[openssl-users] OpenSSL 1.1.0: How to get X509_STORE from X509_LOOKUP?
stm at pdflib.com
Tue Jun 12 09:58:27 UTC 2018
I'm migrating from OpenSSL 1.0.2 to OpenSSL 1.1.0. The application
attaches additional data to X509 certificate data structures via the
A tricky detail is that the additional data must be attached when
OpenSSL loads certificates from PEM files or from directories containing
certificates with the hashed names. With OpenSSL 1.0.2 this was
implemented by wrapping the X509_LOOKUP_METHODs returned by
X509_LOOKUP_file() and X509_LOOKUP_hash_dir() into application-specific
Within the context of the application-specific X509_LOOKUP_METHOD
instances the original methods are called, and when certificates are
loaded then via a callback X509_set_ex_data() is called on the newly
loaded certificate. For example for the X509_LOOKUP_file() lookup method
the "ctrl" function pointer from the X509_LOOKUP_METHOD structure is
int (*ctrl) (X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
For this approach it is necessary to retrieve the X509_STORE context
pointer from a X509_LOOKUP pointer passed to the function called via the
X509_LOOKUP.ctrl function pointer.
In OpenSSL 1.0.2 this was no problem as the "X509_STORE *store_ctx"
member of the X509_LOOKUP structure was directly accessible. But in
OpenSSL 1.1.0 the X509_LOOKUP structure is opaque, and as far as I can
see there is no API function available that would retrieve the
X509_STORE pointer from a X509_LOOKUP pointer.
Is this intentional, or was this an omission when making the X509_LOOKUP
structure opaque in OpenSSL 1.1.0?
More information about the openssl-users