[openssl-dev] [openssl.org #4624] Re: Bug#829272: Missing accessors
via RT
2016-07-22 15:51:16 UTC
Hi,

Unless I didn't look carefully enough, I think we might still be missing
the current_cert (and current_issuer) from the X509_STORE_CTX, as
advertised in
https://github.com/openssl/openssl/blob/master/doc/HOWTO/proxy_certificates.txt#L204
and used in e.g.
https://github.com/italiangrid/voms/blob/master/src/sslutils/sslutils.c
and many other places for verifying the proxy chain. Or is there a
better/other solution for that?

Best wishes,
Mischa
Post by Richard Levitte via RT
In addition to github PR 1294, there's now also PR 1339 which adds the function to set the EXFLAG_PROXY flag on a given certificate.
Also, PR 1295 has been updated. Instead of a function that returns a lock, there is now a lock and an unlock function.
To me, it seems that that covers what's being asked for. Perhaps not exactly (the setters are for X509_STORE only), but should be workable.
(writing this from my mobile, sorry for the lack of github links)
--
Richard Levitte
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602
Please log in as guest with password guest if prompted
--
Nikhef Room H155
Science Park 105 Tel. +31-20-592 5102
1098 XG Amsterdam Fax +31-20-592 5155
The Netherlands Email ***@nikhef.nl
__ .. ... _._. .... ._ ... ._ ._.. ._.. .._..
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4624
Please log in as guest with password guest if prompted
Richard Levitte via RT
2016-07-22 15:56:05 UTC
Hi,

Good point; I'll look into that. Also, thanks for the reminder: that HOWTO needs a rewrite, badly.

Cheers
Richard
--
Richard Levitte
***@openssl.org
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Richard Levitte via RT
2016-07-23 09:44:18 UTC
To get current_cert, it's X509_STORE_CTX_get_current_cert().
To get current_issuer, it's X509_STORE_CTX_get0_current_issuer().

Those functions are already present in pre-1.1 OpenSSL (at least in the 1.0.2 series).
--
Richard Levitte
***@openssl.org
via RT
2016-07-25 11:32:17 UTC
Post by Richard Levitte via RT
To get current_cert, it's X509_STORE_CTX_get_current_cert().
To get current_issuer, it's X509_STORE_CTX_get0_current_issuer()
Hi Richard,

Yes, those I know, but the problem is the *setting* of the failing cert.
Since we need to walk the whole chain for the proxy pathlength
verification, we need to be able to indicate which cert is failing. See
e.g.
https://github.com/globus/globus-toolkit/blob/globus_6_branch/gsi/callback/source/library/globus_gsi_callback.c#L1691
and further, in particular line 1731.
VOMS is basically using the same code:
https://github.com/italiangrid/voms/blob/master/src/sslutils/sslutils.c#L2236
and further, in particular line 2255.

Jan Just also sets the current_issuer in his grid-proxy-verify.c,
http://www.nikhef.nl/~janjust/proxy-verify/
line 346, but I'm not sure that's necessary.

Mischa
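The two replies above turn on one point: the getters Richard names tell a verify callback which certificate OpenSSL is currently looking at, but a proxy-chain check like the Globus and VOMS code Mischa links walks the whole chain itself, so the certificate it finds at fault is generally not the one OpenSSL is positioned on, and the callback needs a way to report it. The example below is added here as an illustration and is not code from this thread, from OpenSSL, Globus or VOMS. It models that chain walk in plain C, with no OpenSSL dependency: the `chain_entry` struct, the verdict names and the three sample chains are all constructed for the example, and the comments that name `X509_STORE_CTX_set_current_cert()`, `X509_STORE_CTX_set_error()`, `X509_get_extension_flags()` and `X509_get_proxy_pathlen()` reflect my understanding of the OpenSSL 1.1.0 API, not anything stated on this page.

```c
#include <stdio.h>
#include <stddef.h>

/*
 * Constructed model of one chain element, carrying only what an RFC 3820
 * proxy-chain walk needs. In a real OpenSSL verify callback these fields
 * would come from X509_get_extension_flags() & EXFLAG_PROXY and from
 * X509_get_proxy_pathlen() (OpenSSL 1.1.0 API as I understand it; assumed).
 */
typedef struct {
    const char *subject;   /* label for diagnostics only */
    int is_proxy;          /* 1 if the cert carries proxyCertInfo */
    int proxy_pathlen;     /* pCPathLenConstraint, or -1 when absent */
} chain_entry;

/* Verdicts; local to this example, loosely mirroring X509_V_ERR_PROXY_*. */
enum {
    PROXY_CHAIN_OK = 0,
    PROXY_CHAIN_PATH_LENGTH_EXCEEDED = 1,
    PROXY_CHAIN_NON_PROXY_UNDER_PROXY = 2
};

/*
 * Walk a chain ordered like X509_STORE_CTX_get0_chain(): chain[0] is the
 * leaf, chain[n-1] the trust anchor. The walk runs root -> leaf because a
 * pCPathLenConstraint on a proxy bounds how many further proxies may hang
 * below it. On failure *failing (if non-NULL) receives the index of the
 * offending certificate; that index is what a callback would hand to
 * X509_STORE_CTX_set_current_cert() alongside X509_STORE_CTX_set_error()
 * so the error is reported against the right certificate.
 */
int check_proxy_chain(const chain_entry *chain, size_t n, size_t *failing)
{
    int remaining = -1;   /* proxies still allowed below; -1 = unbounded */
    int under_proxy = 0;  /* have we already passed a proxy certificate? */
    size_t i = n;

    while (i-- > 0) {
        const chain_entry *c = &chain[i];

        if (!c->is_proxy) {
            /* RFC 3820: a proxy certificate may only issue proxies. */
            if (under_proxy) {
                if (failing) *failing = i;
                return PROXY_CHAIN_NON_PROXY_UNDER_PROXY;
            }
            continue;
        }

        /* This proxy consumes one unit of whatever limit is in force. */
        if (remaining == 0) {
            if (failing) *failing = i;
            return PROXY_CHAIN_PATH_LENGTH_EXCEEDED;
        }
        if (remaining > 0)
            remaining--;
        under_proxy = 1;

        /* Tighten the limit with this proxy's own constraint, if any. */
        if (c->proxy_pathlen >= 0 &&
            (remaining < 0 || c->proxy_pathlen < remaining))
            remaining = c->proxy_pathlen;
    }
    return PROXY_CHAIN_OK;
}

/* Index of the failing cert, or -1 when the chain passes. */
int failing_index(const chain_entry *chain, size_t n)
{
    size_t idx = 0;
    return check_proxy_chain(chain, n, &idx) == PROXY_CHAIN_OK ? -1 : (int)idx;
}

/* Constructed sample chains (leaf first, trust anchor last). */
static const chain_entry good_chain[] = {
    { "/O=Grid/CN=Alice/CN=proxy/CN=proxy", 1, -1 },
    { "/O=Grid/CN=Alice/CN=proxy",          1,  1 },  /* may sign one more proxy */
    { "/O=Grid/CN=Alice",                   0, -1 },  /* end-entity certificate */
    { "/O=Grid/CN=Grid CA",                 0, -1 },  /* trust anchor */
};

static const chain_entry too_long_chain[] = {
    { "/O=Grid/CN=Alice/CN=proxy/CN=proxy/CN=proxy", 1, -1 },
    { "/O=Grid/CN=Alice/CN=proxy/CN=proxy",          1, -1 },  /* the one too many */
    { "/O=Grid/CN=Alice/CN=proxy",                   1,  0 },  /* pathlen 0: no more proxies */
    { "/O=Grid/CN=Alice",                            0, -1 },
    { "/O=Grid/CN=Grid CA",                          0, -1 },
};

static const chain_entry non_proxy_chain[] = {
    { "/O=Grid/CN=Bob",                     0, -1 },  /* non-proxy issued by a proxy */
    { "/O=Grid/CN=Alice/CN=proxy",          1, -1 },
    { "/O=Grid/CN=Alice",                   0, -1 },
    { "/O=Grid/CN=Grid CA",                 0, -1 },
};

#define LEN(a) (sizeof(a) / sizeof((a)[0]))

int main(void)
{
    const chain_entry *chains[] = { good_chain, too_long_chain, non_proxy_chain };
    size_t lens[] = { LEN(good_chain), LEN(too_long_chain), LEN(non_proxy_chain) };
    for (size_t k = 0; k < 3; k++) {
        size_t bad = 0;
        int rc = check_proxy_chain(chains[k], lens[k], &bad);
        if (rc == PROXY_CHAIN_OK)
            printf("chain %zu: ok\n", k);
        else
            printf("chain %zu: error %d at depth %zu (%s)\n",
                   k, rc, bad, chains[k][bad].subject);
    }
    return 0;
}
```

Note how the second sample fails at index 1, not at the leaf and not at the certificate carrying the constraint: that is exactly the situation where a callback that can only read the current certificate reports the wrong one, and why the thread asks for a setter rather than just the getters.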