X509_STORE lookup problem

2022-06-10 Thread Chris Bare
I've implemented my own X509_STORE lookup functions. The problem I'm having is that the store contains cert A, which is being returned when I look up cert B because they both have the same Common Name. Is there a way to tell the store to look up via thumbprint rather than Common Name? I have

Re: [openssl-users] OpenSSL 1.1 X509_STORE sharing

2018-09-18 Thread Viktor Dukhovni
> On Sep 18, 2018, at 1:04 PM, Viktor Dukhovni > wrote: > > That depends on whether setting the cert_store element was done properly (in > a way > that incremented the reference count) or not. See the documentation of: > > SSL_CTX_set1_cert_store(3) > SSL_CTX_set_cert_store(3)

Re: [openssl-users] OpenSSL 1.1 X509_STORE sharing

2018-09-18 Thread Viktor Dukhovni
> On Sep 18, 2018, at 12:30 PM, Maxwell Dreytser wrote: > >> X509_STORE_free() decrements a reference count, and frees the object only >> when the count reaches zero. >> > Was this behavior the same in older versions? Yes. > If so, then there is no reason to clear cert_store even in older

Re: [openssl-users] OpenSSL 1.1 X509_STORE sharing

2018-09-18 Thread Viktor Dukhovni
> On Sep 18, 2018, at 12:12 PM, ad...@mdtech.us wrote: > > I have some legacy code that I am updating for 1.1 and there they set > SSL_CTX::cert_store to NULL before `SSL_CTX_free`. Is this necessary for the > X509_STORE to be shared between contexts? > Note t

[openssl-users] OpenSSL 1.1 X509_STORE sharing

2018-09-18 Thread admin
Hello, I have some legacy code that I am updating for 1.1 and there they set SSL_CTX::cert_store to NULL before `SSL_CTX_free`. Is this necessary for the X509_STORE to be shared between contexts? Note that this still has to be buildable on 1.0 with the same result. In the docs it says

Re: [openssl-users] SSL_CTX ignores many X509_STORE fields and uses own fields

2018-08-17 Thread Viktor Dukhovni
> On Aug 17, 2018, at 10:52 PM, Daurnimator wrote: > > I understand the current design; but I'm left wondering why it has an > additional store member when VERIFY_PARAMS has the field there > already. > The design would seem to be much cleaner if all criteria for > verification are taken from

Re: [openssl-users] SSL_CTX ignores many X509_STORE fields and uses own fields

2018-08-17 Thread Daurnimator
On 18 August 2018 at 03:18, Viktor Dukhovni wrote: > On Fri, Aug 17, 2018 at 11:25:01PM +1000, Daurnimator wrote: > >> > When looking into https://github.com/wahern/luaossl/issues/140 I was >> > surprised to learn that an SSL_CTX* (and SSL*) does not use many of >

Re: [openssl-users] SSL_CTX ignores many X509_STORE fields and uses own fields

2018-08-17 Thread Viktor Dukhovni
On Fri, Aug 17, 2018 at 11:25:01PM +1000, Daurnimator wrote: > > When looking into https://github.com/wahern/luaossl/issues/140 I was > > surprised to learn that an SSL_CTX* (and SSL*) does not use many of > > the X509_STORE members. There are no plans to change the de

Re: [openssl-users] SSL_CTX ignores many X509_STORE fields and uses own fields

2018-08-17 Thread Daurnimator
On 12 July 2018 at 18:49, Daurnimator wrote: > When looking into https://github.com/wahern/luaossl/issues/140 I was > surprised to learn that an SSL_CTX* (and SSL*) does not use many of > the X509_STORE members. > > e.g. a store has a X509_VERIFY_PARAMS field, however although an

[openssl-users] SSL_CTX ignores many X509_STORE fields and uses own fields

2018-07-12 Thread Daurnimator
When looking into https://github.com/wahern/luaossl/issues/140 I was surprised to learn that an SSL_CTX* (and SSL*) does not use many of the X509_STORE members. e.g. a store has a X509_VERIFY_PARAMS field, however although an SSL_CTX* has a related store, it ignores the store's params and uses

Re: [openssl-users] OpenSSL 1.1.0: How to get X509_STORE from X509_LOOKUP?

2018-06-12 Thread Matt Caswell
On 12/06/18 10:58, Stephan Mühlstrasser wrote: > In OpenSSL 1.0.2 this was no problem as the "X509_STORE *store_ctx" > member of the X509_LOOKUP structure was directly accessible. But in > OpenSSL 1.1.0 the X509_LOOKUP structure is opaque, and as far as I can > see th

[openssl-users] OpenSSL 1.1.0: How to get X509_STORE from X509_LOOKUP?

2018-06-12 Thread Stephan Mühlstrasser
KUP_METHOD structure is overridden: int (*ctrl) (X509_LOOKUP *ctx, int cmd, const char *argc, long argl, char **ret); For this approach it is necessary to retrieve the X509_STORE context pointer from a X509_LOOKUP pointer passed to the function called via the X509_LOOKUP.ctr

Re: [openssl-users] Automatically populating X509_STORE object cache from directory

2017-11-13 Thread Jakob Bohm
On 13/11/2017 14:53, Steven Logan via openssl-users wrote: Hi, We have an embedded device which will be loaded with a public key for validating data signatures. We identify this key by means of its SHA-1 fingerprint; to do this we have implemented a custom X509_LOOKUP_METHOD. The lookup,

[openssl-users] Automatically populating X509_STORE object cache from directory

2017-11-13 Thread Steven Logan via openssl-users
Hi, We have an embedded device which will be loaded with a public key for validating data signatures. We identify this key by means of its SHA-1 fingerprint; to do this we have implemented a custom X509_LOOKUP_METHOD. The lookup, performed via X509_LOOKUP_by_fingerprint works great, that is

[openssl-users] Is it safe to share single X509_STORE between multiple threads for verifying certificate?

2016-11-01 Thread Oleg Andriyanov
in a single X509_STORE. Basically, when a certificate is received from a client, I create a new X509_STORE_CTX, initialize it with a single (say, global) X509_STORE, and feed a worker thread with a checking routine which calls X509_verify_cert. The question is, does this kind of thread-sharing

Re: [openssl-users] X509_STORE manipulations and thread-safety

2015-08-14 Thread hokusai
Objects are copied and ref-counted when an SSL is created from an SSL_CTX... To me this seems only half-true. In SSL_new() we see that only the own certificate/key gets duplicated with ssl_cert_dup(ctx->cert); as for the trusted stuff in X509_STORE, only the pointer is copied. Inside

Re: [openssl-users] X509_STORE manipulations and thread-safety

2015-08-12 Thread Salz, Rich
Is it safe to have a thread reload trusted certificates and crls into a SSL_CTX's X509_STORE while connections are running in other threads, especially when considering renegotiations? As a general rule, multi-thread simultaneous access doesn't work and will often make things go ka-boom

[openssl-users] X509_STORE manipulations and thread-safety

2015-08-12 Thread hokusai
Hello All, Is it safe to have a thread reload trusted certificates and CRLs into an SSL_CTX's X509_STORE while connections are running in other threads, especially when considering renegotiations? The idea would be to replace the instance of X509_STORE with a new one, or is there a better way

[openssl-users] X509_STORE crash in CMS_verify

2015-07-09 Thread Richard Welty
ok, i have a crash in CMS_verify that suggests i'm not setting up the store of CAs properly, or i may have made an error setting up the CA. what should i be looking at with this error? (gdb) bt #0 0x77909b6c in X509_STORE_get_by_subject ()

Re: How to remove certificate from X509_STORE?

2013-01-16 Thread Srivardhan Hebbar
an associated aux field of OpenSSL-added data including (optionally?) some trust settings. There are too many twisty passages for me to track down exactly what values can be in here, and what if any does what you want. 2. The data in an X509_STORE is just a STACK_OF(X509_OBJECT). I don't see any

Is there a function to remove cert from X509_Store.

2013-01-11 Thread Srivardhan Hebbar
Hi, X509_STORE_add_cert() adds certificate to the trusted store. Is there a function to remove this added certificate from this store? Can anybody respond pls. Thank-you, Sri

RE: How to remove certificate from X509_STORE?

2013-01-10 Thread Dave Thompson
. The data in an X509_STORE is just a STACK_OF(X509_OBJECT). I don't see any official API, but you could just grab x->objs and sk_*_delete from it. You probably need to do downref/free to avoid a leak, and to do locking if your program(s) will or might use this while multithreading. 3. If you want

Fwd: How to remove certificate from X509_STORE?

2013-01-09 Thread Srivardhan Hebbar
Hi, X509_STORE_add_cert() would add a certificate to the list of trusted certificates in the ctx. What is the way to remove a certificate from this trusted store? I am not finding any function to remove the certificate. Can anyone of you suggest a way to remove the certificate from this trusted

How to remove certificate from X509_STORE?

2013-01-04 Thread Srivardhan Hebbar
Hi, X509_STORE_add_cert() would add a certificate to the list of trusted certificates in the ctx. What is the way to remove a certificate from this trusted store? I am not finding any function to remove the certificate. Can anyone of you suggest a way to remove the certificate from this trusted

Re: Copy of an x509_store variable

2010-11-05 Thread fatma sarhan
. Stephen Henson st...@openssl.org On Thu, Nov 04, 2010, fatma sarhan wrote: Hi, I want to copy an x509_store variable into another one which has the same type (x509_store). Is there a method (like memcpy in c++) which can copy from x509_store to x509_store? Or, how can we define

Copy of an x509_store variable

2010-11-04 Thread fatma sarhan
Hi, I want to copy an x509_store variable into another one which has the same type (x509_store). Is there a method (like memcpy in c++) which can copy from x509_store to x509_store? Or, how can we define the size of the struct x509_store to use the function memcpy(x509_store * x, x509_store * y

Re: Copy of an x509_store variable

2010-11-04 Thread Tomas Neme
I want to copy an x509_store variable into another one which has the same type (x509_store). Is there a method (like memcpy in c++) which can copy from x509_store to x509_store? Or, how can we define the size of the struct x509_store to use the function memcpy(x509_store * x, x509_store * y

Re: Copy of an x509_store variable

2010-11-04 Thread Dr. Stephen Henson
On Thu, Nov 04, 2010, fatma sarhan wrote: Hi, I want to copy an x509_store variable into another one which has the same type (x509_store). Is there a method (like memcpy in c++) which can copy from x509_store to x509_store? Or, how can we define the size of the struct x509_store to use

Copy of an x509_store variable

2010-11-03 Thread fatma sarhan
Hi, I want to copy an x509_store variable into another one which has the same type (x509_store). Is there a method (like memcpy in c++) which copies from x509_store to x509_store? Thanks. -- Amicalement Fatma

X509_STORE function to clear error

2010-06-03 Thread Arunkumar Manickam
Hi, What is the function to use to clear any error in X509_STORE_CTX? Thanks, Arun

X509_STORE reuse

2010-04-06 Thread Chris Bare
Can I reuse an X509_STORE for multiple ssl connections, cert verifications etc, or should I create a fresh one for each operation? If I reuse it will it continue to grow as it pulls in more certificates? -- Chris Bare ch...@bareflix.com

RE: what it is X509_STORE ?

2009-02-24 Thread sarym binome
prompt = no\n; print TMP \n; print TMP [ req_distinguished_name ]\n; print TMP CN = ARAN CA\n; print TMP \n; close TMP; } best regards Date: Tue, 24 Feb 2009 08:34:54 +0100 Subject: Re: what it is X509_STORE ? From: toondel...@gmail.com To: openssl-users@openssl.org

Re: what it is X509_STORE ?

2009-02-24 Thread Kyle Hamilton
distinguished_name = req_distinguished_name\n;     print TMP prompt = no\n;     print TMP \n;     print TMP [ req_distinguished_name ]\n;     print TMP CN = ARAN CA\n;     print TMP \n;     close TMP; } best regards Date: Tue, 24 Feb 2009 08:34:54 +0100 Subject: Re: what it is X509_STORE

Re: what it is X509_STORE ?

2009-02-24 Thread Emmanuel Madile
\n;     print TMP prompt = no\n;     print TMP \n;     print TMP [ req_distinguished_name ]\n;     print TMP CN = ARAN CA\n;     print TMP \n;     close TMP; } best regards Date: Tue, 24 Feb 2009 08:34:54 +0100 Subject: Re: what it is X509_STORE ? From: toondel...@gmail.com

what it is X509_STORE ?

2009-02-23 Thread sarym binome
hello, i am trying to create an X509 certificate for a CA and certificates signed by the CA, and i want to check (verify) them. can somebody tell me what X509_STORE is? thanks.

Re: what it is X509_STORE ?

2009-02-23 Thread Emmanuel Madile
It is a certificate memory store where you should put your certificates (CA, root etc.) of your trusted path that are needed by your application for signature verification. This is also the place where you will put your CRL. Have a look at the X509_STORE_xxx and X509_load_xxx functions. You might also

Re: getting certificate from X509_STORE

2008-06-17 Thread BRACHET Maxime
_issuer_name to cause segmentation fault as well. Other comments: - Use SSL_CTX_get_cert_store(ctx) to get the X509_STORE from SSL_CTX instead. - X509_name_oneline is discouraged, according to the documentation. This is a minor thing though... --- Kah 2008/6/13 BRACHET

[openssl-users] getting certificate from X509_STORE

2008-06-13 Thread BRACHET Maxime
Hi, I am using gSOAP which uses openssl. I establish a connection to a server using TLS, and I wanted to get the Name of the Server certificate. I can access an X509_STORE through ctx->cert_store. But I don't find how to get the Server certificate. I found the X509_STORE_CTX_get_current_cert(store

X509_STORE STACK OF(X509)

2008-04-04 Thread roberto calosino
Hello, I'd like to know the difference between X509_STORE (X509_STORE_new) and STACK_OF(X509) (sk_X509_new). What kind of additional information does an X509_STORE contain? Thank you very much in advance.

Re: X509_STORE STACK OF(X509)

2008-04-04 Thread Victor B. Wagner
On 2008.04.04 at 15:53:33 +0200, roberto calosino wrote: Hello, I'd like to know the difference between X509_STORE (X509_STORE_new) and STACK_OF(X509) (sk_X509_new). What kind of additional information does an X509_STORE contain? A stack is a generic data structure. There are stacks

Re: How Set the CRL path for ssl connection or x509_store

2008-02-19 Thread Dr. Stephen Henson
On Tue, Feb 19, 2008, Anri Lau wrote: Hello, I am sorry i am not very clear. i did not find the c_rehash script. Could i use the interface X509_STORE_load_locations() also? Thank you! Any function that gives a certificate directory also works for CRLs. The c_rehash utility is in the tools

Re: How Set the CRL path for ssl connection or x509_store

2008-02-19 Thread Anri Lau
the crl directory for the x509 store. Does openssl support this feature? Now i can set the crl file in the X509_store and it works well. CRLs can be in the same directory as certificates. The link format is however different. The c_rehash script produces correct links for both certificates

Re: How Set the CRL path for ssl connection or x509_store

2008-02-19 Thread Anri Lau
? Another question: if I have set the CRL Check flag for the X509_Store, SSL_accept and SSL_connect will call c_rehash to find the CRL files in the folders and do the validation. Am i correct? When i create the cert and CRL using a config file created by myself, and if i use the CRL interface, should

Re: How Set the CRL path for ssl connection or x509_store

2008-02-19 Thread Dr. Stephen Henson
On Tue, Feb 19, 2008, Anri Lau wrote: Hello All, I still got an error: could not find the crl, error number is 3. Is my CRL not enough? The error depth is 1. do you mean in the CRL folder the CRL files' name should be hash.n? The hash is the hash of the file (what hash algorithm for this) and

How Set the CRL path for ssl connection or x509_store

2008-02-18 Thread Anri Lau
Hello all, Who can tell me how i should set the crl directory for the x509 store. Does openssl support this feature? Now i can set the crl file in the X509_store and it works well. -- Best regards to you and your family

Re: How Set the CRL path for ssl connection or x509_store

2008-02-18 Thread Dr. Stephen Henson
On Tue, Feb 19, 2008, Anri Lau wrote: Hello all, Who can tell me how i should set the crl directory for the x509 store. Does openssl support this feature? Now i can set the crl file in the X509_store and it works well. CRLs can be in the same directory as certificates. The link format

Validating certificates without creating an X509_STORE

2007-03-13 Thread William Lachance
), but the attached program gives rather unexpected results when run against the attached certificates: when I use that function, it says that InvalidEESignatureTest3EE.crt is signed by GoodCACert.crt when in fact it is not. On the other hand, when I try to validate the certificate against an X509_STORE

Description of the X509_STORE object

2006-10-24 Thread Frank Büttner
In the doc of SSL_CTX_set_cert_store I only found the hint that the doc of the X509_STORE object is not ready. But I want to connect my own to OpenSSL. When will the doc of the X509_STORE object be ready, so that I can continue my library? Thanks Frank

X509_STORE time not propagated to X509_STORE_CTX in PKCS7_verify

2006-05-03 Thread Daniel Granath
The X509_STORE time attribute is not propagated to X509_STORE_CTX. If you call the X509_STORE_set_time method on a X509_STORE, the appropriate flag is set in the params flag attribute and the time attribute is also set. However, when a X509_STORE_CTX structure is initialized from the same

Re: X509_STORE time not propagated to X509_STORE_CTX in PKCS7_verify

2006-05-03 Thread Dr. Stephen Henson
On Wed, May 03, 2006, Daniel Granath wrote: The X509_STORE time attribute is not propagated to X509_STORE_CTX. If you call the X509_STORE_set_time method on a X509_STORE, the appropriate flag is set in the params flag attribute and the time attribute is also set. However, when

Dumping cached keys in an X509_STORE

2006-05-02 Thread Christopher P. Masone
Dear List, I've tried to send this message a few times, and I don't think it's gone through... here's my problem. I've got an X509_STORE against which I am verifying some digital signatures. I'm using a dynamic engine to perform said verifications. During the verification process, some keys

X509_STORE time attribute is not propagated to X509_STORE_CTX

2006-04-23 Thread Daniel Granath
The X509_STORE time attribute is not propagated to X509_STORE_CTX. If you call the X509_STORE_set_time method on a X509_STORE, the appropriate flag is set in the params flag attribute and the time attribute is also set. However, when a X509_STORE_CTX structure is initialized from the same

X509_STORE

2006-02-02 Thread Steffen Lips
Hi, We already have some leaks in our application. I found out that for STACK_OF(X509) there are two cleanup functions: sk_X509_free to free only the 'stackframe', and sk_X509_pop_free for freeing the whole stack. Is there something for X509_STORE, too? X509_STORE_free seems not to free

Re: X509_STORE

2006-02-02 Thread Nils Larsch
Steffen Lips wrote: Hi, We already have some leaks in our application. I found out that for STACK_OF(X509) there are two cleanup functions: sk_X509_free to free only the 'stackframe', and sk_X509_pop_free for freeing the whole stack. Is there something for X509_STORE, too? X509_STORE_free

Duplicate X509_STORE_CTX / X509_STORE

2005-08-04 Thread Hagai Yaffe
Hello, I wanted to ask if there is openssl functionality to duplicate X509_STORE_CTX / X509_STORE (I am using openssl 0.9.7d)? I have looked and haven't found functions to perform this; do I need to do this myself? I need to duplicate these objects because I want different threads

update CRL does not update X509_STORE ?...

2005-05-12 Thread Thomas NOEL
Hello, I have an application with a simple init code : SSL_CTX *ctx; X509_STORE *store; X509_LOOKUP *lookup; (...) store = SSL_CTX_get_cert_store(ctx); lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir()); X509_LOOKUP_add_dir

Re: about the X509_STORE of OCSP

2003-07-14 Thread Wu Junwei
together with the chain? Can I put the certificates in store and stack independently as above? thank you very much wjw - Original Message - From: Dr. Stephen Henson To: [EMAIL PROTECTED] Sent: Saturday, June 14, 2003 4:02 AM Subject: Re: about the X509_STORE

Re: about the X509_STORE of OCSP

2003-06-15 Thread Wu Junwei
Hi, Steve, Thanks for your answer. But if by default I have to prepare the whole certificate chain in the X509_STORE, what is the difference between X509_STORE and STACK_OF(X509) in the OCSP case? The certificates in the STORE still need to be verified when verifying the certificate

Re: about the X509_STORE of OCSP

2003-06-13 Thread Dr. Stephen Henson
the trusted certificate(s) in the X509_STORE, do I need to insert the root CA or upper level CA of the trusted certificate into the STORE? Can I just input the trusted certificate into the STORE ( this trusted certificate is not root CA )? In the default case you need any certificate

how to delete/cancel certificate from X509_STORE?

2003-06-11 Thread Wu Junwei
Hi, all, I can add a trusted certificate into X509_STORE by X509_STORE_add_cert(). But with which function can I delete/cancel a certificate from the X509_STORE? Thanks wjw

Re: X509_STORE and X509_verify performance

2003-04-01 Thread Chris Jarshant
- Original Message - From: Dr. Stephen Henson [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, March 31, 2003 7:52 PM Subject: Re: X509_STORE and X509_verify performance On Mon, Mar 31, 2003, Chris Jarshant wrote: I generated 1000 test self-signed CA certs, and wrote a small

Re: X509_STORE and X509_verify performance

2003-04-01 Thread Chris Jarshant
Well in the short term some kind of evil hack will be needed by an application. This would involve messing around with the internals of the X509_STORE and normally you shouldn't go near those. However in this case you haven't got any choice. In outline you'd create an X509_OBJECT for each

Re: X509_STORE and X509_verify performance

2003-04-01 Thread Dr. Stephen Henson
); int add_ext(X509 *cert, int nid, char *value); int main(int argc, char **argv) { int i; BIO *bio_err; RSA *rsa; X509 *certs[NUM_CERTS]; EVP_PKEY *pkey=NULL; X509_STORE *st; bio_err=BIO_new_fp(stderr, BIO_NOCLOSE); pkey

X509_STORE and X509_verify performance

2003-03-31 Thread Chris Jarshant
I generated 1000 test self-signed CA certs, and wrote a small program to add them all to an X509_STORE in preparation for verifying a certificate.. But this operation took a LONG, LONG time. Even adding 500 certs took approx. 30 seconds! It appeared to go real fast for the first 100 certs

Re: X509_STORE and X509_verify performance

2003-03-31 Thread Chris Jarshant
PROTECTED] Sent: Monday, March 31, 2003 7:18 PM Subject: X509_STORE and X509_verify performance I generated 1000 test self-signed CA certs, and wrote a small program to add them all to an X509_STORE in preparation for verifying a certificate.. But this operation took

Re: X509_STORE and X509_verify performance

2003-03-31 Thread Dr. Stephen Henson
On Mon, Mar 31, 2003, Chris Jarshant wrote: I generated 1000 test self-signed CA certs, and wrote a small program to add them all to an X509_STORE in preparation for verifying a certificate.. But this operation took a LONG, LONG time. Even adding 500 certs took approx. 30 seconds

PKCS7_verify to use X509_STORE in addition to STACK_OF(X509)

2002-02-11 Thread Mats Nilsson
this X509_STORE to lookup the certificates it needed, for instance if the signing certificates were omitted in the PKCS7 file. However, the 'store' parameter in the call to PKCS7_verify is not used to lookup peer certificates, only to find certificates during chain verification. It seems that one should use