httpd-dev mailing list archives

From Jeff Trawick <traw...@gmail.com>
Subject Re: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)
Date Wed, 19 Feb 2014 18:37:03 GMT
On Tue, Feb 18, 2014 at 5:00 PM, Dr Stephen Henson <shenson@opensslfoundation.com> wrote:

> On 18/02/2014 20:06, Jeff Trawick wrote:
> > On Mon, Feb 3, 2014 at 6:21 AM, Dr Stephen Henson <shenson@opensslfoundation.com> wrote:
> >
> >     On 02/02/2014 13:45, Kaspar Brand wrote:
> >     > On 01.02.2014 14:37, Dr Stephen Henson wrote:
> >     >> I'm wondering how that could be avoided. Would a way to enumerate all
> >     >> certificates in an SSL_CTX structure in OpenSSL help? Something like
> >     >> SSL_CTX_get0_first_certificate() and SSL_CTX_get0_next_certificate(). That would
> >     >> also set the current certificate at the same time in case applications wanted to
> >     >> inspect the private key or chain.
> >     >
> >     > Yes, this sounds like a useful extension - not only for the issue at
> >     > hand (i.e. SSL_CONF and stapling initialisation), but as a general
> >     > mechanism for retrieving all certificates of an SSL_CTX.
> >     >
> >
> >     Added now. The API is slightly different, but easy enough to use.
> >
> >     To iterate over all certificates in an SSL_CTX something like this will do the
> >     trick:
> >
> >     X509 *x;
> >     int rv;
> >     rv = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST);
> >     while (rv)
> >             {
> >             x = SSL_CTX_get0_certificate(ctx);   /* leaf for the current slot */
> >             rv = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_NEXT);
> >             }
> >
> >     Steve.
> >
> >
> > Is the leaf certificate always first?  (And/or maybe it is up to how the admin
> > configures it and it only works if the leaf is first?)
> >
> > The APIs work this way with the OpenSSL 1.0.2 branch now?
> >
> > TIA!
> >
>
> An SSL_CTX can have multiple server certificates associated with it
> and the one used depends on the ciphersuite negotiated by the client.
>

Thanks, I had forgotten about that!


>
> The certificate you get from SSL_CTX_get0_certificate is the server certificate
> which will always be a leaf certificate. You need different APIs to get the rest
> of the chain (assuming one has been configured).
>

I think this is the trick...

+    rc = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST);
+    while (rc) {
+        x = SSL_CTX_get0_certificate(ctx);
+        if (x) {
+            chain = NULL;
+            SSL_CTX_get0_chain_certs(ctx, &chain);
+            if (chain) {
+                for (i = 0; i < sk_X509_num(chain); i++) {
+                    X509 *x = sk_X509_value(chain, i);
+                    /* do something */
+                }
+            }
+        }
+        rc = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_NEXT);
+    }
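Review bot: the chain loop's `X509 *x = sk_X509_value(chain, i);` shadows the outer `x` that holds the leaf from `SSL_CTX_get0_certificate`, so inside `/* do something */` the leaf is unreachable, and nothing is done with the leaf before the loop even though the stated goal is submitting the server cert together with its intermediates. Rename the loop variable (for example `X509 *inter = sk_X509_value(chain, i);`) and handle `x` before iterating the chain. The return value of `SSL_CTX_get0_chain_certs` is ignored, which is only safe because `chain` is reset to NULL right before the call, so keep those two lines together; `rc`, `chain` and `i` also need declarations if this is the whole hunk.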

I'm working on Certificate Transparency support for httpd; as part of
submitting server certs with any necessary intermediate certs to CT logs I
wanted to extract them straight from the SSL_CTX so that it didn't matter
how exactly they got there/were configured.

Thanks again...


> Steve.
> --
> Dr Stephen Henson. OpenSSL Software Foundation, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD 21710
> +1 877-673-6775
> shenson@opensslfoundation.com
>



-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
