[openssl-users] Loading of CA chain into store from mem for verification

Dan S danchik at rebelbase.com
Tue Apr 26 20:20:30 UTC 2016


Instead of using SSL_CTX_load_verify_locations with a file, we load the
data from a DLL resource (multiple certs separated by -----BEGIN

    if(pdata = (BYTE *)LockResource( hglobal )) { // BYTE *pdata, hglobal is initialized with LoadResource
        if(cabio=BIO_new_mem_buf(pdata, -1)) { // create io to mem buffer
            PEM_read_bio_X509(cabio, &cacert, 0, NULL); // load cert to add to store later

Everything seems good so far, the data is correct, and cacert is initialized.

Later we add it to the store:
    if(cacert) {
        X509_STORE *store = SSL_CTX_get_cert_store(ctx);  // ctx created earlier with SSL_CTX_new with TLSv1_2_method
        if(NULL != store) {
            if(!(res=X509_STORE_add_cert(store, cacert))) {
                // set some error info here and break out to free variables before exit
        SSL_CTX_set_cert_store(ctx, store); // Not sure if we were working on the store in ctx or on a copy of it
        // if we don't set it back, when the cert is verified it produces X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY as if it never had the CA chain
        // if we do set it back, the verification crashes with a memory access in X509_VERIFY_PARAM_inherit (x509_vpm.c)

Is it that the PEM_read_bio_X509 can only load one cert at a time (why did
it report success on load then)?
Or is it that only one cert at a time can be added to store?
Neither explains the crash (since all calls seemingly succeeded).

Any thoughts please?
Thank you