2011/3/9 Dave Thompson <dthomp...@prinpay.com>
> > From: owner-openssl-us...@openssl.org On Behalf Of ikuzar
> > Sent: Tuesday, 08 March, 2011 13:02
>
> > I am going to explain below what I HAVE TO do :
> > a) I have to store certificates in a map which is a shared memory.
> > ( I have to do this, I have no choice, because I have to continue
> > what guy before me had started ). So I think it's better to store
> > x509 structure which represents the certificate instead of string.
> > I think it is a good idea. isn't it ?
>
> If the purpose of putting this data in shared memory is to share it,
> and assuming you mean the typedef X509 aka struct x509_st, no.
> Many openssl API structs, including that one, consist mostly of
> pointers to data stored elsewhere in memory -- which in any other
> process is invalid and will produce garbage or crashes.
>
> If you only need to share the map but not its contents, which would
> be silly, you could have X509's in your private memory, and just
> put pointers in the shared map, and no other process can use them,
> but if the map is keyed it could see the keys, and know that e.g.
> your process has *some* cert for server#3 or server.domain.name.
>
=> I want to make something like :
template<class StrType> struct certificate : shared {
StrType uri;
StrType sn;
StrType data;
certificate(X509* cert) {
char commonName[512];
subject_name = X509_get_subject_name(cert);
X509_NAME_get_text_by_NID(subject_name, NID_commonName, commonName,
512);
uri = commonName;
sn = get_sn(cert);// I 'll deal with it later
data = get_data(cert); // I 'll deal with it later
}
-- then, this certificate defined above is encapsulated in a cacheitem
structure.
-- In fact, map stores a range of cacheitem. Map will be read and written
from different 'forked' childs :
-- there is a class certmanager which manage these cacheitems ( add, get,
delete items from cache, ...etc). I use URI as key for map.
For example, I 'll search item which URI = 213...@etu-univ.com
>
>
> b) I must be able to extract uri, serial_number from x509
> > structure and store them into a STRING variable. Is there a way
> > to exact URI and SN ? ( see source code above ).
>
> You can definitely get serial. Warning: nowadays serials usually
> aren't sequential (i.e. not 1,2,3,...) and aren't so much numbers
> as longish bitstrings encoded as numbers. Best to treat it as
> opaque, and if you need a UI display it as hex bytes.
> In particular, it's not safe to treat serial directly
> as a C string, as the code in your earlier post seems to;
> if you want a C string and even more so if you want
> human-legible text, do hex or base64 or somesuch.
>
> What URI? policy? CRLdist? OCSP? Something else?
> If you can identify it you should be able to get it.
> And a (valid) URI will actually be good char-string data.
> Although if it's encoded as BMP(2byte) or Universal(4),
> you need appropriate 'wide' char/string support; any given
> C can't have both, and it's not guaranteed to have either.
>
> => I have to store in the certificate an URI which identify an user. this
> URI is like this : phone_number@domain. example : 0123456...@etu-univ.com(
> this is a SIP uri ). I though I could store it in CN ... was I wrong ?
> have any other suggestion ?
>
> But the combination of "URI" and serial doesn't make sense;
> they don't relate to each other at all. *Issuer* plus serial
> is commonly (but not always) used to identify a certificate.
> Issuer is never a URI. It is *sometimes* a domainname, which
> can be PART of a URL which is one kind of URI, but that is
> not the same thing as being a URI. If issuer is what you want,
> yes you can get it, and even in a nice-for-humans (but not
> necessarily programs) text string form, look for "oneline".
>
> > c) is it possible to send x509 structure (certificate)
> > to peer ? ( apart from handshake ) I 'd like to write something
> > like: SSL_write(ssl, X509* cert)
>
> No for the same reason as above; the x509_st itself has pointers
> only valid within one process memory. This is exactly why 'wire'
> encodings exist, and the usual one for X.509 (including SSL) is DER.
> Openssl also prefers DER or PEM-wrapped-DER for local storage,
> but here other methods are *possible*.
>
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
>
