> From: owner-openssl-us...@openssl.org On Behalf Of ikuzar
> Sent: Tuesday, 08 March, 2011 13:02

> I am going to explain below what I HAVE TO do :
> a) I have to store certificates in a map which is a shared memory.
> ( I have to do this, I have no choice, because I have to continue
> what guy before me had started ). So I think it's better to store
> x509 structure which represents the certificate instead of string.
> I think it is a good idea. isn't it ?

If the purpose of putting this data in shared memory is to share it, and assuming you mean the typedef X509 aka struct x509_st, no. Many OpenSSL API structs, including that one, consist mostly of pointers to data stored elsewhere in memory -- which in any other process is invalid and will produce garbage or crashes.

If you only need to share the map but not its contents, which would be silly, you could have X509's in your private memory and just put pointers in the shared map; no other process can use them, but if the map is keyed it could see the keys and know that e.g. your process has *some* cert for server#3 or server.domain.name.

> b) I must be able to extract uri, serial_number from x509
> structure and store them into a STRING variable. Is there a way
> to extract URI and SN ? ( see source code above ).

You can definitely get serial. Warning: nowadays serials usually aren't sequential (i.e. not 1,2,3,...) and aren't so much numbers as longish bitstrings encoded as numbers. Best to treat it as opaque, and if you need a UI display it as hex bytes. In particular, it's not safe to treat serial directly as a C string, as the code in your earlier post seems to; if you want a C string, and even more so if you want human-legible text, do hex or base64 or some such.

What URI? policy? CRLdist? OCSP? Something else? If you can identify it you should be able to get it. And a (valid) URI will actually be good char-string data. Although if it's encoded as BMP (2-byte) or Universal (4), you need appropriate 'wide' char/string support; any given C can't have both, and it's not guaranteed to have either.

But the combination of "URI" and serial doesn't make sense; they don't relate to each other at all. *Issuer* plus serial is commonly (but not always) used to identify a certificate. Issuer is never a URI. It is *sometimes* a domain name, which can be PART of a URL, which is one kind of URI, but that is not the same thing as being a URI. If issuer is what you want, yes you can get it, and even in a nice-for-humans (but not necessarily programs) text string form; look for "oneline".

> c) is it possible to send x509 structure (certificate)
> to peer ? ( apart from handshake ) I'd like to write something
> like: SSL_write(ssl, X509* cert)

No, for the same reason as above; the x509_st itself has pointers only valid within one process's memory. This is exactly why 'wire' encodings exist, and the usual one for X.509 (including SSL) is DER. OpenSSL also prefers DER or PEM-wrapped-DER for local storage, but here other methods are *possible*.
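As an added example (not code from this thread or from OpenSSL), here is a dependency-free C walker over the DER prefix of a certificate that locates serialNumber and renders it as hex bytes, the opaque treatment recommended above. The sample bytes are constructed and cut off right after the serial, and the serial deliberately contains 0x00 bytes to show why strlen()-style handling of it fails.

```c
/* Added example, not from this thread: walk the DER prefix of a certificate
 * and render serialNumber as hex instead of treating it as a C string.
 * Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
 *   [0] EXPLICIT version OPTIONAL, serialNumber INTEGER, ... }, ... } */
#include <stdio.h>
#include <string.h>

/* Read one DER tag + length header at der[*pos]; advance *pos past it.
 * Returns 1 if the header is well formed and its value fits in the buffer. */
static int der_header(const unsigned char *der, size_t len, size_t *pos,
                      unsigned char *tag, size_t *vlen)
{
    if (*pos + 2 > len) return 0;
    *tag = der[(*pos)++];
    unsigned char b = der[(*pos)++];
    if (b < 0x80) { *vlen = b; }            /* short form length */
    else {                                  /* long form: (b & 0x7f) length bytes */
        size_t n = b & 0x7f;
        if (n == 0 || n > sizeof(size_t) || *pos + n > len) return 0;
        *vlen = 0;
        while (n--) *vlen = (*vlen << 8) | der[(*pos)++];
    }
    return *pos + *vlen <= len;
}

/* Find serialNumber in a DER Certificate and write it as uppercase hex.
 * Returns the hex length, or 0 on malformed/truncated input or a small buffer. */
size_t cert_serial_hex(const unsigned char *der, size_t len,
                       char *out, size_t outlen)
{
    size_t pos = 0, vlen; unsigned char tag;
    if (!der_header(der, len, &pos, &tag, &vlen) || tag != 0x30) return 0; /* Certificate */
    if (!der_header(der, len, &pos, &tag, &vlen) || tag != 0x30) return 0; /* tbsCertificate */
    if (!der_header(der, len, &pos, &tag, &vlen)) return 0;
    if (tag == 0xa0) {                      /* [0] version present: skip it */
        pos += vlen;
        if (!der_header(der, len, &pos, &tag, &vlen)) return 0;
    }
    if (tag != 0x02 || vlen == 0 || vlen * 2 + 1 > outlen) return 0;
    for (size_t i = 0; i < vlen; i++)
        sprintf(out + 2 * i, "%02X", der[pos + i]);
    return vlen * 2;
}

/* Constructed sample: a certificate cut off right after serialNumber (SEQUENCE
 * lengths cover only the bytes present). The serial has 0x00 bytes inside. */
const unsigned char SAMPLE_DER[] = {
    0x30, 0x12,                             /* Certificate SEQUENCE, 18 bytes */
    0x30, 0x10,                             /* tbsCertificate SEQUENCE, 16 bytes */
    0xa0, 0x03, 0x02, 0x01, 0x02,           /* [0] EXPLICIT version (v3) */
    0x02, 0x09, 0x00, 0x9a, 0x00, 0x13, 0x7f, 0xc4, 0x00, 0x21, 0x5e /* serialNumber */
};
```

The leading 0x00 in the serial is the DER pad byte for a value whose top bit is set, which is exactly the kind of byte a C string routine would stop on.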