<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Courier New";}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-GB" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB">Okay.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB">Thanks Matt, I didn’t see that one in x509_vfy.c, I must look harder.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB">I will modify our own copy of OpenSSL1.1.1c to provide the missing functions and open a PR on the master.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB">Simon Edwards<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB">On 25/09/2019 12:31, Matt Caswell wrote:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB">On 25/09/2019 12:22, Simon Edwards wrote:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB">><i> void X509_STORE_CTX_set0_error(X509_STORE_CTX *ctx, int error) {<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB">><i>
<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB">><i> ctx->error = error;<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB">><i>
<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB">><i> }<o:p></o:p></i></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB">This one already exists:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB">void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB">{<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB"> ctx->error = err;<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB">}<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB">Other missing accessors could be added (and even backported to stable releases)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB">if there is a strong enough justification for wanting them.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Courier New";mso-fareast-language:EN-GB">Matt<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="mso-fareast-language:EN-GB">From:</span></b><span lang="EN-US" style="mso-fareast-language:EN-GB"> Simon Edwards
<br>
<b>Sent:</b> 25 September 2019 12:22<br>
<b>To:</b> openssl-users@openssl.org<br>
<b>Subject:</b> Working inside X509_STORE_CTX using verification callbacks<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hello Everyone.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I am migrating code written to the old 1.0 (actually probably more like 0.9.?) X509_STORE API which has a replacement for the check_issuer callback function.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Unless I am missing something the 1.1.1c SDK’s public API is missing some accessor functions that are required for a like-for-like update to 1.1.1c.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> void X509_STORE_CTX_<span style="color:red">set</span>0_current_issuer(X509_STORE_CTX *ctx, X509 *cert){<o:p></o:p></p>
<p class="MsoNormal"> ctx->current_issuer = cert;<o:p></o:p></p>
<p class="MsoNormal"> }<o:p></o:p></p>
<p class="MsoNormal"> void X509_STORE_CTX_<span style="color:red">set</span>0_error(X509_STORE_CTX *ctx, int error) {<o:p></o:p></p>
<p class="MsoNormal"> ctx->error = error;<o:p></o:p></p>
<p class="MsoNormal"> }<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I suspect I will need to build this as an internal OpenSSL source module in order to allow access inside the STORE structure.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Or, have I missed a replacement API somewhere?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The reason for using our own callback function is to allow for the situation where a trustpoint collection may contain multiple certificates with the same DN but different keys. The second (or later) of these may be the signer of the certificate
being verified. The OpenSSL version would stop when it encountered the first certificate with an incorrect key. If OpenSSL now supports this situation we could remove the need to set our own callback.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><span style="color:#1F497D;mso-fareast-language:EN-GB">Simon Edwards</span></b><span style="color:#1F497D;mso-fareast-language:EN-GB"><br>
Principal Software Engineer <o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:4.0pt;color:#1F497D;mso-fareast-language:EN-GB"><o:p> </o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:14.0pt;color:#1F497D;mso-fareast-language:EN-GB">Micro Focus<br>
</span></b><u><span style="font-size:4.0pt;color:#1F497D;mso-fareast-language:EN-GB"><br>
</span></u><u><span style="color:#1F497D;mso-fareast-language:EN-GB"><a href="mailto:simon.edwards@microfocus.com"><span style="color:blue">simon.edwards@microfocus.com</span></a><o:p></o:p></span></u></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D;mso-fareast-language:EN-GB">The Lawn, 22-30 Old Bath Road</span><span style="font-size:12.0pt;color:#1F497D;mso-fareast-language:EN-GB"><br>
</span><span style="font-size:10.0pt;color:#1F497D;mso-fareast-language:EN-GB">Newbury, Berkshire, UK<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D;mso-fareast-language:EN-GB">Shoretel 44224</span><span style="font-size:12.0pt;color:#1F497D;mso-fareast-language:EN-GB"><br>
</span><span style="font-size:10.0pt;color:#1F497D;mso-fareast-language:EN-GB">Direct: +44 1635 565487</span><span style="color:#1F497D;mso-fareast-language:EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>