORE *st;
    bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
    pkey
I generated 1000 test self-signed CA certs, and wrote
a small program to add them all to an X509_STORE in
preparation for verifying a certificate.. But this operation
took a LONG, LONG time. Even adding 500 certs took
approx. 30 seconds! It appeared to go real fast for
the first 100 certs
this X509_STORE to
look up the certificates it needed, for instance if the signing certificates
were omitted in the PKCS7 file.
However, the 'store' parameter in the call to PKCS7_verify is not used to
look up peer certificates, only to find certificates during chain
verification. It seems that one should use