[openssl-users] Automatically populating X509_STORE object cache from directory

Jakob Bohm jb-openssl at wisemo.com
Mon Nov 13 15:03:20 UTC 2017

On 13/11/2017 14:53, Steven Logan via openssl-users wrote:
> Hi,
> We have an embedded device which will be loaded with a public key for validating data signatures.  We identify this key by means of its SHA-1 fingerprint; to do this we have implemented a custom X509_LOOKUP_METHOD.
> The lookup, performed via X509_LOOKUP_by_fingerprint works great, that is at least when we call X509_STORE_load_locations with a file identifying the certificate file directly.  Our problem begins when I wish to create a store using the directory that contains our data signing certificates.  My hope was to identify the relevant certificate by fingerprint and return the X509* to be used in validating the certificate itself against a separate Root/Intermediate store and then verify the signature itself by retrieving the key from the certificate.
> Sadly, it seems that X509_STORE_load_locations does not automatically populate the object cache with the certificates contained in the directory.  It appears this may be by design and not an issue with our code.
> 1.  Is there any way to have OpenSSL automatically populate the cache with the certificates in the directory?
> 2.  In the source code, I can see that X509_STORE_get1_certs will go off and call X509_STORE_get_by_subject and potentially load the certificates from the directory based on their subject.  Will I need to implement the equivalent of this in order to load certificates from the directory by fingerprint?
> 3.  Is there anything particularly wrong with this approach?  It seemed odd to me that OpenSSL itself does not implement the fingerprint lookup itself.
> Regards,
> Steve
The by-directory method is designed to avoid keeping the entire collection
of trusted certificates in memory, and to avoid slowing down program startup
with the time to load all the certificates.  Because the main use is to
find the issuer of a certificate received from another computer, the
directory contains certificate files whose name is an 8-digit checksum of
the subject referenced by other certificates, with a file extension being
simply a counter from 0 to the number of certificates with a duplicate hash.

For your use of finding certificates by weak certificate hash (SHA-1 is
being phased out of this world as quickly as possible), the options are to
either write a script that symlinks from the first 10 hex digits of the
SHA-1 hash (with similar collision-counting extension) and write your own
lookup code, or to write a function to load all the certificates either by
looping over the directory or using a traditional all-certs-in-one-file
like ca-certificates.crt.

However unless you have a hard requirement to start from the SHA-1
"fingerprint", it is probably a lot easier to just change your code to
identify the certificate by a "friendly name", which would simply be the
filename without directory and .pem extension.  For example
"ValiCert_Class_1_VA" as input loading
/etc/ssl/certs/ValiCert_Class_1_VA.pem.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
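
Added example, not part of the original message and not OpenSSL code: a Python script for the symlink option described in the reply, linking the first 10 hex digits of each certificate's SHA-1 fingerprint plus a collision counter to the certificate file, with a lookup that compares the full fingerprint. The function names, the `prefix_len` parameter, and the assumption of one PEM certificate per `*.pem` file are hypothetical choices made for this example.

```python
import base64, hashlib, os, re, tempfile

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprint(path):
    """SHA-1 hex digest over the DER bytes of the first certificate in a PEM file."""
    with open(path, encoding="ascii") as fh:
        match = PEM_RE.search(fh.read())
    if match is None:
        raise ValueError(f"no PEM certificate in {path}")
    return hashlib.sha1(base64.b64decode("".join(match.group(1).split()))).hexdigest()

def build_index(cert_dir, prefix_len=10):
    """Link <first prefix_len hex digits>.<counter> to each *.pem file; return {link: file}."""
    stale = re.compile(rf"^[0-9a-f]{{{prefix_len}}}\.\d+$")
    for name in os.listdir(cert_dir):
        if stale.match(name) and os.path.islink(os.path.join(cert_dir, name)):
            os.unlink(os.path.join(cert_dir, name))  # rebuild from scratch on every run
    links = {}
    for name in sorted(os.listdir(cert_dir)):
        if not name.endswith(".pem"):
            continue
        prefix = fingerprint(os.path.join(cert_dir, name))[:prefix_len]
        n = 0
        while f"{prefix}.{n}" in links:  # prefix collision: take the next counter
            n += 1
        os.symlink(name, os.path.join(cert_dir, f"{prefix}.{n}"))
        links[f"{prefix}.{n}"] = name
    return links

def lookup(cert_dir, fp, prefix_len=10):
    """Return the certificate file whose full SHA-1 fingerprint equals fp, or None."""
    fp = fp.replace(":", "").lower()
    n = 0
    while os.path.exists(cand := os.path.join(cert_dir, f"{fp[:prefix_len]}.{n}")):
        if fingerprint(cand) == fp:  # the prefix only narrows; compare all 40 digits
            return os.path.realpath(cand)
        n += 1
    return None

if __name__ == "__main__":
    # Constructed sample: PEM armor around placeholder bytes, not real X.509 certificates.
    with tempfile.TemporaryDirectory() as d:
        for label in (b"signer-a", b"signer-b"):
            body = base64.b64encode(b"constructed placeholder " + label).decode()
            with open(os.path.join(d, label.decode() + ".pem"), "w") as fh:
                fh.write(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
        for link, target in build_index(d).items():
            print(link, "->", target, "| lookup:", lookup(d, fingerprint(os.path.join(d, target))))
```

The fingerprint match only selects a file; the returned certificate still has to be validated against the separate Root/Intermediate store, as the original question describes.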
