[openssl-users] Loading of CA chain into store from mem for verification
Dan S
danchik at rebelbase.com
Tue Apr 26 20:20:30 UTC 2016
Hello,
Instead of using SSL_CTX_load_verify_locations with a file, we load the
data from a DLL resource (multiple certs separated by -----BEGIN
CERTIFICATE----- / -----END CERTIFICATE-----):
...
if(pdata = (BYTE *)LockResource( hglobal )) { // BYTE *pdata; hglobal is initialized with LoadResource
    if(cabio=BIO_new_mem_buf(pdata, -1)) { // create io to mem buffer
        PEM_read_bio_X509(cabio, &cacert, 0, NULL); // load cert to add to store later
        BIO_free_all(cabio);
    }
}
...
everything seems good so far, data is correct, and cacert is initialized.
Later we add it to the store:
...
if(cacert) {
    X509_STORE *store = SSL_CTX_get_cert_store(ctx); // ctx created earlier with SSL_CTX_new with TLSv1_2_method
    if(NULL != store) {
        if(!(res=X509_STORE_add_cert(store, cacert))) {
            // set some error info here and break out to free variables before exit
            break;
        }
        SSL_CTX_set_cert_store(ctx, store); // Not sure if we were working on store in ctx or on copy of it
        // if we don't set it back, when cert verified it produces X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY as if it never had the ca chain
        // if we do set it back, the verification crashes with memory access in X509_VERIFY_PARAM_inherit (x509_vpm.c)
    }
...
Is it that the PEM_read_bio_X509 can only load one cert at a time (why did
it report success on load then)?
Or is it that only one cert at a time can be added to store?
Neither explains the crash (since all calls seemingly succeeded).
Any thoughts please?
Thank you