X509_STORE lookup question

Chris Bare chris.bare at gmail.com
Mon Aug 7 17:47:50 UTC 2023


Thanks for the reply. The X509_OBJECT used to return data only has room for
1 certificate.
Are you saying the verification routine will call get_cert_by_subject again
if the first one returned fails?
I don't think I've seen that behavior. Even if it did, how would the lookup
routine know this is the nth call, vs a new one?

Or when you said "should" did you mean that would be a better solution, but
the current code does not do that?

On Mon, Aug 7, 2023 at 3:44 AM Tomas Mraz <tomas at openssl.org> wrote:

> On Wed, 2023-08-02 at 09:50 -0400, Chris Bare wrote:
> > I've created an X509_STORE and set my own lookup methods:
> >  lm = X509_LOOKUP_meth_new ("Load certs from database");
> >  if (lm)
> >  {
> >      X509_LOOKUP_meth_set_ctrl (lm, dir_ctrl);
> >      X509_LOOKUP_meth_set_get_by_subject (lm, get_cert_by_subject);
> >      X509_LOOKUP_meth_set_get_by_issuer_serial (lm, get_by_issuer_serial);
> >      X509_LOOKUP_meth_set_get_by_fingerprint (lm, get_by_fingerprint);
> >      X509_LOOKUP_meth_set_get_by_alias (lm, get_by_alias);
> >  }
> >  store = X509_STORE_new();
> >  X509_STORE_add_lookup(store, lm);
> >
> > This works, but it only ever calls get_cert_by_subject. I've run into
> > cases where certificates have duplicate CommonNames, so it would be
> > better to use one of the other lookups.
> > Is there a flag I need to set in the store, or some configuration I
> > need to do somewhere else in OpenSSL to make it use a different
> > lookup method?
>
> Unfortunately in practice this is the only lookup method that is being
> used by the certificate verification. The store should be able to
> return all the matching certificates and the verification routine will
> select the proper one from them.
>
> --
> Tomáš Mráz, OpenSSL
>
>

-- 
Chris Bare