[openssl-users] Same dir with different type in X509_LOOKUP_hash_dir
Jan Burgmeier
jan.burgmeier at unicon-software.com
Mon Oct 1 12:43:11 UTC 2018
Performance-wise it would also be possible to use the type parameter as a
bit field. As 1 and 2 are the only used types at the moment this won't
break anything. Then the second type is only used if the first fails.
If a patch for this is wanted I can provide one.
The other way would be to convert all certificates to one type.
What is the preferred way to do this?
We are not interested in running a patched ssl.
Regards
Jan
On Sat, 2018-09-29 at 14:13 +0200, Richard Levitte wrote:
> Well, that will kinda sorta work, I think... what you're basically
> doing there, albeit not entirely clearly, is making the type a part of
> the directory index, not just its name. I haven't looked thoroughly
> enough to see if there are corner cases that will screw that up.
>
> That being said, you will see an increase in processing time. The
> type setting for a directory is applied to ALL hash-named files this
> code can find, so if you have two lookups, one with each file type
> setting, what will happen is that it will attempt through all the
> files, which will of course fail for those with the wrong format. You
> won't notice, because the loading errors are simply ignored and there
> will be success as soon as a file could be loaded and matches your
> lookup criterion.
>
> So in essence, that does look like a workable solution, but with bad
> optimization.
>
> Cheers,
> Richard
>
> In message <
> 2e5a9e53712a0e0138eee7d07d7145194286024a.camel at unicon-software.com>
> on Fri, 28 Sep 2018 13:11:25 +0200, Jan Burgmeier <
> jan.burgmeier at unicon-software.com> said:
>
> > Hi,
> >
> > during setup of my X509_STORE I use X509_LOOKUP_hash_dir with the same
> > dir but different types X509_FILETYPE_PEM and X509_FILETYPE_ASN1. But
> > only certificates of the first type are looked up.
> > I dug into the code and made a little change to fix my problem, see
> > attached patch. Is this behavior by design and am I doing anything
> > wrong, or is this a bug?
> >
> > Regards
> > Jan Burgmeier
> >
> > --- a/crypto/x509/by_dir.c
> > +++ b/crypto/x509/by_dir.c
> > @@ -217,7 +217,8 @@
> > continue;
> > for (j = 0; j < sk_BY_DIR_ENTRY_num(ctx->dirs); j++) {
> > ent = sk_BY_DIR_ENTRY_value(ctx->dirs, j);
> > - if (strlen(ent->dir) == (size_t)len &&
> > + if (type == ent->dir_type &&
> > + strlen(ent->dir) == (size_t)len &&
> > strncmp(ent->dir, ss, (unsigned int)len) == 0)
> > break;
> > }
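Review bot: the new `type == ent->dir_type` test makes the duplicate check match on (type, path) instead of path alone, which is what lets the same directory be registered twice, but nothing in the hunk addresses the cost that follows: with two entries for one path, every lookup walks the same hash-named files once per type, and the loads that fail on the wrong format are silently dropped rather than distinguished from a missing file. Suggest a one-line comment at the condition explaining that the type is now part of the entry's identity, a regression test with a single directory holding both PEM and DER hash links, and a matching note in the X509_LOOKUP_add_dir documentation so callers know a second add_dir with a different type creates a second entry rather than replacing the first.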
> >
> >
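The thread's second option, converting every file in the hash directory to one encoding so a single X509_LOOKUP_hash_dir type suffices, as an added example that is not code from the thread or from OpenSSL. It uses only the Python standard library: PEM is the base64 armor of the DER bytes, so the conversion below is the byte-level equivalent of `openssl x509 -inform DER -outform PEM` (and the reverse) without parsing the certificate. The sample DER blob in `self_check` is a constructed SEQUENCE that stands in for a certificate; file names follow OpenSSL's `<hash>.<n>` / `<hash>.r<n>` convention and are kept as they are, since the name does not encode the type.

```python
"""Normalize an OpenSSL hash directory so all hash-named files share one encoding."""
import base64
import os
import re
from typing import Optional

# OpenSSL hash-dir names: 8 hex digits, then ".<n>" for certs or ".r<n>" for CRLs.
HASH_NAME = re.compile(r"^[0-9a-f]{8}\.r?\d+$")
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def detect_type(data: bytes) -> Optional[str]:
    """Return "PEM", "DER", or None when the bytes are neither."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    # DER certificates and CRLs are a top-level SEQUENCE (tag 0x30).
    if data[:1] == b"\x30":
        return "DER"
    return None


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Armor DER bytes as a PEM block with 64-character base64 lines."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN %s-----\n%s\n-----END %s-----\n"
            % (label, "\n".join(lines), label)).encode("ascii")


def pem_to_der(pem: bytes) -> bytes:
    """Decode the first PEM block; raise ValueError if there is none."""
    m = PEM_BLOCK.search(pem.decode("ascii", errors="replace"))
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(2).split()))


def normalize_hash_dir(path: str, target: str = "PEM") -> dict:
    """Rewrite every hash-named file under path into the target encoding.

    Files that are not hash-named are ignored; files already in the target
    encoding or of unknown type are reported as skipped.  Returns a report
    suitable for audit logging: {"converted": [...], "skipped": [...]}.
    """
    if target not in ("PEM", "DER"):
        raise ValueError("target must be PEM or DER")
    report = {"converted": [], "skipped": []}
    for name in sorted(os.listdir(path)):
        if not HASH_NAME.match(name):
            continue
        full = os.path.join(path, name)
        with open(full, "rb") as f:
            data = f.read()
        kind = detect_type(data)
        if kind is None or kind == target:
            report["skipped"].append(name)
            continue
        label = "X509 CRL" if ".r" in name else "CERTIFICATE"
        out = der_to_pem(data, label) if target == "PEM" else pem_to_der(data)
        tmp = full + ".tmp"
        with open(tmp, "wb") as f:
            f.write(out)
        os.replace(tmp, full)  # atomic swap so a reader never sees a half-written file
        report["converted"].append(name)
    return report


def self_check() -> dict:
    """Build a scratch hash dir from constructed samples, normalize it to PEM,
    and return the report plus a round-trip flag."""
    import tempfile
    der = b"\x30\x03\x02\x01\x05"  # constructed DER SEQUENCE, not a real certificate
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "1a2b3c4d.0"), "wb") as f:
        f.write(der)                # DER file under a hash name: must be converted
    with open(os.path.join(d, "1a2b3c4d.1"), "wb") as f:
        f.write(der_to_pem(der))    # already PEM: must be skipped
    with open(os.path.join(d, "README"), "wb") as f:
        f.write(der)                # not hash-named: must be left untouched
    report = normalize_hash_dir(d, "PEM")
    with open(os.path.join(d, "1a2b3c4d.0"), "rb") as f:
        report["roundtrip"] = pem_to_der(f.read()) == der
    return report


if __name__ == "__main__":
    import sys
    print(normalize_hash_dir(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "PEM"))
```

After running this over the directory, only one X509_LOOKUP_add_dir call with X509_FILETYPE_PEM is needed, and the doubled directory walk described in the reply above never happens. The report lists what changed, so an operator can diff it against the expected set of hash links.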