On Tue, Jun 04, 2013, Viktor Dukhovni wrote:

> On Mon, Jun 03, 2013 at 11:32:31PM +0000, Viktor Dukhovni wrote:
>
> > I want to use SSL_CTX_set_cert_verify_callback() to customize how
> > certificate verification is performed. I need to be able to selectively
> > add/remove from the set of "untrusted" additional certificates in
> > X509_STORE_CTX. Unfortunately, while:
> >
> >     X509_STORE_CTX_set_chain()
> >
> > sets ctx->untrusted, the similarly named:
> >
> >     X509_STORE_CTX_get_chain()
> >
> > returns ctx->chain, which is already populated and useful during
> > the simpler one cert at a time verification callback, but is always
> > empty at the start of the cert_verify_callback().
> >
> > I could simply bypass the API and directly manipulate ctx->untrusted,
> > but I am reluctant to do that. Should I go ahead and do that?
>
> Note, to implement DANE, I'm using 1.0.0 or later only. So if with
> 1.x.y there is a reasonable expectation that libcrypto versions
> with the same SONAME don't vary in the offset of the "untrusted"
> member in X509_STORE_CTX, that would be good to know.
>
Well since 1.0.x have to be binary compatible the structure offset won't
change. Due to the way X509_STORE_CTX is accessed it can't really be
modified at all for 1.0.x.

> > Will there perhaps be a library feature that exposes the chain
> > elements to the cert_verify_callback?
>
> Any feedback? Is it safe to access (read-only by cloning the chain)
> ctx->untrusted?
>

Yes it is. Due to the way ctx->untrusted is used it isn't safe to modify
the contents of ctx->untrusted: it uses the supplied application chain
pointer directly and modifying that could have unpredictable results.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org