Discussion:
SSL_CTX_load_verify_locations
Chris Zacker
2003-10-30 20:49:53 UTC
I have a simple question. If you have a specific CA cert that you (a client) want to use for verifying the server, and you don't have a file system, what do you need to do?
I know that SSL_CTX_load_verify_locations expects you to pass in a filename and directory (although dir can be NULL). Are there some lower-level calls that can be made to just load the specific CA cert into the SSL_CTX structure?
Thanks
Chris Zacker
padma saxena
2003-10-30 21:42:51 UTC
I modified X509_load_cert_crl_file() (in by_file.c) to invoke BIO_new_mem_buf() rather than BIO_new_file(). This seems to work satisfactorily. I probably have to add a module by_mem.c similar to by_file.c so we can pass a buffer (rather than a filename) to SSL_CTX_load_verify_locations(). I did not get around to doing all that yet.

I would be curious to know how others tackled this, if there is an easier, cleaner approach to solving this.

Thanks,
Padma
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org
Chris Zacker
2003-11-04 17:23:53 UTC
Thanks for the help. I was able to use your information and dig into the code and get it working. It seems silly that OpenSSL doesn't provide the accessors to allow people to easily work with a non-filesystem setup. Everything is geared to having the ability to have filenames and directories, etc. Most people doing an embedded system don't have the need to implement a file system but end up having to hack things together to make OpenSSL work.
Thanks again for your assistance.
Chris
wrstuden-DZEk9q7Sfju/3pe1ocb+swC/
2003-11-04 16:15:21 UTC
Post by Chris Zacker
I have a simple question. If you have a specific CACert that you (a client)
want to use for verifying the Server, and you don't have a file system what
do you need to do?
Something like:

#include <openssl/x509.h>

/* Output by `openssl x509 -C`: the CA certificate as a DER byte array. */
unsigned char ca_cert_certificate[1771] = { ..... };

X509 *
get_cert(void)
{
        const unsigned char *d;   /* d2i_X509() takes a const unsigned char ** */
        long length;
        X509 *c;

        d = &ca_cert_certificate[0];
        length = sizeof(ca_cert_certificate);

        /*
         * Pass NULL and let d2i_X509() allocate the X509 itself. Calling
         * X509_new() first and X509_free() on failure, while still
         * returning c, left the caller holding a freed pointer.
         * d is advanced past the parsed bytes; c is NULL if the DER did
         * not parse, and the caller must treat that as fatal.
         */
        c = d2i_X509(NULL, &d, length);

        return (c);
}
Peter Sylvester
2003-11-05 14:10:59 UTC
Post by Chris Zacker
Thanks for the help. I was able to use your information and dig into the
code and get it working. It seems silly that OpenSSL doesn't provide the
accessors to allow people to easily work with a non-filesystem setup.
I think that the functions

SSL_CTX_use_certificate
SSL_CTX_use_PrivateKey

to set up your key for an SSL connection, and a loop using

d2i_X509 + X509_STORE_add_cert

to add certs as a trust base, are not too difficult.

You may also consider putting such things into a P12 file and then (it might be useful to have a -C option as for X509):

p.p12 = d2i_PKCS12 ...

PKCS12_parse (p.p12, p.pst, &(p.pkey), &(p.usercert), &(p.ca) )

and then add key and usercert with SSL_CTX_use_certificate and SSL_CTX_use_PrivateKey, and all certs in the "ca" stack with X509_STORE_add_cert.

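The approach the thread converges on (a DER or PEM blob held in memory, parsed with d2i_X509 or the PEM reader, then added to the context's store with X509_STORE_add_cert, as in the get_cert() snippet and Peter's loop above) is shown end to end below as an added example; it is not code from the thread or from OpenSSL. It uses Python's standard-library ssl module, a thin OpenSSL binding whose SSLContext.load_verify_locations(cadata=...) performs exactly that in-memory load, so it runs wherever Python and OpenSSL are present without a trust-store file. Everything else is assumed for the illustration: the helper names, the "Demo Root CA" name, and the certificate itself, which is constructed in-code as a v1 self-issued shape with a placeholder 2048-bit modulus and filler signature bytes (it stands in for the array `openssl x509 -C` emits and can never verify anything; only the parse-and-load path is exercised). The PKCS#12 variant Peter mentions is not covered, since the standard library has no PKCS12_parse equivalent.

```python
"""Load a CA certificate from a memory buffer, not a file, into a TLS trust store."""
import base64
import hashlib
import ssl

# --- minimal DER encoder, only what the constructed test certificate needs ---

def _tlv(tag, body):
    """DER TLV, definite length (short form below 0x80, long form above)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def _seq(*items):
    return _tlv(0x30, b"".join(items))

def _int(v):
    # Positive INTEGER: a leading 0x00 is kept whenever the top bit is set.
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))

def _algid(oid):
    return _seq(_oid(oid), b"\x05\x00")  # AlgorithmIdentifier with NULL parameters

def _name(cn):
    # Name: one RDN (SET) holding a single commonName PrintableString
    return _seq(_tlv(0x31, _seq(_oid("2.5.4.3"), _tlv(0x13, cn.encode("ascii")))))

def build_placeholder_ca_der(cn="Demo Root CA"):
    """Constructed sample input standing in for the array `openssl x509 -C` emits.
    A v1 self-issued certificate with no extensions. The modulus is a
    deterministic 2048-bit placeholder (not a product of two primes) and the
    signature is filler, so this cert can never verify anything; it only
    exercises the parse-and-load path the thread is about."""
    n = int.from_bytes(hashlib.sha256(b"placeholder modulus").digest() * 8, "big")
    n |= (1 << 2047) | 1
    spki = _seq(_algid("1.2.840.113549.1.1.1"),                   # rsaEncryption
                _tlv(0x03, b"\x00" + _seq(_int(n), _int(65537))))
    validity = _seq(_tlv(0x17, b"030101000000Z"), _tlv(0x17, b"330101000000Z"))
    tbs = _seq(_int(1),                                            # serial; no version field => v1
               _algid("1.2.840.113549.1.1.11"),                    # sha256WithRSAEncryption
               _name(cn), validity, _name(cn), spki)               # issuer == subject
    sig = _tlv(0x03, b"\x00" + bytes(i % 255 + 1 for i in range(256)))
    return _seq(tbs, _algid("1.2.840.113549.1.1.11"), sig)

def to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n".encode("ascii")

# --- the part the thread asks about ---

def context_with_in_memory_ca(ca_blob):
    """Client context that trusts exactly the CA in ca_blob, touching no file.
    cadata is the ssl module's face of BIO_new_mem_buf() + d2i_X509() (or the
    PEM reader) + X509_STORE_add_cert() on SSL_CTX_get_cert_store(): a str is
    parsed as PEM, a bytes object as DER, so the armour is sniffed first."""
    blob = bytes(ca_blob)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED and hostname checking on
    if blob.lstrip().startswith(b"-----BEGIN"):
        ctx.load_verify_locations(cadata=blob.decode("ascii"))
    else:
        ctx.load_verify_locations(cadata=blob)
    return ctx

def trusted_subjects(ctx):
    """Subjects of the CA certificates now held in the context's X509_STORE."""
    return [cert["subject"] for cert in ctx.get_ca_certs()]

def load_outcome(ca_blob):
    """'ok' or 'rejected': a truncated or corrupt blob must never yield a context.
    This is the d2i_X509() == NULL branch a C caller has to handle itself."""
    try:
        context_with_in_memory_ca(ca_blob)
        return "ok"
    except ssl.SSLError:
        return "rejected"
```

Two points carry straight back to the C API. The blob's encoding decides the parser (PEM_read_bio_X509 over a BIO_new_mem_buf for armoured text, d2i_X509 for raw DER), so sniff it rather than assume; and a truncated or corrupt buffer must fail closed, which is the d2i_X509() == NULL branch a C caller has to check before calling X509_STORE_add_cert. Neither load path checks the certificate's own signature, so a trust anchor baked into an image is only as trustworthy as the integrity protection on that image.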