X509_get_pubkey() in OpenSSL 3.0?

Jason Schultz jetson23 at hotmail.com
Wed Nov 3 21:55:28 UTC 2021 

Unfortunately, the short answer is I can't avoid the problem. The application is complicated, and can be thought of as many applications, all of which have different needs. I don't think combining a certificate chain into one file eliminates the need for all of the calls I'm making, just some of them. I wish it were that easy, but I need to do this set up at run time.

I'll see what I can find, and try a few other things to attempt to isolate the cause. If I run out of ideas, I'll probably start a new thread since it may get more attention.

Thanks for your answers once again.

Jason


________________________________
From: openssl-users <openssl-users-bounces at openssl.org> on behalf of Viktor Dukhovni <openssl-users at dukhovni.org>
Sent: Wednesday, November 3, 2021 9:25 PM
To: openssl-users at openssl.org <openssl-users at openssl.org>
Subject: Re: X509_get_pubkey() in OpenSSL 3.0?

On Wed, Nov 03, 2021 at 08:32:43PM +0000, Jason Schultz wrote:

> To summarize, at application start time I read in all of the
> certificates in /etc/ssl/certs/ to a trusted store created with
> X509_STORE_new().
>
> When getting ready to "start" a server (again, leaving a lot of
> specifics out to avoid getting bogged down in details), I'm doing the
> processing in the previous messages on this thread. Here are the API
> calls again, with the changes previously discussed:
>
>     ctx = SSL_CTX_new_ex(non_fips_libctx, NULL, TLS_method());
>     SSL_CTX_use_PrivateKey_file(ctx,<keyfile>,SSL_FILETYPE_PEM);
>     SSL_CTX_use_certificate_file(ctx,<certfile>,SSL_FILETYPE_PEM);
>     SSL_CTX_check_private_key(ctx);
>     mycert = SSL_CTX_get0_certificate(ctx);
>     pkey = X509_get_pubkey(mycert);
>
>  After that's done, I make several OpenSSL calls to get things set up the way I want:
>
>         param = X509_VERIFY_PARAM_new();
>         X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_PARTIAL_CHAIN);
>         X509_STORE_set1_param(ssl_trusted_certs, param);
>         X509_VERIFY_PARAM_free(param);
>
> I call these to treat intermediate certs as trust-anchors, so I can
> trust an intermediate certificate; ssl_trusted_certs is the
> aforementioned X509_STORE.

I am puzzled as to you working so hard (writing a bunch of low-level
trust-store and chain construction code) to construct at runtime, what
could be created statically at chain file construction time.  Especially
if you stick with best practice and keep certificate lifetimes
reasonably short (~90 days or less, not years).  The certificate chain
file constructed at the time the certificate is issued should work
unchanged for the lifetime of the certificate, and the server
applications can avoid having to execute any chain construction or
verification code.

Yes, you're asking somewhat "interesting" questions, in that, e.g., I am
not up to speed on all the changes in 3.0.0, and perhaps there are
indeed some issues around legacy SHA1 signatures, but I do suspect that
a more productive use of your time is likely to reconsider the decision
to work at such a low layer.  It may be wiser to find a way to "unask"
the question, i.e. make it moot, by avoiding rather than solving the
problem.

> I'm not clear on if the calls I've added to
> SSL_CTX_get0_certificate(ctx) and X509_get_pubkey(), the latter of
> which was being used before, are what's causing the problem. The
> OpenSSL error queue shows the following on the
> SSL_CTX_build_cert_chain() failure:
>
> 00B741558E7F0000:error:0308010C:digital envelope routines:(unknown function):unsupported:crypto/evp/evp_fetch.c:346:Global default library context, Algorithm (SHA1 : 96), Properties (<null>)
> 00B741558E7F0000:error:03000072:digital envelope routines:(unknown function):decode error:crypto/x509/x_pubkey.c:444:
> 00B741558E7F0000:error:03000072:digital envelope routines:(unknown function):decode error:crypto/x509/x_pubkey.c:444:
> 00B741558E7F0000:error:0580006C:x509 certificate routines:(unknown function):unable to get certs public key:crypto/x509/x509_vfy.c:1986:
> 00B741558E7F0000:error:0A000086:SSL routines:(unknown function):certificate verify failed:ssl/ssl_cert.c:905:Verify error:unspecified certificate verification error

I haven't seen these before, your guess is as good as mine.

--
    Viktor.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20211103/725dccfd/attachment.html>

More information about the openssl-users mailing list