I seriously need help with this piece. I searched the forum and I could not find what I was looking for. During an SSL handshake, I need to be able to examine the CRL distribution points on a certificate (chain), download them, and pass them along to OpenSSL for further revocation checks. I thought I understood that the problem would be solved by just overwriting the "get_crl" method of X509_STORE. But it looks like there's a lot more going on than just reading a URL and downloading the target. Here's what I did, and in the end it didn't work, because I got the error "Different CRL scope" after returning from my "get_crl".
**** set up X509_STORE just before SSL connection:

    // do trusted certs
    if (crlDownloader) {
        x509Store->get_crl = &getCrl;
        CRYPTO_set_ex_data(&x509Store->ex_data, CRL_GET_EXDATA_INDEX,
                           (void *)crlDownloader);
        X509_STORE_set_flags(x509Store,
                             X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
    }
    SSL_CTX_set_cert_store(ctx, x509Store);

**** My get_crl:

    int getCrl(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *cert)
    {
        CrlDownloader *crlDownloader = (CrlDownloader *)CRYPTO_get_ex_data(
            &ctx->ctx->ex_data, CRL_GET_EXDATA_INDEX);
        try {
            // read the distribution points from the certificate (see below)
            std::vector<std::string> urls;
            getDistributionUrls(cert, urls);
            for (const std::string &url : urls) {
                X509_CRL *downloadedCrl = crlDownloader->download(url);
                if (!downloadedCrl)
                    continue;           // try the next distribution point
                *crl = downloadedCrl;
                X509_STORE_add_crl(ctx->ctx, *crl);
                return 1;
            }
        } catch (std::exception &e) {
            // print error
        }
        return 0;
    }

***** util code to return a distribution URL minimally:

    void getDistributionUrls(X509 *cert, std::vector<std::string> &list)
    {
        if (!cert->crldp)
            return;
        for (int i = 0; i < sk_DIST_POINT_num(cert->crldp); i++) {
            DIST_POINT *dp = sk_DIST_POINT_value(cert->crldp, i);
            // only a fullName (type 0) holds GENERAL_NAMEs; skip a missing
            // distribution point name or a nameRelativeToCRLIssuer
            if (!dp->distpoint || dp->distpoint->type != 0)
                continue;
            for (int j = 0; j < sk_GENERAL_NAME_num(dp->distpoint->name.fullname); j++) {
                GENERAL_NAME *gen = sk_GENERAL_NAME_value(
                    dp->distpoint->name.fullname, j);
                if (gen->type == GEN_URI) {
                    list.push_back(std::string((char *)gen->d.ia5->data,
                                               gen->d.ia5->length));
                }
            }
        }
    }

Note that if I modify my code, download the CRL at the beginning, add it to X509_STORE and continue, then everything works as expected. But that's not acceptable because I would have to know a priori what those CRL distribution points would be. So as I mentioned, the above still does not work. Looking at get_crl_delta() shows that there's a lot more logic involved than just downloading the CRL. Unfortunately, most if not all of the methods called inside that module are static, so they're not available to my get_crl. I'd appreciate your feedback and guidance.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
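Added example, not code from the post and not part of OpenSSL: a stand-alone Python walker that pulls the URIs out of a DER-encoded CRLDistributionPoints extension value, the same data the post's util code reads through cert->crldp. It applies the checks a loop over distribution points needs: a DistributionPoint may carry no distributionPoint at all (cRLIssuer only), its name may be a nameRelativeToCRLIssuer ([1]) rather than a fullName ([0]), and a fullName may hold GeneralNames that are not URIs. The extension bytes, the URLs and the CN value are constructed for the example (the small der() encoder exists only to build them), so it runs offline with no OpenSSL or cryptography dependency.

```python
# Added example: minimal DER walker for a CRLDistributionPoints extension value.
# Tags used below (all single-byte, so no multi-byte tag handling is needed):
#   0x30 SEQUENCE          0xA0 [0] constructed    0xA1 [1] constructed
#   0xA2 [2] constructed   0x86 [6] IA5String (uniformResourceIdentifier)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: 0x8N, then N length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[pos:end], end


def iter_tlvs(buf: bytes):
    """Yield (tag, value) for each TLV packed back to back in buf."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value


def crl_dp_uris(ext_value: bytes) -> list:
    """URIs from a CRLDistributionPoints extension value, in certificate order.

    RFC 5280 shape:
      CRLDistributionPoints ::= SEQUENCE OF DistributionPoint
      DistributionPoint ::= SEQUENCE {
        distributionPoint [0] DistributionPointName OPTIONAL,   -- a CHOICE
        reasons           [1] ReasonFlags OPTIONAL,
        cRLIssuer         [2] GeneralNames OPTIONAL }
      DistributionPointName ::= CHOICE {
        fullName                [0] GeneralNames,
        nameRelativeToCRLIssuer [1] RelativeDistinguishedName }
    """
    tag, dps, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("extension value is not a single SEQUENCE")
    uris = []
    for tag, dp in iter_tlvs(dps):
        if tag != 0x30:
            raise ValueError("DistributionPoint is not a SEQUENCE")
        for ftag, fval in iter_tlvs(dp):
            if ftag != 0xA0:               # reasons / cRLIssuer: nothing to fetch
                continue
            ntag, names, _ = read_tlv(fval, 0)   # the DistributionPointName CHOICE
            if ntag != 0xA0:               # nameRelativeToCRLIssuer: no URL here
                continue
            for gtag, gval in iter_tlvs(names):
                if gtag == 0x86:           # only uniformResourceIdentifier names
                    uris.append(gval.decode("ascii"))
    return uris


# --- constructed sample extension (not taken from any real certificate) ---

def der(tag: int, payload: bytes) -> bytes:
    """Encode one TLV with a definite short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

URI_HTTP = b"http://crl.example.test/ca.crl"
URI_LDAP = b"ldap://dir.example.test/cn=ca?certificateRevocationList"

# fullName holding a directoryName [4] (empty Name) and then an http URI
DP_FULL = der(0x30, der(0xA0, der(0xA0, der(0xA4, der(0x30, b"")) + der(0x86, URI_HTTP))))
# nameRelativeToCRLIssuer [1]: RDN SET { SEQUENCE { OID 2.5.4.3 (CN), UTF8String "crl1" } }
DP_RELATIVE = der(0x30, der(0xA0, der(0xA1, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"crl1"))))))
# cRLIssuer [2] only: the URI names the issuer, it is not a place to fetch from
DP_ISSUER_ONLY = der(0x30, der(0xA2, der(0x86, b"http://ignored.example.test/issuer.crl")))
# plain fullName with a single ldap URI
DP_LDAP = der(0x30, der(0xA0, der(0xA0, der(0x86, URI_LDAP))))

# the four points together exceed 127 bytes, so the outer length is long-form
SAMPLE_EXT = der(0x30, DP_FULL + DP_RELATIVE + DP_ISSUER_ONLY + DP_LDAP)


if __name__ == "__main__":
    for uri in crl_dp_uris(SAMPLE_EXT):
        print(uri)
```

Running it lists only the two fetchable URIs (the http and the ldap one); the relative name, the cRLIssuer-only point and the directoryName are passed over instead of being read as a fullname list, which is the case a loop that assumes every distpoint is a fullName gets wrong. A truncated extension value raises ValueError rather than returning a partial list.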