[openssl-dev] (future) STORE vs X509_LOOKUP_METHOD by_dir

Richard Levitte levitte at openssl.org
Sun Feb 5 15:47:46 UTC 2017


Hi,

I've some ponderings that I need to bounce a bit with you all.

Some have talked about replacing the X509_LOOKUP_METHOD bit with the
STORE module I'm building, and while STORE isn't ready for it yet, I
have some thoughts on how the two can approach each other.  This would
involve one or two hooks / callbacks, that a STORE user could specify
(details later) to pick and choose freely among the objects that the
STORE module finds (be it on file or whatever else that can be
represented as a URI).

The troublesome part would be to try to mimic by_dir...  It depends
heavily on the specified paths really being directories, and on
finding what it wants by adding very specific file names (a hash of
the subject name with a ".{n}" or ".r{n}" extension for X.509 certs
and for X.509 CRLs).  And sure, that works, but it will really only
work with regular files.

What if someone would specify an LDAP URI that can return a bunch of
objects?

So...  my ponderings are going along these lines:

1. Should the directory X509_LOOKUPs be restricted to on disk
   directories, or should "directory" be redefined as "whatever URI
   that returns a collection of objects"?  The latter would mean that
   all those objects get loaded and that a hook / callback would then
   be called to check if it's an object that corresponds to what we
   search for.

2. For on disk directories, should we preserve the rehash file form?
   In other words, if we decide to load everything we can find, shall
   we restrict the loading to files matching the regexp
   [0-9a-f]{8}\.r?[0-9]+  ?  If not, are we about to create a new form
   of key store for ourselves and our users?  Should we?

Quite a lot also depends on what OpenSSL version we aim for.  I would
very much like to see the STORE module itself become part of 1.1.1,
but a new key store to replace our current rehash links will obviously
have to wait 'til 1.2.0.

Cheers,
Richard

-- 
Richard Levitte         levitte at openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/
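As an added illustration (not part of the original message and not OpenSSL's own code): a small Python model of the rehash file form from point 2 and of by_dir's sequential probing, run over a constructed directory listing. The listing, the hash values and the function names are made up for the example; the stop-at-the-first-gap probe order is taken from by_dir's documented behaviour.

```python
import re
from collections import defaultdict

# The rehash form by_dir expects: 8 lowercase hex digits of the subject-name
# hash, then ".N" for the N-th certificate or ".rN" for the N-th CRL.
# This is the regexp from the message, anchored and split into groups.
REHASH_RE = re.compile(r"^([0-9a-f]{8})\.(r?)([0-9]+)$")

# Constructed directory listing for the example (not a real hash directory).
SAMPLE_LISTING = [
    "5ed36f99.0", "5ed36f99.1", "5ed36f99.r0",
    "a94d09e5.0", "a94d09e5.2",              # ".1" is missing: a gap
    "ca-bundle.pem", "README", "5ED36F99.0",  # not in rehash form (uppercase)
]


def classify_rehash_dir(names):
    """Group entries by subject hash into certs and CRLs.

    Returns (index, skipped): index[hash] = {"certs": [n...], "crls": [n...]}
    with sorted suffix numbers, and skipped = entries by_dir would never open.
    """
    index = defaultdict(lambda: {"certs": [], "crls": []})
    skipped = []
    for name in names:
        m = REHASH_RE.match(name)
        if not m:
            skipped.append(name)
            continue
        subject_hash, is_crl, n = m.group(1), m.group(2) == "r", int(m.group(3))
        index[subject_hash]["crls" if is_crl else "certs"].append(n)
    for entry in index.values():
        entry["certs"].sort()
        entry["crls"].sort()
    return dict(index), skipped


def by_dir_candidates(index, subject_hash, want_crl=False):
    """Mimic by_dir's probe order: hash.0, hash.1, ... until the first gap.

    Anything after a gap is never consulted, which is why hand-made names
    in a hash directory silently drop certificates or CRLs.
    """
    kind = "crls" if want_crl else "certs"
    present = set(index.get(subject_hash, {kind: []})[kind])
    found, n = [], 0
    while n in present:
        found.append(f"{subject_hash}.{'r' if want_crl else ''}{n}")
        n += 1
    return found
```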

