[openssl][uwp] SSL_CTX_load_verify_locations not working for UWP port

Matt Caswell matt at openssl.org
Fri Jun 5 08:21:36 UTC 2020



On 05/06/2020 02:04, Feng LI wrote:
> SSL_CTX_load_verify_locations
> <https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_load_verify_locations.html> is
> required for UWP port to load ca file since OpenSSL will not use the CA
> of the OS.
> 
> But in UWP build, stdio is disabled
> <https://github.com/openssl/openssl/blob/082c041b4233b17b80129d4ac6b33a28014442b0/Configurations/50-win-onecore.conf#L113> by
> default. However, SSL_CTX_load_verify_locations relies on the default
> X509_STORE file lookup functionality, which uses stdio (via BIO_s_file). That
> basically means no verification of peers and hosts is possible with
> OpenSSL on UWP port.
> 
> Is there a way to fix this, or is there a workaround for UWP?

If you can't use the file or dir lookup capabilities then you will have
to look up certs/crls in some other way. There are two possible options
that spring to mind:

1) Implement a custom OSSL_STORE_LOADER (this is probably only viable
for OpenSSL 3.0)

You can implement a custom OSSL_STORE_LOADER via OSSL_STORE_LOADER_new

https://www.openssl.org/docs/manmaster/man3/OSSL_STORE_LOADER_new.html

You will then need to implement the various functions to find and load
the required CA certificates. Perhaps Richard Levitte might comment on
how to do that.

Once you have a custom OSSL_STORE_LOADER you will need to register it
via OSSL_STORE_register_loader() (also documented on the same man page
above).

Finally, you can set your SSL_CTX to use the store via
SSL_CTX_load_verify_store():

https://www.openssl.org/docs/manmaster/man3/SSL_CTX_load_verify_store.html


2) Implement a custom X509_LOOKUP_METHOD

The file and dir lookup methods that SSL_CTX_load_verify_locations uses
are just the built-in ones. It's entirely possible to create your own.
Creating a custom X509_LOOKUP_METHOD involves creating the method via a
call to X509_LOOKUP_meth_new(). You will then need to additionally set
functions to get certs/crls via the different mechanisms, e.g.
X509_LOOKUP_meth_set_get_by_subject(),
X509_LOOKUP_meth_set_get_by_issuer_serial(),
X509_LOOKUP_meth_set_get_by_fingerprint(),
X509_LOOKUP_meth_set_get_by_alias().

Probably you can get away with just implementing the "get_by_subject"
function as a minimal set. The X509_LOOKUP_METHOD functions are
documented here:

https://www.openssl.org/docs/manmaster/man3/X509_LOOKUP_meth_new.html

Once you have a custom X509_LOOKUP_METHOD then you can add it to your
X509_STORE via X509_STORE_add_lookup():

https://www.openssl.org/docs/manmaster/man3/X509_STORE_add_lookup.html

To get the X509_STORE associated with your SSL_CTX you can use
SSL_CTX_get_cert_store():

https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_cert_store.html

Hope that helps.

Matt



