[openssl-users] Automatically populating X509_STORE object cache from directory

Steven Logan steven.logan at optomany.com
Mon Nov 13 13:53:17 UTC 2017


We have an embedded device which will be loaded with a public key for validating data signatures.  We identify this key by means of its SHA-1 fingerprint; to do this we have implemented a custom X509_LOOKUP_METHOD.

The lookup, performed via X509_LOOKUP_by_fingerprint, works great, at least when we call X509_STORE_load_locations with a file identifying the certificate file directly.  Our problem begins when I wish to create a store using the directory that contains our data signing certificates.  My hope was to identify the relevant certificate by fingerprint and return the X509* to be used in validating the certificate itself against a separate Root/Intermediate store, and then verify the signature itself by retrieving the key from the certificate.

Sadly, it seems that X509_STORE_load_locations does not automatically populate the object cache with the certificates contained in the directory.  It appears this may be by design and not an issue with our code.

1.  Is there any way to have OpenSSL automatically populate the cache with the certificates in the directory?
2.  In the source code, I can see that X509_STORE_get1_certs will go off and call X509_STORE_get_by_subject and potentially load the certificates from the directory based on their subject.  Will I need to implement the equivalent of this in order to load certificates from the directory by fingerprint?
3.  Is there anything particularly wrong with this approach?  It seemed odd to me that OpenSSL does not implement the fingerprint lookup itself.

