Working inside X509_STORE_CTX using verification callbacks

Michael Wojcik Michael.Wojcik at
Wed Sep 25 19:05:59 UTC 2019

> From: openssl-users [mailto:openssl-users-bounces at] On Behalf Of
> Viktor Dukhovni
> On Wed, Sep 25, 2019 at 11:22:26AM +0000, Simon Edwards wrote:
> >   void X509_STORE_CTX_set0_current_issuer(X509_STORE_CTX *ctx, X509 *cert)
> >   {
> >        ctx->current_issuer = cert;
> >   }
> Can you provide a motivating use-case for this accessor?  In
> verification callbacks this lets you peek not only at the current
> certificate, but also its issuer, but setting this has no useful
> side-effects.

Simon may correct me on this, and it may not be useful anyway; but if memory serves, it's currently being used to set the issuer on one invocation of the callback, so that on subsequent invocations for the same certificate the callback will see the desired issuer. (The callback gets invoked once for each error that the library wants to raise regarding the certificate, doesn't it? It's been a while since I worked in this area.)

So I *think* this was being used to store the application's decision about the real issuer, when there were multiple root or intermediate certificates - generally to support an RSA keypair and a DSA keypair - with the same CN, and that part of the certificate chain lacked SKID/AKID extensions so the actual issuing certificate had to be determined by key type.

The application in question is actually middleware, and still has to deal with a lot of certificates that aren't v3 or otherwise don't conform to current best practice, and its trust-store configuration mechanism permits multiple trees with colliding subject DNs, so its callback contains some fairly convoluted logic to try to build a valid chain back to a trust anchor while imposing all the necessary checks to maintain security.

Michael Wojcik
Distinguished Engineer, Micro Focus

More information about the openssl-users mailing list