To add to my previous post, I'd like to know what the best format is for storing an item in the map. The item here is a struct which encapsulates a certificate object (as shown in the previous message). I am thinking about the DER format... is it a good idea?
2011/3/9 ikuzar <razuk...@gmail.com>

> 2011/3/9 Dave Thompson <dthomp...@prinpay.com>
>
>> From: owner-openssl-us...@openssl.org On Behalf Of ikuzar
>> Sent: Tuesday, 08 March, 2011 13:02
>>
>> > I am going to explain below what I HAVE TO do:
>> > a) I have to store certificates in a map which is a shared memory.
>> > (I have to do this, I have no choice, because I have to continue
>> > what the guy before me had started.) So I think it's better to store
>> > the x509 structure which represents the certificate instead of a string.
>> > I think it is a good idea. Isn't it?
>>
>> If the purpose of putting this data in shared memory is to share it,
>> and assuming you mean the typedef X509 aka struct x509_st, no.
>> Many openssl API structs, including that one, consist mostly of
>> pointers to data stored elsewhere in memory -- which in any other
>> process is invalid and will produce garbage or crashes.
>>
>> If you only need to share the map but not its contents, which would
>> be silly, you could have X509's in your private memory, and just
>> put pointers in the shared map, and no other process can use them,
>> but if the map is keyed it could see the keys, and know that e.g.
>> your process has *some* cert for server#3 or server.domain.name.
>
> => I want to make something like:
>
> #include <openssl/x509.h>
> #include <string>
>
> std::string get_sn(X509* cert);   // I'll deal with it later (declared here so it compiles; return type assumed)
> std::string get_data(X509* cert); // I'll deal with it later
>
> template<class StrType> struct certificate : shared {   // 'shared' is defined elsewhere in my code
>     StrType uri;
>     StrType sn;
>     StrType data;
>
>     certificate(X509* cert) {
>         char commonName[512];
>         X509_NAME* subject_name = X509_get_subject_name(cert);
>         // returns -1 and leaves the buffer untouched when the subject has no CN
>         int n = X509_NAME_get_text_by_NID(subject_name, NID_commonName,
>                                           commonName, sizeof commonName);
>         if (n < 0) commonName[0] = '\0';
>
>         uri = commonName;
>         sn = get_sn(cert);     // I'll deal with it later
>         data = get_data(cert); // I'll deal with it later
>     }
> };
>
> -- then, this certificate defined above is encapsulated in a cacheitem
> structure.
> -- In fact, the map stores a range of cacheitems. The map will be read and written
> from different 'forked' children:
> -- there is a class certmanager which manages these cacheitems (add, get,
> delete items from cache, ...etc). I use the URI as the key for the map.
> For example, I'll search for the item whose URI = 213...@etu-univ.com
>
>> > b) I must be able to extract uri, serial_number from the x509
>> > structure and store them into a STRING variable. Is there a way
>> > to extract URI and SN? (see source code above).
>>
>> You can definitely get serial. Warning: nowadays serials usually
>> aren't sequential (i.e. not 1,2,3,...) and aren't so much numbers
>> as longish bitstrings encoded as numbers. Best to treat it as
>> opaque, and if you need a UI display it as hex bytes.
>> In particular, it's not safe to treat serial directly
>> as a C string, as the code in your earlier post seems to;
>> if you want a C string and even more so if you want
>> human-legible text, do hex or base64 or somesuch.
>>
>> What URI? policy? CRLdist? OCSP? Something else?
>> If you can identify it you should be able to get it.
>> And a (valid) URI will actually be good char-string data.
>> Although if it's encoded as BMP(2byte) or Universal(4),
>> you need appropriate 'wide' char/string support; any given
>> C can't have both, and it's not guaranteed to have either.
>
> => I have to store in the certificate a URI which identifies a user. This
> URI is like this: phone_number@domain. Example: 0123456...@etu-univ.com
> (this is a SIP uri). I thought I could store it in CN... was I wrong?
> Have any other suggestion?
>
>> But the combination of "URI" and serial doesn't make sense;
>> they don't relate to each other at all. *Issuer* plus serial
>> is commonly (but not always) used to identify a certificate.
>> Issuer is never a URI. It is *sometimes* a domainname, which
>> can be PART of a URL which is one kind of URI, but that is
>> not the same thing as being a URI. If issuer is what you want,
>> yes you can get it, and even in a nice-for-humans (but not
>> necessarily programs) text string form, look for "oneline".
>>
>> > c) is it possible to send the x509 structure (certificate)
>> > to a peer? (apart from the handshake) I'd like to write something
>> > like: SSL_write(ssl, X509* cert)
>>
>> No for the same reason as above; the x509_st itself has pointers
>> only valid within one process memory. This is exactly why 'wire'
>> encodings exist, and the usual one for X.509 (including SSL) is DER.
>> Openssl also prefers DER or PEM-wrapped-DER for local storage,
>> but here other methods are *possible*.
>>
>> ______________________________________________________________________
>> OpenSSL Project http://www.openssl.org
>> User Support Mailing List openssl-users@openssl.org
>> Automated List Manager majord...@openssl.org