Bear Giles wrote:
>
> > > One classic approach is to have all lookup functions return a
> > > list of unique keys. The caller then requests each object individually
> > > via a lookup that guarantees uniqueness. Uniqueness is easy to guarantee
> > > on any hashed or relational store - make it the primary key!
> >
> > An earlier attempt used a hash of the entire certificate which, if it
> > isn't unique would be the least of your worries...
>
> Issuer and subject number should also be unique, and it's a common
> search pattern. I don't think anyone searches on the hash of the
> entire certificate.
>
It should be unique but it might not be, either by accident or malicious
intent.
There are a couple of cases that use the hash of the whole certificate.
The OCSP v2 draft for example.
>
> > That's the kind of thing I looked at when I started on a revision ages
> > ago. One problem with that is how to add additional lookup methods when
> > they are needed without breaking existing code.
>
> I got a key db about 80% implemented on Monday... then got hit
> with a nasty virus making the rounds. Maybe I'll be able to finish
> by this weekend - at least I can no longer toast marshmallows on my
> forehead.
>
> But support for additional lookup methods isn't a problem. You just
> have a version number in the plug-in and the loader links in an
> "unsupported operation" function if the versions don't match. The
> caller should check the error code... but it should be doing that anyway. :-)
I'd rather not have the OpenSSL core code have to keep track of which
version supported which lookup techniques. An alternative is to have one
lookup function and a parameter specifying the lookup type. If a version
then doesn't recognise the lookup technique it can return an error
saying it doesn't understand the method. This maps well to the ASN1
CHOICE type which is represented as:
    struct {
        int type;           /* which alternative of the CHOICE is present */
        union {
            TYPE1 *a;
            TYPE2 *b;
            TYPE3 *c;
            /* etc */
        } d;                /* the selected alternative */
    };
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
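The lookup scheme Steve sketches above, as an added example in C that is not OpenSSL code: a single lookup function takes a CHOICE-style tagged-union key, and a plug-in that does not implement the requested method returns an explicit "unsupported method" error instead of the core having to track plug-in versions. It also covers the point made earlier in the thread that an issuer/serial pair should be unique but might not be, by reporting a multiply-matched key as ambiguous rather than returning the first hit. The names (cert_lookup, lookup_key, lookup_plugin, FULL_PLUGIN, OLD_PLUGIN) and the in-memory store are hypothetical and constructed for the example.

```c
/* Added illustration (not OpenSSL code): one lookup entry point taking a
 * CHOICE-style tagged-union key, as the message above describes. All names
 * here (cert_lookup, lookup_key, lookup_plugin, the toy store) are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Lookup methods a caller may ask for; a given plug-in need not know them all. */
enum lookup_type { LOOKUP_BY_SUBJECT = 1, LOOKUP_BY_ISSUER_SERIAL = 2, LOOKUP_BY_CERT_HASH = 3 };

/* Result codes the caller has to check. */
enum lookup_result {
    LOOKUP_OK = 0,
    LOOKUP_NOT_FOUND,
    LOOKUP_AMBIGUOUS,           /* a key that "should" be unique matched twice */
    LOOKUP_UNSUPPORTED_METHOD   /* this plug-in does not understand the type */
};

/* The CHOICE: a discriminator plus the alternative it selects. */
struct lookup_key {
    int type;
    union {
        const char *subject;
        struct { const char *issuer; unsigned long serial; } is;
        const unsigned char *cert_hash;   /* 4 bytes in this toy store */
    } d;
};

/* Constructed records. "CN=mallory" deliberately reuses bob's issuer/serial
 * pair: uniqueness is what the schema promises, not what the store guarantees. */
struct cert_rec { const char *subject, *issuer; unsigned long serial; unsigned char hash[4]; };
static const struct cert_rec STORE[] = {
    { "CN=alice",   "CN=Test CA", 1001, { 0xde, 0xad, 0xbe, 0xef } },
    { "CN=bob",     "CN=Test CA", 1002, { 0x01, 0x02, 0x03, 0x04 } },
    { "CN=mallory", "CN=Test CA", 1002, { 0x0a, 0x0b, 0x0c, 0x0d } },
};
#define STORE_LEN (sizeof STORE / sizeof STORE[0])

/* A plug-in advertises the methods it implements as a bitmask, so the core
 * never has to remember which plug-in version grew which lookup. */
struct lookup_plugin { unsigned supported; };
const struct lookup_plugin FULL_PLUGIN =
    { (1u << LOOKUP_BY_SUBJECT) | (1u << LOOKUP_BY_ISSUER_SERIAL) | (1u << LOOKUP_BY_CERT_HASH) };
const struct lookup_plugin OLD_PLUGIN =   /* predates hash lookup */
    { (1u << LOOKUP_BY_SUBJECT) | (1u << LOOKUP_BY_ISSUER_SERIAL) };

static int record_matches(const struct cert_rec *r, const struct lookup_key *k)
{
    switch (k->type) {
    case LOOKUP_BY_SUBJECT:       return strcmp(r->subject, k->d.subject) == 0;
    case LOOKUP_BY_ISSUER_SERIAL: return strcmp(r->issuer, k->d.is.issuer) == 0
                                         && r->serial == k->d.is.serial;
    case LOOKUP_BY_CERT_HASH:     return memcmp(r->hash, k->d.cert_hash, sizeof r->hash) == 0;
    default:                      return 0;
    }
}

/* The single lookup function. An unknown or unsupported type is an explicit
 * error, not "not found"; a multiply-matched key is reported as ambiguous
 * rather than handing back whichever record happened to come first. */
int cert_lookup(const struct lookup_plugin *p, const struct lookup_key *k,
                const struct cert_rec **out)
{
    size_t i, hits = 0;
    *out = NULL;
    if (k->type <= 0 || k->type >= 32 || !(p->supported & (1u << k->type)))
        return LOOKUP_UNSUPPORTED_METHOD;
    for (i = 0; i < STORE_LEN; i++)
        if (record_matches(&STORE[i], k) && hits++ == 0)
            *out = &STORE[i];
    if (hits == 0) return LOOKUP_NOT_FOUND;
    if (hits > 1) { *out = NULL; return LOOKUP_AMBIGUOUS; }
    return LOOKUP_OK;
}

/* Wrappers that build one CHOICE alternative each and return the result code. */
int lookup_subject(const struct lookup_plugin *p, const char *subject) {
    const struct cert_rec *r; struct lookup_key k = { LOOKUP_BY_SUBJECT, { .subject = subject } };
    return cert_lookup(p, &k, &r);
}
int lookup_issuer_serial(const struct lookup_plugin *p, const char *issuer, unsigned long serial) {
    const struct cert_rec *r; struct lookup_key k = { LOOKUP_BY_ISSUER_SERIAL, { .is = { issuer, serial } } };
    return cert_lookup(p, &k, &r);
}
int lookup_hash(const struct lookup_plugin *p, const unsigned char *hash) {
    const struct cert_rec *r; struct lookup_key k = { LOOKUP_BY_CERT_HASH, { .cert_hash = hash } };
    return cert_lookup(p, &k, &r);
}
int lookup_raw_type(const struct lookup_plugin *p, int type) {   /* a type this build never heard of */
    const struct cert_rec *r; struct lookup_key k = { type, { .subject = "" } };
    return cert_lookup(p, &k, &r);
}

int main(void)
{
    printf("alice by subject:   %d\n", lookup_subject(&FULL_PLUGIN, "CN=alice"));
    printf("serial 1002 (dup):  %d\n", lookup_issuer_serial(&FULL_PLUGIN, "CN=Test CA", 1002));
    printf("hash on old plugin: %d\n", lookup_hash(&OLD_PLUGIN, (const unsigned char *)"\xde\xad\xbe\xef"));
    return 0;
}
```

Because a plug-in advertises its methods as a bitmask rather than a version number, adding a fourth lookup type later only means a new enum value and a new union member: plug-ins built before it keep returning LOOKUP_UNSUPPORTED_METHOD for that type, and callers that already check the result code need no change.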