X509_LOOKUP_store: new X509_LOOKUP_METHOD that works by OSSL_STORE URI #8442
Conversation
Before trying to use the proposed X.509 lookup store API I would like to discuss some items. Except for by_store.c, all other modifications look trivial.
That's an interesting interpretation. Documentation says that functions such as
You have this problem with X509_STORE either way. If you have a look in

```c
CRYPTO_THREAD_write_lock(ctx->lock);
tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name);
CRYPTO_THREAD_unlock(ctx->lock);
```

The
Good point. I didn't because I was thinking that
The existing functionality pushes all objects that match the specified name and type to the X509_STORE. There is a good reason to do that. As pointed out above, on a file system there could exist more than one certificate with different validity periods. This is because the lookup doesn't know the "check (verify)" time. For CRLs the file system is expected to contain more than one CRL, each with a different "last update". Let a daemon process be started on a 'non-stop' system that performs validation and verification of certificates, i.e. the daemon is expected to run for a long time. Let only one directory be set for X.509 look-up and in that directory exist only one CRL (all CA certs are loaded by_file).

From a business point of view, for CRLs by_subject must be called unconditionally. Between two calls, zero or more CRLs could be stored to the directory. In all cases by_subject always returns success and a filled return argument. //diff by_dir vs by_ldap follows
The previous comment lacks the case when the CRL does not exist at all - no load, no addition to the X509_STORE, no result fetched from the X509_STORE, no copy to the function argument, and the method returns false.

Remark:
Using suffixes like .r0, .r1, .r2, ..., .rN where N increases with the next CRL is equal to sorting by "last update". For certificates it is similar - sort by period.

//Off topic: based on the current functionality and the existing public API I guess that another backward compatible approach is visible to turn the X.509 lookup related public API into a usable level (#6970).
Currently by_dir stops processing directories on the first found and loaded object. Let's look at database processing in particular. Working with a database is more specific. Another point is that by_dir checks the result of X509_STORE_add*, indirectly returned from the methods X509_load_{cert|crl}_file. For certs, by_subject is called only once (per distinguished name), and on the first call all certs will be pushed to the store due to the different validity periods. So this is the DIFFERENCE between by_dir and by_ldap! According to my understanding of the X.509 lookup process, by_store functionality should be similar.
I've changed my mind on the subject of how get_by_subject must behave, based on what the X509_LOOKUP and X509_STORE APIs do, see #8707 (comment). As a consequence, I've changed by_store to use the same method as by_dir / by_file, as a proof of concept of sorts.
Hi, I just looked into the new updates. To catch this, the test case should be more complex: a CA, 2 certificates, the first revoked. Then in one and the same test (like a long running server): verify the second (1), revoke the second, update the external "store" (2), verify the second (3).
So are you trying to say that when I find a CRL, I should remove the previous one that is cached before adding the one I just found?
Richard Levitte wrote:
> So are you trying to say that when I find a CRL, I should remove the previous one that is cached before adding the one I just found?

There is more than one solution.

(a) clear the X509_STORE CRLs and then add all found

(b) I chose something like this:

```
counter = 0
while (1) {
    ...
    ok = "add"(object)
    if ok then counter++
}
..
if counter > 0 return true else return false;
```

(c) use a new, more flexible method, for example xadd, that returns positive (1) if added, zero if it exists, negative on error. If I remember well, this is how in the past "boolean" functions were changed to integer. xadd() could be kept internal.

(d) ... ?

(a) could be analysed in the context of multi-threading. I'm not an expert here.

Another point is that a CRL could be big, X MB. To release X MB and then allocate again .... Does not look good.

Roumen
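The daemon scenario from the earlier comment (one directory, a CRL that appears and is later superseded while the verifier keeps running) and option (c) above, worked through as a self-contained C sketch. This is an added illustration, not code from this PR or from OpenSSL: the `crl_t`, `crl_cache_t`, `crl_cache_xadd()`, `lookup_crls_by_subject()` and `crl_cache_newest()` names are assumptions, and the numeric `last_update` field is a constructed stand-in for a CRL's lastUpdate time. It shows why a tri-state add (added / already cached / error) lets a lookup over an unchanged directory still report a hit, and why keeping both the old and the new CRL cached and picking the newest avoids the free-and-reload cost mentioned above.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a CRL: issuer name plus a numeric lastUpdate.
 * Real code would compare ASN1_TIME values; an increasing integer is enough here. */
typedef struct {
    const char *issuer;
    long last_update;
} crl_t;

#define CACHE_MAX 16

/* Hypothetical in-memory cache standing in for the X509_STORE object list. */
typedef struct {
    crl_t objs[CACHE_MAX];
    int n;
} crl_cache_t;

/* Hypothetical xadd() with the tri-state return from option (c):
 *   1  = added, 0 = already cached (same issuer and lastUpdate), -1 = error (cache full). */
int crl_cache_xadd(crl_cache_t *c, const crl_t *crl)
{
    for (int i = 0; i < c->n; i++)
        if (strcmp(c->objs[i].issuer, crl->issuer) == 0
            && c->objs[i].last_update == crl->last_update)
            return 0;
    if (c->n >= CACHE_MAX)
        return -1;
    c->objs[c->n++] = *crl;
    return 1;
}

typedef struct { int added; int existing; int errors; } lookup_stats_t;

/* by_subject-style lookup: scan every candidate in the external "directory"
 * whose issuer matches and push it to the cache (all of them, as by_dir does).
 * Returns 1 if at least one matching CRL is now cached (newly added or already
 * there), 0 if none matched, -1 if any add failed. */
int lookup_crls_by_subject(crl_cache_t *cache, const crl_t *dir, int ndir,
                           const char *issuer, lookup_stats_t *st)
{
    lookup_stats_t s = {0, 0, 0};
    for (int i = 0; i < ndir; i++) {
        if (strcmp(dir[i].issuer, issuer) != 0)
            continue;
        int r = crl_cache_xadd(cache, &dir[i]);
        if (r > 0) s.added++;
        else if (r == 0) s.existing++;
        else s.errors++;
    }
    if (st) *st = s;
    if (s.errors) return -1;
    return (s.added + s.existing) > 0 ? 1 : 0;
}

/* The verifier's choice among cached CRLs for an issuer: the newest lastUpdate. */
const crl_t *crl_cache_newest(const crl_cache_t *c, const char *issuer)
{
    const crl_t *best = NULL;
    for (int i = 0; i < c->n; i++)
        if (strcmp(c->objs[i].issuer, issuer) == 0
            && (best == NULL || c->objs[i].last_update > best->last_update))
            best = &c->objs[i];
    return best;
}

/* Long-running daemon scenario from the thread. Returns the lastUpdate the
 * verifier would use at the end, or a negative code naming the failed step. */
long daemon_scenario(void)
{
    crl_cache_t cache = { .n = 0 };
    crl_t dir[4];            /* constructed "directory" contents */
    int ndir = 0;
    lookup_stats_t st;
    const char *ca = "CN=Test CA";   /* constructed issuer name */

    /* call 1: directory empty, no CRL at all -> lookup reports no result */
    if (lookup_crls_by_subject(&cache, dir, ndir, ca, &st) != 0)
        return -2;

    /* external store updated: a first CRL (think ca.r0) appears */
    dir[ndir++] = (crl_t){ ca, 100 };
    if (lookup_crls_by_subject(&cache, dir, ndir, ca, &st) != 1 || st.added != 1)
        return -3;

    /* call 3: nothing new on disk, but the cached CRL is still a hit */
    if (lookup_crls_by_subject(&cache, dir, ndir, ca, &st) != 1
        || st.added != 0 || st.existing != 1)
        return -4;

    /* a newer CRL (ca.r1) is stored next to the old one: both stay cached,
     * nothing is freed and reloaded, and the verifier picks the newest */
    dir[ndir++] = (crl_t){ ca, 200 };
    if (lookup_crls_by_subject(&cache, dir, ndir, ca, &st) != 1
        || st.added != 1 || st.existing != 1)
        return -5;

    const crl_t *newest = crl_cache_newest(&cache, ca);
    return newest ? newest->last_update : -1;
}

int main(void)
{
    printf("newest cached lastUpdate after the scenario: %ld\n", daemon_scenario());
    return 0;
}
```

The counter in option (b) only counts fresh additions, so the third call above (unchanged directory) would report no CRL; counting "already cached" as a hit, which the tri-state return of option (c) makes possible, keeps the lookup result stable between store updates.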
Approved assuming CIs agree.
Check!
For some reason, OSSL_STORE_SEARCH_get0_name() and OSSL_STORE_find() accepted a non-const OSSL_STORE_SEARCH criterion, which isn't at all necessary.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from #8442)

This is a wrapper around OSSL_STORE.

This also adds necessary support functions:

- X509_STORE_load_file
- X509_STORE_load_path
- X509_STORE_load_store
- SSL_add_store_cert_subjects_to_stack
- SSL_CTX_set_default_verify_store
- SSL_CTX_load_verify_file
- SSL_CTX_load_verify_dir
- SSL_CTX_load_verify_store

and deprecates X509_STORE_load_locations and SSL_CTX_load_verify_locations, as they aren't extensible.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from #8442)
This code is mainly copied from test_ssl_old.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from #8442)
Merged. e3c4ad2 OSSL_STORE: constify the criterion parameter a bit more
This is a wrapper around OSSL_STORE.

This also adds necessary support functions:

- X509_STORE_load_file
- X509_STORE_load_path
- X509_STORE_load_store
- SSL_add_store_cert_subjects_to_stack
- SSL_CTX_set_default_verify_store
- SSL_CTX_load_verify_file
- SSL_CTX_load_verify_dir
- SSL_CTX_load_verify_store

and deprecates X509_STORE_load_locations and SSL_CTX_load_verify_locations, as they aren't extensible.