[openssl-users] Same dir with different type in X509_LOOKUP_hash_dir

Richard Levitte levitte at openssl.org
Sat Sep 29 12:13:52 UTC 2018


Well, that will kinda sorta work, I think...  what you're basically
doing there, albeit not entirely clearly, is making the type a part of
the directory index, not just its name.  I haven't looked thoroughly
enough to see if there are corner cases that will screw that up.

That being said, you will see an increase in processing time.  The
type setting for a directory is applied to ALL hash-named files this
code can find, so if you have two lookups, one with each file type
setting, what will happen is that it will attempt through all the
files, which will of course fail for those with the wrong format.  You
won't notice, because the loading errors are simply ignored and there
will be success as soon as a file could be loaded and matches your
lookup criterion.

So in essence, that does look like a workable solution, but with bad
optimization.

Cheers,
Richard

In message <2e5a9e53712a0e0138eee7d07d7145194286024a.camel at unicon-software.com> on Fri, 28 Sep 2018 13:11:25 +0200, Jan Burgmeier <jan.burgmeier at unicon-software.com> said:

> Hi,
> 
> during setup of my X509_STORE I use X509_LOOKUP_hash_dir with the same dir
> but different types X509_FILETYPE_PEM and X509_FILETYPE_ASN1. But only
> certificates of the first type are looked up.
> I dug into the code and made a little change to fix my problem, see
> attached patch. Is this behavior by design and am I doing anything
> wrong, or is this a bug?
> 
> Regards
> Jan Burgmeier
> 
> --- a/crypto/x509/by_dir.c
> +++ b/crypto/x509/by_dir.c
> @@ -217,7 +217,8 @@
>                  continue;
>              for (j = 0; j < sk_BY_DIR_ENTRY_num(ctx->dirs); j++) {
>                  ent = sk_BY_DIR_ENTRY_value(ctx->dirs, j);
> -                if (strlen(ent->dir) == (size_t)len &&
> +                if (type == ent->dir_type &&
> +                    strlen(ent->dir) == (size_t)len &&
>                      strncmp(ent->dir, ss, (unsigned int)len) == 0)
>                      break;
>              }
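Review bot: making dir_type part of the duplicate check at `if (type == ent->dir_type &&` changes the identity of a directory entry from "dir" to "(dir, type)", and nothing in the hunk documents that; add a comment above that line saying the same directory may now be registered once per file type, and that every registered entry is walked on lookup, so a directory registered under both X509_FILETYPE_PEM and X509_FILETYPE_ASN1 is scanned twice, with the wrong-type loads failing silently. That cost is the trade-off a reader of this check needs to know about, and it belongs next to the code rather than only in the mailing-list discussion.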
> 
> 
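The thread turns on two properties of a hash directory: every hash-named file is tried with the type the directory was registered with, and load failures are ignored, so a file in the other encoding is silently skipped. The following script is an added example, not code from the thread or from OpenSSL; it audits a hash-dir layout offline for files whose encoding does not match the configured type, and lists the slots a lookup would actually reach for a given hash. The directory contents, file names and the hash value `5ed36f1b` are constructed for the example; the format sniffing is a heuristic (PEM armour line vs. a leading ASN.1 SEQUENCE tag), not a full parse.

```python
import re
from typing import Dict, List, Tuple

# Hash-dir filename convention used by X509_LOOKUP_hash_dir: 8 hex digits of the
# subject-name hash, then ".N" for certificates or ".rN" for CRLs (N = 0, 1, ...).
HASH_NAME = re.compile(r"^[0-9a-f]{8}\.(r?)([0-9]+)$")

PEM_BEGIN = b"-----BEGIN "


def sniff_format(data: bytes) -> str:
    """Classify file content as 'PEM', 'DER' or 'unknown'.

    Heuristic: PEM files start with a '-----BEGIN ...-----' armour line; a
    DER-encoded certificate or CRL starts with an ASN.1 SEQUENCE tag (0x30).
    """
    head = data.lstrip()
    if head.startswith(PEM_BEGIN):
        return "PEM"
    if head[:1] == b"\x30":
        return "DER"
    return "unknown"


def audit_hash_dir(files: Dict[str, bytes], configured: str) -> List[Tuple[str, str]]:
    """Return (filename, actual_format) for every hash-named file whose encoding
    differs from the format the directory was registered with ('PEM' or 'DER').

    These are exactly the files a lookup through that directory entry would
    fail to load and silently ignore.
    """
    mismatched = []
    for name in sorted(files):
        if not HASH_NAME.match(name):
            continue  # not a hash-named file; the lookup never opens it
        actual = sniff_format(files[name])
        if actual != configured:
            mismatched.append((name, actual))
    return mismatched


def reachable_slots(files: Dict[str, bytes], hash_hex: str, crl: bool = False) -> List[str]:
    """List the files a lookup for hash_hex would visit, in order.

    The lookup probes hash.0, hash.1, ... (hash.r0, hash.r1, ... for CRLs) and
    stops at the first suffix that does not exist, so a gap in the numbering
    hides every later slot.
    """
    prefix = f"{hash_hex}.{'r' if crl else ''}"
    visited = []
    k = 0
    while f"{prefix}{k}" in files:
        visited.append(f"{prefix}{k}")
        k += 1
    return visited


# Constructed sample directory (not real certificates): a PEM cert, a DER cert
# for the same subject hash, a PEM cert behind a numbering gap, a PEM CRL,
# a garbage file with a hash name, and a non-hash file the lookup ignores.
SAMPLE_DIR = {
    "5ed36f1b.0": b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
    "5ed36f1b.1": b"\x30\x82\x01\x0a\x30\x81\xf5" + b"\x00" * 16,
    "5ed36f1b.3": b"-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----\n",
    "5ed36f1b.r0": b"-----BEGIN X509 CRL-----\nMIIB...\n-----END X509 CRL-----\n",
    "deadbeef.0": b"this is not a certificate\n",
    "README.txt": b"hand-written notes\n",
}


if __name__ == "__main__":
    for configured in ("PEM", "DER"):
        print(f"registered as {configured}: skipped files ->",
              audit_hash_dir(SAMPLE_DIR, configured))
    print("cert slots reached for 5ed36f1b:", reachable_slots(SAMPLE_DIR, "5ed36f1b"))
    print("CRL slots reached for 5ed36f1b: ", reachable_slots(SAMPLE_DIR, "5ed36f1b", crl=True))
```

Running it against a real CApath (reading each file into the dict) shows which files a single-type registration will never load, which is the condition the original poster hit, and flags the numbering gap (`.3` after a missing `.2`) that no amount of type juggling will fix.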

