[openssl-users] OpenSSL 1.1.0: How to get X509_STORE from X509_LOOKUP?

Stephan Mühlstrasser stm at pdflib.com
Tue Jun 12 09:58:27 UTC 2018


I'm migrating from OpenSSL 1.0.2 to OpenSSL 1.1.0. The application 
attaches additional data to X509 certificate data structures via the 
X509_set_ex_data()/X509_get_ex_data() functions.

A tricky detail is that the additional data must be attached when 
OpenSSL loads certificates from PEM files or from directories containing 
certificates with the hashed names. With OpenSSL 1.0.2 this was 
implemented by wrapping the X509_LOOKUP_METHODs returned by 
X509_LOOKUP_file() and X509_LOOKUP_hash_dir() into application-specific 

Within the context of the application-specific X509_LOOKUP_METHOD 
instances the original methods are called, and when certificates are 
loaded then via a callback X509_set_ex_data() is called on the newly 
loaded certificate. For example for the X509_LOOKUP_file() lookup method 
the "ctrl" function pointer from the X509_LOOKUP_METHOD structure is 

int (*ctrl) (X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
                  char **ret);

For this approach it is necessary to retrieve the X509_STORE context 
pointer from a X509_LOOKUP pointer passed to the function called via the 
X509_LOOKUP.ctrl function pointer.

In OpenSSL 1.0.2 this was no problem as the "X509_STORE *store_ctx" 
member of the X509_LOOKUP structure was directly accessible. But in 
OpenSSL 1.1.0 the X509_LOOKUP structure is opaque, and as far as I can 
see there is no API function available that would retrieve the 
X509_STORE pointer from a X509_LOOKUP pointer.

Is this intentional, or was this an omission when making the X509_LOOKUP 
structure opaque in OpenSSL 1.1.0?


More information about the openssl-users mailing list