On 2009.10.13 at 14:30:50 +0200, Dr. Stephen Henson wrote:

> On Mon, Oct 12, 2009, Victor B. Wagner wrote:
> 
> > 
> > 2. Make X509_LOOKUP_hash_dir lookup method honour cache field in the
> > X509_STORE structure. (I think that it is better to make this field
> > a bit mask and interpret constants X509_LU_CERT and X509_LU_CRL as
> > bit flags, but it would conflict with X509_LU_PKEY constant, which 
> > seems to be unused anyway. But for first time handle this field as
> > boolean flag is better than nothing)
> > 
> 
> Ah I just remembered something about how this works which makes disabling
> caching more complex.
> 
> The X509_LOOKUP API retrieves one matching object: that's a limitation of the
> API. It however populates the cache with all matching objects. The API
> limitation can be worked around by examining the cache after a lookup.
> 
> If you disable the cache without having something equivalent to retrieve
> multiple matching objects you can stop verification working properly in some
> cases, for example:
> 
> 1. CRLs with only partial scope (deltas and partitioned ones).
> 2. Certificates with different AKID but same subject names.
> 3. Historical checks on chains using certificates and/or CRLs that are not
> current.
> 
> Admittedly #3 isn't likely to be used much but in the case of #1 and #2 some
> paths will just fail to verify. We'd at least need to document that: in many
> cases such features won't be used so it won't matter.
> 

This can be solved by just a one-line patch:
--- x509_lu.c.orig      2009-10-13 17:23:48.000000000 +0400
+++ x509_lu.c   2009-10-13 17:24:15.000000000 +0400
@@ -290,7 +290,7 @@
 
         tmp=X509_OBJECT_retrieve_by_subject(ctx->objs,type,name);
                  
                  -       if (tmp == NULL || type == X509_LU_CRL)
                  +       if (!cache || tmp == NULL || type == X509_LU_CRL)
                                  {
                                                                  for 
(i=vs->current_method;
                                                                                
  i<sk_X509_LOOKUP_num(ctx->get_cert_methods);
                                                                                
  i++)
                                                                                
                          {
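Review bot: `cache` is not declared anywhere in the visible hunk, so as posted this will not compile; the patch should include the line that reads it (presumably the boolean field on X509_STORE proposed in item 2 of the earlier mail, taken from `ctx`/`vs`) so reviewers can see its origin. Also note that `tmp=X509_OBJECT_retrieve_by_subject(ctx->objs,type,name);` still runs unconditionally before the new check, and the lookup methods invoked in the loop still populate `ctx->objs` with every match, so `!cache` only forces a fresh directory search on each call and does not stop the store from accumulating objects; that matches the drawback stated below the patch and is worth documenting next to the flag.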

This solution has the drawback that it doesn't save the memory used by the cache,
but it would make X509_STORE repeat the search in the hashed directory each
time if the cache is disabled.

And it still allows examining the cache for additional matches after the search.

I've now noticed that three years ago you already committed a fix
that makes the search for CRLs happen each time.



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
