[openssl-dev] [openssl.org #4681] X.509 load method

Roumen Petrov via RT rt at openssl.org
Thu Sep 22 12:22:59 UTC 2016


This is an enhancement request.

OpenSSL 1.1 hides the details of the structures used to load X.509 certificates, 
in particular x509_lookup_method_st, x509_lookup_st and x509_object_st.
This impacts non-OpenSSL projects, as an external application has to 
duplicate those structures.

The request is that OpenSSL does not change those structures until a new 
implementation in a binary-incompatible release.


It seems to me the current look-up method is quite complex.
For instance, get_by_subject performs two main steps, load and query (see 
"by_dir").
In the first step the code, using the "query constraint", fetches data and adds each 
item found to the store. Updating the store requires a thread lock.
In the second step the code queries the entire store using the "query constraint" and 
prepares the result. Querying the store requires a thread lock.

I guess a simpler "callback" model could be used: a method with a 
callback context.
The method fetches data, returning only one item (certificate, CRL, etc.) on each 
call, and so on until the end of data.
With this model the library is responsible for updating the store and preparing the 
result. Locking of the store could be managed internally.
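To make the difference between the two designs concrete, here is an added C model of both (it is not OpenSSL code and does not use OpenSSL's API; the store, the "directory" contents, the lock counter and every function name are constructed for this illustration). The two-step version takes the store lock once to load and once to query; the callback version lets the library hold the lock once while the method yields one item per callback until end of data, and the library updates the store and builds the result in the same pass.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the two look-up designs; not OpenSSL's structures. */
enum obj_kind { OBJ_CERT, OBJ_CRL };

struct x509_item {            /* stands in for x509_object_st */
    enum obj_kind kind;
    const char *subject;
    const char *name;         /* constructed identifier, e.g. a file name */
};

#define STORE_MAX 16
struct store {
    struct x509_item items[STORE_MAX];
    int count;
    int locked;               /* 1 while the lock is held */
    int lock_ops;             /* how many times the lock was taken */
};

/* Constructed "by_dir" contents: what a directory method would find on disk. */
static const struct x509_item directory[] = {
    { OBJ_CERT, "CN=Example Root CA", "root.pem"  },
    { OBJ_CRL,  "CN=Example Root CA", "root.crl"  },
    { OBJ_CERT, "CN=Other CA",        "other.pem" },
    { OBJ_CERT, "CN=Example Root CA", "root2.pem" }, /* renewed cert, same subject */
};
#define DIR_LEN (sizeof directory / sizeof directory[0])

static void store_lock(struct store *s)   { s->locked = 1; s->lock_ops++; }
static void store_unlock(struct store *s) { s->locked = 0; }

/* Add an item unless one with the same name is present; return its index, -1 if full. */
static int store_add(struct store *s, const struct x509_item *it)
{
    for (int i = 0; i < s->count; i++)
        if (strcmp(s->items[i].name, it->name) == 0) return i;
    if (s->count == STORE_MAX) return -1;
    s->items[s->count] = *it;
    return s->count++;
}

/* Current model: the method loads into the store, then the store is queried. */
static int lookup_two_step(struct store *s, const char *subject,
                           const struct x509_item **out, int max)
{
    store_lock(s);            /* step 1: fetch with the constraint, add to store */
    for (size_t i = 0; i < DIR_LEN; i++)
        if (strcmp(directory[i].subject, subject) == 0)
            store_add(s, &directory[i]);
    store_unlock(s);

    int n = 0;
    store_lock(s);            /* step 2: query the whole store with the same constraint */
    for (int i = 0; i < s->count && n < max; i++)
        if (strcmp(s->items[i].subject, subject) == 0)
            out[n++] = &s->items[i];
    store_unlock(s);
    return n;
}

/* Proposed model: the method yields one item per callback until end of data. */
typedef int (*emit_fn)(void *ctx, const struct x509_item *item);

static int dir_fetch_by_subject(const char *subject, emit_fn emit, void *ctx)
{
    for (size_t i = 0; i < DIR_LEN; i++)
        if (strcmp(directory[i].subject, subject) == 0)
            if (emit(ctx, &directory[i]) < 0) return -1;
    return 0;                 /* end of data */
}

struct cb_ctx { struct store *s; const struct x509_item **out; int n, max; };

/* Library-side callback: update the store and build the result in one pass. */
static int emit_into_store(void *p, const struct x509_item *item)
{
    struct cb_ctx *c = p;
    int idx = store_add(c->s, item);
    if (idx < 0) return -1;
    if (c->n < c->max) c->out[c->n++] = &c->s->items[idx];
    return 0;
}

static int lookup_callback(struct store *s, const char *subject,
                           const struct x509_item **out, int max)
{
    struct cb_ctx c = { s, out, 0, max };
    store_lock(s);            /* one lock, held by the library for the whole pass */
    dir_fetch_by_subject(subject, emit_into_store, &c);
    store_unlock(s);
    return c.n;
}

int main(void)
{
    struct store a = {0}, b = {0};
    const struct x509_item *r[8];
    int n1 = lookup_two_step(&a, "CN=Example Root CA", r, 8);
    int n2 = lookup_callback(&b, "CN=Example Root CA", r, 8);
    printf("two-step: %d items, %d lock ops\n", n1, a.lock_ops);
    printf("callback: %d items, %d lock ops\n", n2, b.lock_ops);
    return 0;
}
```

Both paths return the same three objects for the subject; the observable difference is that the store lock is taken twice in the two-step path and once in the callback path, and only the library touches the store in the latter.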


Regards,
Roumen


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4681
Please log in as guest with password guest if prompted
