On Wed, Nov 06, 2013, Rob Stradling wrote:

> These 2 #defines exist for SSL_CTX->extra_certs:
> SSL_CTX_add_extra_chain_cert
> SSL_CTX_get_extra_chain_certs
> SSL_CTX_clear_extra_chain_certs
>
> In 1.0.2-dev, the #defines such as SSL_CTX_add0_chain_cert allow me
> to specify different chains for different certificate types, but
> AFAICT there are no associated get() or clear() functions.
>
> I can't see a way to squeeze a standalone SSL_CTX_get_chain_certs
> function into SSL_CTX_ctrl(). There's only 1 pointer argument
> available, so I can't pass in an X509* (to indicate which cert I
> want the chain for) and get back a STACK_OF(X509)* (the chain).
>
> One option would be to have another SSL_CTX_ctrl #define called
> SSL_CTX_get_cert_type, which would accept an X509* and return the
> index of that cert (i.e. SSL_CTX->CERT->pkeys[index]->x509), or -1
> if not found. That index could then be passed to
> SSL_CTX_get_chain_certs in the larg argument.
> However, since the SSL_PKEY_* #defines are private (in ssl_locl.h),
> I'm unsure whether exposing these values in the public APIs would be
> acceptable.
>
> The other option would be to write SSL_CTX_get_chain_certs() as a
> proper function (instead of a SSL_CTX_ctrl #define), but I'm unsure
> whether or not that would be better than the first option.
>
> Any preference?
>
The index for certificates could change in future so I'd rather not expose it in a public API.

OpenSSL has the concept of a "current certificate" which could be used here. This refers to the last certificate set. So you'd have (for example) a way to retrieve extra chain certificates for the current certificate.

For that to work properly you'd also have to have a way to set the current certificate, without the risk of disturbing the existing structure. So perhaps something like:

int SSL_set_current_cert(SSL *ssl, X509 *x);

Which returns 1 and sets the current certificate to one containing 'x' if a match is found and returns 0 and does nothing if no match is found. Also with an SSL_CTX version.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
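To make the two proposals concrete, here is a small model of the "current certificate" design discussed above. It is added here for illustration and is not OpenSSL code: the X509 stand-in, the CERT/CERT_PKEY layout, the slot count CERT_SLOTS and the function names cert_* are all assumptions. The point it shows is that once a certificate can be selected by value (return 1 and select on a match, return 0 and touch nothing on a miss), the get and clear operations need no slot index and fit a single-pointer ctrl()-style call.

```c
#include <stddef.h>

/* Stand-in for OpenSSL's X509 type; certificates are matched by pointer. */
typedef struct { const char *subject; } X509;

#define MAX_CHAIN  4
#define CERT_SLOTS 3   /* assumed slot count; the real one is private */

typedef struct {
    X509 *x509;              /* end-entity certificate in this slot, or NULL */
    X509 *chain[MAX_CHAIN];  /* extra chain certificates for it */
    int chain_len;
} CERT_PKEY;

typedef struct {
    CERT_PKEY pkeys[CERT_SLOTS];
    CERT_PKEY *current;      /* the "current certificate": the last one set */
} CERT;

/* Proposed SSL_set_current_cert semantics: return 1 and select the slot
 * holding x, or return 0 and leave the structure untouched. No index leaks. */
int cert_set_current(CERT *c, const X509 *x)
{
    for (int i = 0; i < CERT_SLOTS; i++)
        if (c->pkeys[i].x509 != NULL && c->pkeys[i].x509 == x) {
            c->current = &c->pkeys[i];
            return 1;
        }
    return 0;
}

/* Getter that fits a ctrl()-style single pointer argument because the
 * certificate is implied. Returns the chain length, -1 if none is current. */
int cert_get_chain_certs(const CERT *c, X509 ***chain)
{
    if (c->current == NULL || c->current->x509 == NULL)
        return -1;
    *chain = c->current->chain;
    return c->current->chain_len;
}

/* Clears only the current certificate's chain; other slots stay intact. */
int cert_clear_chain_certs(CERT *c)
{
    if (c->current == NULL)
        return 0;
    c->current->chain_len = 0;
    return 1;
}
```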