On Wed, Jun 24, 2009, Peter Sylvester wrote:

> Hello,
>
> In 1.0.0beta it seems that the interface between
> the certificate verify callback and the store context
> has slightly changed.
>
> The X509_STORE_CTX_get_current_cert may now
> return NULL which was not the case before the
> introduction of policy checking.
>
> Is it the responsibility of the callback not to assume
> a non-null pointer now, for example not to simply
> call X509_oneline to format the cert subject?
>
> At least the verify callbacks currently in use in
> apps check this (except for s_cb which is used
> by s_server, but which is not yet affected).
>
> The example in the openssl docs uses
>
> X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256);
>
> but also:
>
> X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert)
>
Those examples need updating. Use of X509_NAME_oneline() has been discouraged
for some time.

While this is true it won't happen unless you explicitly set policy checking
along with some additional flags. If an application does set the extra flags
it is expected to understand the implications in the callback.

One case is when you set a flag to require an explicit policy but there is
none in the chain. In that case the error isn't tied to one particular
certificate but the chain itself.

The other case is when you set a flag to notify that policy checking has
succeeded. Again this means the whole chain is OK and not indicating anything
right/wrong with a particular certificate.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org