[openssl-dev] (future) STORE vs X509_LOOKUP_METHOD by_dir

Tomas Mraz tmraz at redhat.com
Mon Feb 6 10:15:19 UTC 2017


On Sun, 2017-02-05 at 16:47 +0100, Richard Levitte wrote:
> Hi,
> 
> I've some ponderings that I need to bounce a bit with you all.
> 
> Some have talked about replacing the X509_LOOKUP_METHOD bit with the
> STORE module I'm building, and while STORE isn't ready for it yet, I
> have some thoughts on how the two can approach each other.  This would
> involve one or two hooks / callbacks, that a STORE user could specify
> (details later) to pick and choose freely among the objects that the
> STORE module finds (be it on file or whatever else that can be
> represented as a URI).

Just to add something to your thinking - so there is a p11-kit-trust
PKCS11 module which provides all the CA certificates that should be
trusted on the system via individual PKCS11 certificate objects. Could
it be somehow accommodated with the STORE module approach? Mozilla NSS
and GnuTLS can use this PKCS11 module directly as a trust store, we
would like to add the same functionality to OpenSSL.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)