Bug#829272: Missing accessors
On Mon, Jul 25, 2016 at 01:44:18PM +, Salz, Rich via RT wrote: > I am not sure what to suggest. This conversation is bouncing across > two ticket systems and is all about a legacy certificate format that > is, what, outdated since 2002? > I am hard-pressed to see why OpenSSL 1.1 has to do anything other than > what Richard proposed. The two ticket systems is indeed annoying and I don't know what to do about that (I did not start this thread) other than removing one of them. The point is that if OpenSSL is providing a verification callback which can be used to provide a custom verification of the cert chain, then it should provide the necessary handles and the thing still missing from what Richard proposed is a way to point to the failing certificate in the chain. We can set the error, but not at which depth in the chain the error occurred. This in itself is not limited to our use-case but is a general API request. Mischa > > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 > Please log in as guest with password guest if prompted > -- Nikhef Room H155 Science Park 105Tel. +31-20-592 5102 1098 XG Amsterdam Fax +31-20-592 5155 The Netherlands Email msa...@nikhef.nl __ .. ... _._. ._ ... ._ ._.. ._.. .._.. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 Please log in as guest with password guest if prompted
Bug#829272: Missing accessors
On Mon Jul 25 15:11:10 2016, levitte wrote: > On Mon Jul 25 14:28:04 2016, levitte wrote: > > BUT... I'm realising that when you do recognise a GT3 proxy (I think > > I've seen > > check_issued functions being used for that), there's no way for > > external code > > to set the proxy path length for the certificate in question. While > > that's fine > > for GT2 proxies (there's no pc path length there that I can see), it > > does need > > to be properly set for GT3 proxies. > > For this, https://github.com/openssl/openssl/pull/1348 ... and it got through our review process pretty quickly. All github PRs that have been mentioned so far have now been merged into master. I'm closing this ticket on our side (this will hopefully happen on the Debian side as well) as it seems to be covered by the code that has now been added. As for everything else that has been discussed here, which also touches on external methods of verification via the verification callback, I would say it's out of scope for this ticket. I am interested in these talks, but then by direct email. -- Richard Levitte levi...@openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 Please log in as guest with password guest if prompted
Bug#829272: Missing accessors
On Mon Jul 25 14:28:04 2016, levitte wrote: > BUT... I'm realising that when you do recognise a GT3 proxy (I think > I've seen > check_issued functions being used for that), there's no way for > external code > to set the proxy path length for the certificate in question. While > that's fine > for GT2 proxies (there's no pc path length there that I can see), it > does need > to be properly set for GT3 proxies. For this, https://github.com/openssl/openssl/pull/1348 Cheers, Richard -- Richard Levitte levi...@openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 Please log in as guest with password guest if prompted
Bug#829272: Missing accessors
On Mon Jul 25 12:39:43 2016, msa...@nikhef.nl wrote: > Hi Richard, > > On Mon, Jul 25, 2016 at 11:46:50AM +, Richard Levitte via RT > wrote: > > Is that code to cope with pathlen checking bugs? That's what it looks > > to me. In > > that case, it might no longer be needed with OpenSSL 1.1, along with > > some other > > stuff (the subject checking stuff comes to mind). Quite frankly, I > > think the > > grid source needs a good and hard look over, quite a bit of it > > shouldn't be > > needed any more. The exception is recognising pre-3820 proxy certs. > Yes it is, and although it's true that it's probably not needed for > RFC3820 proxy certs (although I haven't checked that) but we will need > to be able to verify GT3 proxies and we will need to be able to do the > whole chain verification there with the callback... Why do you need to do that? That sounds like your duplicating what's already being done for reasons I cannot fathom. BUT... I'm realising that when you do recognise a GT3 proxy (I think I've seen check_issued functions being used for that), there's no way for external code to set the proxy path length for the certificate in question. While that's fine for GT2 proxies (there's no pc path length there that I can see), it does need to be properly set for GT3 proxies. For the rest, though, I don't quite see why you'd need to check that path length *again* in the verification callback. The verification callback is meant to be used for the certification currently being checked, and should return 0 or 1, depending on if you want the current certificate to verify to to fail. That's it. The remaining thing to check, as far as I understand, is proxy policy. The X509_STORE_CTX ex_data is the place to accumulate data in to make sure policy continues to be valid thoughout the verification process. What, in all this, am I missing? > > Mischa > > > > Jan Just also sets the current_issuer in his grid-proxy-verify.c, > > > http://www.nikhef.nl/~janjust/proxy-verify/ > > > line 346, but I'm not sure that's necessary. > > > > > Mischa > > > > > > > > > > > Those functions are already present in pre-1.1 OpenSSL (at least > > > > in > > > > the 1.0.2 > > > > series) > > > > > > > > On Fri Jul 22 15:51:16 2016, msa...@nikhef.nl wrote: > > > > > Hi, > > > > > > > > > > unless I didn't look careful enough I think we might still be > > > > > missing > > > > > the current_cert (and current_issuer) from the X509_STORE_CTX, > > > > > as > > > > > advertised in > > > > > > > > > > > https://github.com/openssl/openssl/blob/master/doc/HOWTO/proxy_certificates.txt#L204 > > > > > and used in e.g. > > > > > https://github.com/italiangrid/voms/blob/master/src/sslutils/sslutils.c > > > > > and many other places for verifying the proxy chain or is there > > > > > a > > > > > better/other solution for that? > > > > > > > > > > Best wishes, > > > > > Mischa > > > > > > > > > > On Fri, Jul 22, 2016 at 03:26:26PM +, Richard Levitte via > > > > > RT > > > > > wrote: > > > > > > In addition to github PR 1294, there's now also PR 1339 which > > > > > > adds > > > > > > the function to set the EXFLAG_PROXY flag on a given > > > > > > certificate. > > > > > > > > > > > > Also, PR 1295 has been updated. Instead of a function that > > > > > > returns a > > > > > > lock, there is now a lock and an unlock function. > > > > > > > > > > > > To me, it seems that that covers what's being asked for. > > > > > > Perhaps > > > > > > not > > > > > > exactly (the setters are for X509_STORE only), but should be > > > > > > workable. > > > > > > > > > > > > (writing this from my mobile, sorry for the lack of github > > > > > > links) > > > > > > > > > > > > -- > > > > > > Richard Levitte > > > > > > levi...@openssl.org > > > > > > -- > > > > > > Ticket here: > > > > > > http://rt.openssl.org/Ticket/Display.html?id=4602 > > > > > > Please log in as guest with password guest if prompted > > > > > > > > > > > > -- > > > > > > To unsubscribe, send mail to 829272- > > > > > > unsubscr...@bugs.debian.org. > > > > > > > > > > > > -- > > > > Richard Levitte > > > > levi...@openssl.org > > > > > > > > -- > > > > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 > > > > Please log in as guest with password guest if prompted > > > > > > > > > > -- > > Richard Levitte > > levi...@openssl.org > > > > -- > > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 > > Please log in as guest with password guest if prompted > > -- Richard Levitte levi...@openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 Please log in as guest with password guest if prompted
Bug#829272: Missing accessors
I am not sure what to suggest. This conversation is bouncing across two ticket systems and is all about a legacy certificate format that is, what, outdated since 2002? I am hard-pressed to see why OpenSSL 1.1 has to do anything other than what Richard proposed. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 Please log in as guest with password guest if prompted
Bug#829272: Missing accessors
On Mon, Jul 25, 2016 at 12:47:56PM +, Salz, Rich via RT wrote: > > > That's exactly what we currently do, we provide a verification callback, but > > we do need to be able to set the failing cert in a chain for that. > > Stick it in EXDAT? I don't think I understand what you mean... For a proper callback, we need to be able to indicate which cert in the chain has failed. This used to be done by setting the 'current_cert' field in the CTX. I'm perfectly happy if we need to do this differently e.g. by using something like a X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx,int depth); similar to the existing X509_STORE_CTX_get_error_depth() That actually would make the most sense in any case I would think, although I would mean that for properly handling proxy chains it would have negative values according to the man-page... Mischa -- Nikhef Room H155 Science Park 105Tel. +31-20-592 5102 1098 XG Amsterdam Fax +31-20-592 5155 The Netherlands Email msa...@nikhef.nl __ .. ... _._. ._ ... ._ ._.. ._.. .._.. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 Please log in as guest with password guest if prompted smime.p7s Description: S/MIME cryptographic signature
Bug#829272: Missing accessors
> That's exactly what we currently do, we provide a verification callback, but > we do need to be able to set the failing cert in a chain for that. Stick it in EXDAT? -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 Please log in as guest with password guest if prompted
Bug#829272: Missing accessors
On Mon, Jul 25, 2016 at 12:42:21PM +, Salz, Rich via RT wrote: > Perhaps the GRID folks can just write their own validation routine completely? That's exactly what we currently do, we provide a verification callback, but we do need to be able to set the failing cert in a chain for that. Mischa > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 > Please log in as guest with password guest if prompted > -- Nikhef Room H155 Science Park 105Tel. +31-20-592 5102 1098 XG Amsterdam Fax +31-20-592 5155 The Netherlands Email msa...@nikhef.nl __ .. ... _._. ._ ... ._ ._.. ._.. .._.. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 Please log in as guest with password guest if prompted smime.p7s Description: S/MIME cryptographic signature
Bug#829272: Missing accessors
Perhaps the GRID folks can just write their own validation routine completely? -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 Please log in as guest with password guest if prompted
Bug#829272: Missing accessors
Hi Richard, On Mon, Jul 25, 2016 at 11:46:50AM +, Richard Levitte via RT wrote: > Is that code to cope with pathlen checking bugs? That's what it looks to me. > In > that case, it might no longer be needed with OpenSSL 1.1, along with some > other > stuff (the subject checking stuff comes to mind). Quite frankly, I think the > grid source needs a good and hard look over, quite a bit of it shouldn't be > needed any more. The exception is recognising pre-3820 proxy certs. Yes it is, and although it's true that it's probably not needed for RFC3820 proxy certs (although I haven't checked that) but we will need to be able to verify GT3 proxies and we will need to be able to do the whole chain verification there with the callback... Mischa > > Jan Just also sets the current_issuer in his grid-proxy-verify.c, > > http://www.nikhef.nl/~janjust/proxy-verify/ > > line 346, but I'm not sure that's necessary. > > > Mischa > > > > > > > > Those functions are already present in pre-1.1 OpenSSL (at least in > > > the 1.0.2 > > > series) > > > > > > On Fri Jul 22 15:51:16 2016, msa...@nikhef.nl wrote: > > > > Hi, > > > > > > > > unless I didn't look careful enough I think we might still be > > > > missing > > > > the current_cert (and current_issuer) from the X509_STORE_CTX, as > > > > advertised in > > > > > > > > https://github.com/openssl/openssl/blob/master/doc/HOWTO/proxy_certificates.txt#L204 > > > > and used in e.g. > > > > https://github.com/italiangrid/voms/blob/master/src/sslutils/sslutils.c > > > > and many other places for verifying the proxy chain or is there a > > > > better/other solution for that? > > > > > > > > Best wishes, > > > > Mischa > > > > > > > > On Fri, Jul 22, 2016 at 03:26:26PM +, Richard Levitte via RT > > > > wrote: > > > > > In addition to github PR 1294, there's now also PR 1339 which > > > > > adds > > > > > the function to set the EXFLAG_PROXY flag on a given certificate. > > > > > > > > > > Also, PR 1295 has been updated. Instead of a function that > > > > > returns a > > > > > lock, there is now a lock and an unlock function. > > > > > > > > > > To me, it seems that that covers what's being asked for. Perhaps > > > > > not > > > > > exactly (the setters are for X509_STORE only), but should be > > > > > workable. > > > > > > > > > > (writing this from my mobile, sorry for the lack of github links) > > > > > > > > > > -- > > > > > Richard Levitte > > > > > levi...@openssl.org > > > > > -- > > > > > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 > > > > > Please log in as guest with password guest if prompted > > > > > > > > > > -- > > > > > To unsubscribe, send mail to 829272-unsubscr...@bugs.debian.org. > > > > > > > > > -- > > > Richard Levitte > > > levi...@openssl.org > > > > > > -- > > > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 > > > Please log in as guest with password guest if prompted > > > > > > -- > Richard Levitte > levi...@openssl.org > > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 > Please log in as guest with password guest if prompted > -- Nikhef Room H155 Science Park 105Tel. +31-20-592 5102 1098 XG Amsterdam Fax +31-20-592 5155 The Netherlands Email msa...@nikhef.nl __ .. ... _._. ._ ... ._ ._.. ._.. .._.. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 Please log in as guest with password guest if prompted smime.p7s Description: S/MIME cryptographic signature
Bug#829272: Missing accessors
On Mon Jul 25 11:32:17 2016, msa...@nikhef.nl wrote: > On Sat, Jul 23, 2016 at 09:44:18AM +, Richard Levitte via RT > wrote: > > To get current_cert, it's X509_STORE_CTX_get_current_cert(). > > To get current_issuer, it's X509_STORE_CTX_get0_current_issuer() > > Hi Richard, > > yes, those I know, but the problem is the *setting* of the failing > cert. > Since we need to walk the whole chain for the proxy pathlength > verification, we need to be able to indicate which cert is failing. > See > e.g. > https://github.com/globus/globus- > toolkit/blob/globus_6_branch/gsi/callback/source/library/globus_gsi_callback.c#L1691 > and further, in particular line 1731. > VOMS is basically using the same code > https://github.com/italiangrid/voms/blob/master/src/sslutils/sslutils.c#L2236 > and further, in particular line 2255. Is that code to cope with pathlen checking bugs? That's what it looks to me. In that case, it might no longer be needed with OpenSSL 1.1, along with some other stuff (the subject checking stuff comes to mind). Quite frankly, I think the grid source needs a good and hard look over, quite a bit of it shouldn't be needed any more. The exception is recognising pre-3820 proxy certs. > Jan Just also sets the current_issuer in his grid-proxy-verify.c, > http://www.nikhef.nl/~janjust/proxy-verify/ > line 346, but I'm not sure that's necessary. > Mischa > > > > > Those functions are already present in pre-1.1 OpenSSL (at least in > > the 1.0.2 > > series) > > > > On Fri Jul 22 15:51:16 2016, msa...@nikhef.nl wrote: > > > Hi, > > > > > > unless I didn't look careful enough I think we might still be > > > missing > > > the current_cert (and current_issuer) from the X509_STORE_CTX, as > > > advertised in > > > > > https://github.com/openssl/openssl/blob/master/doc/HOWTO/proxy_certificates.txt#L204 > > > and used in e.g. > > > https://github.com/italiangrid/voms/blob/master/src/sslutils/sslutils.c > > > and many other places for verifying the proxy chain or is there a > > > better/other solution for that? > > > > > > Best wishes, > > > Mischa > > > > > > On Fri, Jul 22, 2016 at 03:26:26PM +, Richard Levitte via RT > > > wrote: > > > > In addition to github PR 1294, there's now also PR 1339 which > > > > adds > > > > the function to set the EXFLAG_PROXY flag on a given certificate. > > > > > > > > Also, PR 1295 has been updated. Instead of a function that > > > > returns a > > > > lock, there is now a lock and an unlock function. > > > > > > > > To me, it seems that that covers what's being asked for. Perhaps > > > > not > > > > exactly (the setters are for X509_STORE only), but should be > > > > workable. > > > > > > > > (writing this from my mobile, sorry for the lack of github links) > > > > > > > > -- > > > > Richard Levitte > > > > levi...@openssl.org > > > > -- > > > > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 > > > > Please log in as guest with password guest if prompted > > > > > > > > -- > > > > To unsubscribe, send mail to 829272-unsubscr...@bugs.debian.org. > > > > > > -- > > Richard Levitte > > levi...@openssl.org > > > > -- > > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 > > Please log in as guest with password guest if prompted > > -- Richard Levitte levi...@openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 Please log in as guest with password guest if prompted
Bug#829272: Missing accessors
On Sat, Jul 23, 2016 at 09:44:18AM +, Richard Levitte via RT wrote: > To get current_cert, it's X509_STORE_CTX_get_current_cert(). > To get current_issuer, it's X509_STORE_CTX_get0_current_issuer() Hi Richard, yes, those I know, but the problem is the *setting* of the failing cert. Since we need to walk the whole chain for the proxy pathlength verification, we need to be able to indicate which cert is failing. See e.g. https://github.com/globus/globus-toolkit/blob/globus_6_branch/gsi/callback/source/library/globus_gsi_callback.c#L1691 and further, in particular line 1731. VOMS is basically using the same code https://github.com/italiangrid/voms/blob/master/src/sslutils/sslutils.c#L2236 and further, in particular line 2255. Jan Just also sets the current_issuer in his grid-proxy-verify.c, http://www.nikhef.nl/~janjust/proxy-verify/ line 346, but I'm not sure that's necessary. Mischa > > Those functions are already present in pre-1.1 OpenSSL (at least in the 1.0.2 > series) > > On Fri Jul 22 15:51:16 2016, msa...@nikhef.nl wrote: > > Hi, > > > > unless I didn't look careful enough I think we might still be missing > > the current_cert (and current_issuer) from the X509_STORE_CTX, as > > advertised in > > > https://github.com/openssl/openssl/blob/master/doc/HOWTO/proxy_certificates.txt#L204 > > and used in e.g. > > https://github.com/italiangrid/voms/blob/master/src/sslutils/sslutils.c > > and many other places for verifying the proxy chain or is there a > > better/other solution for that? > > > > Best wishes, > > Mischa > > > > On Fri, Jul 22, 2016 at 03:26:26PM +, Richard Levitte via RT > > wrote: > > > In addition to github PR 1294, there's now also PR 1339 which adds > > > the function to set the EXFLAG_PROXY flag on a given certificate. > > > > > > Also, PR 1295 has been updated. Instead of a function that returns a > > > lock, there is now a lock and an unlock function. > > > > > > To me, it seems that that covers what's being asked for. Perhaps not > > > exactly (the setters are for X509_STORE only), but should be > > > workable. > > > > > > (writing this from my mobile, sorry for the lack of github links) > > > > > > -- > > > Richard Levitte > > > levi...@openssl.org > > > -- > > > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 > > > Please log in as guest with password guest if prompted > > > > > > -- > > > To unsubscribe, send mail to 829272-unsubscr...@bugs.debian.org. > > > -- > Richard Levitte > levi...@openssl.org > > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 > Please log in as guest with password guest if prompted > -- Nikhef Room H155 Science Park 105Tel. +31-20-592 5102 1098 XG Amsterdam Fax +31-20-592 5155 The Netherlands Email msa...@nikhef.nl __ .. ... _._. ._ ... ._ ._.. ._.. .._.. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 Please log in as guest with password guest if prompted smime.p7s Description: S/MIME cryptographic signature
Bug#829272: Missing accessors
To get current_cert, it's X509_STORE_CTX_get_current_cert(). To get current_issuer, it's X509_STORE_CTX_get0_current_issuer() Those functions are already present in pre-1.1 OpenSSL (at least in the 1.0.2 series) On Fri Jul 22 15:51:16 2016, msa...@nikhef.nl wrote: > Hi, > > unless I didn't look careful enough I think we might still be missing > the current_cert (and current_issuer) from the X509_STORE_CTX, as > advertised in > https://github.com/openssl/openssl/blob/master/doc/HOWTO/proxy_certificates.txt#L204 > and used in e.g. > https://github.com/italiangrid/voms/blob/master/src/sslutils/sslutils.c > and many other places for verifying the proxy chain or is there a > better/other solution for that? > > Best wishes, > Mischa > > On Fri, Jul 22, 2016 at 03:26:26PM +, Richard Levitte via RT > wrote: > > In addition to github PR 1294, there's now also PR 1339 which adds > > the function to set the EXFLAG_PROXY flag on a given certificate. > > > > Also, PR 1295 has been updated. Instead of a function that returns a > > lock, there is now a lock and an unlock function. > > > > To me, it seems that that covers what's being asked for. Perhaps not > > exactly (the setters are for X509_STORE only), but should be > > workable. > > > > (writing this from my mobile, sorry for the lack of github links) > > > > -- > > Richard Levitte > > levi...@openssl.org > > -- > > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 > > Please log in as guest with password guest if prompted > > > > -- > > To unsubscribe, send mail to 829272-unsubscr...@bugs.debian.org. -- Richard Levitte levi...@openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 Please log in as guest with password guest if prompted
Bug#829272: Missing accessors
Hi, Good point, I'll look into that. Also, thanks for the reminder, that HOWTO needs a rewrite, badly. Cheers Richard On Fri Jul 22 15:51:16 2016, msa...@nikhef.nl wrote: > Hi, > > unless I didn't look careful enough I think we might still be missing > the current_cert (and current_issuer) from the X509_STORE_CTX, as > advertised in > https://github.com/openssl/openssl/blob/master/doc/HOWTO/proxy_certificates.txt#L204 > and used in e.g. > https://github.com/italiangrid/voms/blob/master/src/sslutils/sslutils.c > and many other places for verifying the proxy chain or is there a > better/other solution for that? > > Best wishes, > Mischa > > On Fri, Jul 22, 2016 at 03:26:26PM +, Richard Levitte via RT > wrote: > > In addition to github PR 1294, there's now also PR 1339 which adds > > the function to set the EXFLAG_PROXY flag on a given certificate. > > > > Also, PR 1295 has been updated. Instead of a function that returns a > > lock, there is now a lock and an unlock function. > > > > To me, it seems that that covers what's being asked for. Perhaps not > > exactly (the setters are for X509_STORE only), but should be > > workable. > > > > (writing this from my mobile, sorry for the lack of github links) > > > > -- > > Richard Levitte > > levi...@openssl.org > > -- > > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 > > Please log in as guest with password guest if prompted > > > > -- > > To unsubscribe, send mail to 829272-unsubscr...@bugs.debian.org. -- Richard Levitte levi...@openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 Please log in as guest with password guest if prompted
Bug#829272: Missing accessors
Hi, unless I didn't look careful enough I think we might still be missing the current_cert (and current_issuer) from the X509_STORE_CTX, as advertised in https://github.com/openssl/openssl/blob/master/doc/HOWTO/proxy_certificates.txt#L204 and used in e.g. https://github.com/italiangrid/voms/blob/master/src/sslutils/sslutils.c and many other places for verifying the proxy chain or is there a better/other solution for that? Best wishes, Mischa On Fri, Jul 22, 2016 at 03:26:26PM +, Richard Levitte via RT wrote: > In addition to github PR 1294, there's now also PR 1339 which adds the > function to set the EXFLAG_PROXY flag on a given certificate. > > Also, PR 1295 has been updated. Instead of a function that returns a lock, > there is now a lock and an unlock function. > > To me, it seems that that covers what's being asked for. Perhaps not exactly > (the setters are for X509_STORE only), but should be workable. > > (writing this from my mobile, sorry for the lack of github links) > > -- > Richard Levitte > levi...@openssl.org > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 > Please log in as guest with password guest if prompted > > -- > To unsubscribe, send mail to 829272-unsubscr...@bugs.debian.org. -- Nikhef Room H155 Science Park 105Tel. +31-20-592 5102 1098 XG Amsterdam Fax +31-20-592 5155 The Netherlands Email msa...@nikhef.nl __ .. ... _._. ._ ... ._ ._.. ._.. .._.. smime.p7s Description: S/MIME cryptographic signature
Bug#829272: Missing accessors
In addition to github PR 1294, there's now also PR 1339 which adds the function to set the EXFLAG_PROXY flag on a given certificate. Also, PR 1295 has been updated. Instead of a function that returns a lock, there is now a lock and an unlock function. To me, it seems that that covers what's being asked for. Perhaps not exactly (the setters are for X509_STORE only), but should be workable. (writing this from my mobile, sorry for the lack of github links) -- Richard Levitte levi...@openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 Please log in as guest with password guest if prompted
Bug#829272: Missing accessors
On Fri, Jul 22, 2016 at 09:38:13AM +0200, Mattias Ellert wrote: > tor 2016-07-21 klockan 09:51 + skrev Richard Levitte via RT: > > On Thu Jul 21 08:18:30 2016, mattias.ell...@physics.uu.se wrote: > > > > > > ons 2016-07-20 klockan 15:14 + skrev Richard Levitte via RT: > > > > > > > > On Mon Jul 11 11:34:35 2016, mattias.ell...@physics.uu.se wrote: > > > > > > > > > > > > > > > I guess having a more restrictive accessor that only sets the > > > > > EXFLAG_PROXY bit could work. I suggested the more general > > > > > solution > > > > > of > > > > > having set/clear accessors for arbitrary flags since it was - > > > > > well > > > > > more > > > > > general. > > > > > > > > So let me ask this in a different manner, does OpenSSL 1.1 still > > > > not > > > > set the > > > > EXFLAG_PROXY flag correctly? In what situations does that happen? > > > > That may be > > > > worth a bug report of its own. > > > > > > > > -- > > > > Richard Levitte > > > > levi...@openssl.org > > > > > > > > > > The answer to this is related to Mischa's reply, which > > > unfortunately > > > was only sent to the Debian BTS and not the the OpenSSL RT. I quote > > > it > > > below. As indicated in the answer, setting the EXFLAG_PROXY allows > > > handling non-RFC proxies in OpenSSL. > > > > > > mån 2016-07-11 klockan 14:53 +0200 skrev Mischa Salle: > > > > > > > > Hi Richard, Mattias, others, > > > > > > > > I agree with you that it would be nice if OpenSSL could figure > > > > out > > > > itself whether a cert needs to be treated as a proxy, but > > > > currently > > > > that > > > > doesn't work reliably as far as I know. > > > > The flag is certainly needed in the case of non-RFC3820 proxies, > > > > also > > > > known as legacy proxies. Unfortunately these are still very > > > > widely > > > > used > > > > (majority of the proxies actually) and hence our code must be > > > > able to > > > > handle them correctly. > > > > > > > > Best wishes, > > > > Mischa Sallé > > > > > > > > Ok... From looking at the voms code that was linked to earlier, I can > > see that > > legacy proxy certs are recognised by an older OID (called > > PROXYCERTINFO_V3 in > > the code), 1.3.6.1.4.1.3536.1.222. Is there a spec for the extensions > > in that > > version, whether they are critical or not and so on, that I can > > reach? Or is > > the OID the only actual difference? If it's easy enough (and it > > currently does > > look quite easy), I can certainly see adding some code in OpenSSL to > > recognise > > those... > > > > -- > > Richard Levitte > > levi...@openssl.org > > As far as I know there are three different kinds of proxies, usually > called "legacy", "draft" and "rfc", or sometimes version 2, 3 and 4 > respectively. > > For example see "grid-proxy-init -help": > > -draftCreates a draft (GSI-3) proxy > -old Creates a legacy globus proxy > -rfc Creates a RFC 3820 compliant proxy > > The really tricky one is the old legacy version 2 proxy I think. Hi, there are 3 types of proxies, in chronological order: - so called legacy proxies, which voms-proxy-init will call old and are also known as GT2 proxies. They have no special (critical) extension and can be recognized by: 1) being signed by an end-entity cert (i.e. a non-CA) 2) have the same subjectDN as the issuer with one extra CN RDN added, which can be either a) "CN=proxy" for a 'inherit all' proxy b) "CN=limited proxy" for a limited proxy (as in OID 1.3.6.1.4.1.3536.1.1.1.9) These are widely used and we have therefore code in many places to handle them. - the draft RFC proxies, also known as GT3 proxies. They contain an extension 1.3.6.1.4.1.3536.1.222 At least voms-proxy-init does not mark it as critical. They are rarely used. The ordering in the extension is different in the sense that they usually put the proxyPolicy before the proxyPathlength (when finite, i.e. present) inside the extension, but RFC-style extensions also occur. In openssl.cnf style a GT3 extension would be something like this: [ gt3_proxy ] keyUsage = critical,digitalSignature,keyEncipherment 1.3.6.1.4.1.3536.1.222=critical,ASN1:SEQUENCE:gt3_seq_sect # For a proxy pathlength of 42, leave out field2 for inf. [ gt3_seq_sect ] field1 = SEQUENCE:normal_policy field2 = EXPLICIT:1C,INTEGER:42 # similarly for limited policy [ normal_policy ] p1 = OID:1.3.6.1.5.5.7.21.1 - RFC3820 compliant proxies, also known as GT4 proxies. They contain the standard critical extension 1.3.6.1.5.5.7.1.14 The default for at least voms-proxy-init (both from the voms-clients2 and voms-clients3) is to make the GT2 proxies, and this is why they are still very-widely used (I think vast majority of proxies). Mischa -- Nikhef Room H155 Science Park 105Tel. +31-20-592 5102 1098 XG Amsterdam Fax +31-
Bug#829272: Missing accessors
On Fri Jul 22 07:38:25 2016, mattias.ell...@physics.uu.se wrote: > tor 2016-07-21 klockan 09:51 + skrev Richard Levitte via RT: > > On Thu Jul 21 08:18:30 2016, mattias.ell...@physics.uu.se wrote: > > > > > > ons 2016-07-20 klockan 15:14 + skrev Richard Levitte via RT: > > > > > > > > On Mon Jul 11 11:34:35 2016, mattias.ell...@physics.uu.se wrote: > > > > > > > > > > > > > > > I guess having a more restrictive accessor that only sets the > > > > > EXFLAG_PROXY bit could work. I suggested the more general > > > > > solution > > > > > of > > > > > having set/clear accessors for arbitrary flags since it was - > > > > > well > > > > > more > > > > > general. > > > > > > > > So let me ask this in a different manner, does OpenSSL 1.1 still > > > > not > > > > set the > > > > EXFLAG_PROXY flag correctly? In what situations does that happen? > > > > That may be > > > > worth a bug report of its own. > > > > > > > > -- > > > > Richard Levitte > > > > levi...@openssl.org > > > > > > > > > > The answer to this is related to Mischa's reply, which > > > unfortunately > > > was only sent to the Debian BTS and not the the OpenSSL RT. I quote > > > it > > > below. As indicated in the answer, setting the EXFLAG_PROXY allows > > > handling non-RFC proxies in OpenSSL. > > > > > > mån 2016-07-11 klockan 14:53 +0200 skrev Mischa Salle: > > > > > > > > Hi Richard, Mattias, others, > > > > > > > > I agree with you that it would be nice if OpenSSL could figure > > > > out > > > > itself whether a cert needs to be treated as a proxy, but > > > > currently > > > > that > > > > doesn't work reliably as far as I know. > > > > The flag is certainly needed in the case of non-RFC3820 proxies, > > > > also > > > > known as legacy proxies. Unfortunately these are still very > > > > widely > > > > used > > > > (majority of the proxies actually) and hence our code must be > > > > able to > > > > handle them correctly. > > > > > > > > Best wishes, > > > > Mischa Sallé > > > > > > > > Ok... From looking at the voms code that was linked to earlier, I can > > see that > > legacy proxy certs are recognised by an older OID (called > > PROXYCERTINFO_V3 in > > the code), 1.3.6.1.4.1.3536.1.222. Is there a spec for the extensions > > in that > > version, whether they are critical or not and so on, that I can > > reach? Or is > > the OID the only actual difference? If it's easy enough (and it > > currently does > > look quite easy), I can certainly see adding some code in OpenSSL to > > recognise > > those... > > > > -- > > Richard Levitte > > levi...@openssl.org > > As far as I know there are three different kinds of proxies, usually > called "legacy", "draft" and "rfc", or sometimes version 2, 3 and 4 > respectively. > > For example see "grid-proxy-init -help": > > -draft Creates a draft (GSI-3) proxy > -old Creates a legacy globus proxy > -rfc Creates a RFC 3820 compliant proxy > > The really tricky one is the old legacy version 2 proxy I think. Ok, so after doing quite a bit of searching, I found some references to GT2 (old) in a 3.0 document: http://toolkit.globus.org/toolkit/docs/3.0/gsi/GSI-message-specification-02.doc (section 5) As I understand it, the GT2 format is a simple EE cert, with just two differences: 1. the issuer is also a EE (so it has the basic constraint CA set to false)... or it's another GT2 proxy, which amounts to the same thing. 2. the subject name is the issuer name plus an appended 'CN=Proxy' or 'CN=LimitedProxy' Good so far? My main problem here is GT3 (draft) proxy certs. If I look at https://tools.ietf.org/html/draft-ietf-pkix-proxy-10, they look exactly the same as RFC3820 proxy certs, down to the extension OID. If I look at a really old draft (http://sigillum.pl/upload/pdf/Internet%20X.509%20Public%20Key%20Infrastructure.%20Proxy%20Certificate%20Profile.pdf), the difference is *wild*, and if look at a random shell script (https://www.nikhef.nl/~janjust/proxy-verify/genproxy) I found while searching for OID 1.3.6.1.4.1.3536.1.222, I find a third variant that has a slightly different proycertinfo extension... Btw, this should really become a new ticket, along the lines of "OpenSSL doesn't recognise earlier proxy certs". -- Richard Levitte levi...@openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 Please log in as guest with password guest if prompted
Bug#829272: Missing accessors
tor 2016-07-21 klockan 09:51 + skrev Richard Levitte via RT: > On Thu Jul 21 08:18:30 2016, mattias.ell...@physics.uu.se wrote: > > > > ons 2016-07-20 klockan 15:14 + skrev Richard Levitte via RT: > > > > > > On Mon Jul 11 11:34:35 2016, mattias.ell...@physics.uu.se wrote: > > > > > > > > > > > > I guess having a more restrictive accessor that only sets the > > > > EXFLAG_PROXY bit could work. I suggested the more general > > > > solution > > > > of > > > > having set/clear accessors for arbitrary flags since it was - > > > > well > > > > more > > > > general. > > > > > > So let me ask this in a different manner, does OpenSSL 1.1 still > > > not > > > set the > > > EXFLAG_PROXY flag correctly? In what situations does that happen? > > > That may be > > > worth a bug report of its own. > > > > > > -- > > > Richard Levitte > > > levi...@openssl.org > > > > > > > The answer to this is related to Mischa's reply, which > > unfortunately > > was only sent to the Debian BTS and not the the OpenSSL RT. I quote > > it > > below. As indicated in the answer, setting the EXFLAG_PROXY allows > > handling non-RFC proxies in OpenSSL. > > > > mån 2016-07-11 klockan 14:53 +0200 skrev Mischa Salle: > > > > > > Hi Richard, Mattias, others, > > > > > > I agree with you that it would be nice if OpenSSL could figure > > > out > > > itself whether a cert needs to be treated as a proxy, but > > > currently > > > that > > > doesn't work reliably as far as I know. > > > The flag is certainly needed in the case of non-RFC3820 proxies, > > > also > > > known as legacy proxies. Unfortunately these are still very > > > widely > > > used > > > (majority of the proxies actually) and hence our code must be > > > able to > > > handle them correctly. > > > > > > Best wishes, > > > Mischa Sallé > > > > > Ok... From looking at the voms code that was linked to earlier, I can > see that > legacy proxy certs are recognised by an older OID (called > PROXYCERTINFO_V3 in > the code), 1.3.6.1.4.1.3536.1.222. Is there a spec for the extensions > in that > version, whether they are critical or not and so on, that I can > reach? Or is > the OID the only actual difference? If it's easy enough (and it > currently does > look quite easy), I can certainly see adding some code in OpenSSL to > recognise > those... > > -- > Richard Levitte > levi...@openssl.org As far as I know there are three different kinds of proxies, usually called "legacy", "draft" and "rfc", or sometimes version 2, 3 and 4 respectively. For example see "grid-proxy-init -help": -draftCreates a draft (GSI-3) proxy -old Creates a legacy globus proxy -rfc Creates a RFC 3820 compliant proxy The really tricky one is the old legacy version 2 proxy I think. Mattias -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 Please log in as guest with password guest if prompted smime.p7s Description: S/MIME cryptographic signature
Bug#829272: Missing accessors
(Dropping the Debian bug from Cc) On Wed, 2016-07-20 at 15:11 +, Richard Levitte via RT wrote: > On Mon Jul 11 14:04:22 2016, dw...@infradead.org wrote: > > I was using store.get_issuer() in OpenConnect too, because I need to > > manually build the trust chain to include it on the wire — because > > even today the server might *still* suffer RT#1942 and fail to trust > > our client cert unless we help it by providing the *right* chain. > > Is this still true with OpenSSL 1.1? If so, please file a report. No, I fixed it years ago in OpenSSL. But it took many years for Cisco to actually start *using* a fixed version of OpenSSL. So we still try really hard, on the client side, to put the *right* intermediate CAs on the wire if we can find them. Because that way it doesn't matter so much if the server can't. > > I've worked around the lack of access to get_issuer() by doing a dummy > > call to X509_verify_cert(), throwing away its result and then hoping > > that we have something useful in store.chain (which we *can* still > > access). That seems to work but I'm not stunningly happy with it; if > > we > > can have an accessor I'd much rather go back to doing it the old way. > > > > http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/0d635a0 > > (in workaround_openssl_certchain_bug() in the hunk around line 1306) > > https://github.com/openssl/openssl/pull/1294 currently provides a setter for > get_issuer in X509_STORE. OK, thanks. Once it lands, I may go back to using that. -- dwmw2 -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 Please log in as guest with password guest if prompted smime.p7s Description: S/MIME cryptographic signature
Bug#829272: Missing accessors
On Mon, Jul 11, 2016 at 02:53:05PM +0200, Mischa Salle wrote: > Hi Richard, Mattias, others, > > I agree with you that it would be nice if OpenSSL could figure out > itself whether a cert needs to be treated as a proxy, but currently that > doesn't work reliably as far as I know. > The flag is certainly needed in the case of non-RFC3820 proxies, also > known as legacy proxies. Unfortunately these are still very widely used > (majority of the proxies actually) and hence our code must be able to > handle them correctly. Is there a way to recoginize those non-RFC3820 proxies? Kurt -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 Please log in as guest with password guest if prompted
Bug#829272: Missing accessors
On Thu Jul 21 08:18:30 2016, mattias.ell...@physics.uu.se wrote: > ons 2016-07-20 klockan 15:14 + skrev Richard Levitte via RT: > > On Mon Jul 11 11:34:35 2016, mattias.ell...@physics.uu.se wrote: > > > > > > I guess having a more restrictive accessor that only sets the > > > EXFLAG_PROXY bit could work. I suggested the more general solution > > > of > > > having set/clear accessors for arbitrary flags since it was - well > > > more > > > general. > > > > So let me ask this in a different manner, does OpenSSL 1.1 still not > > set the > > EXFLAG_PROXY flag correctly? In what situations does that happen? > > That may be > > worth a bug report of its own. > > > > -- > > Richard Levitte > > levi...@openssl.org > > > > The answer to this is related to Mischa's reply, which unfortunately > was only sent to the Debian BTS and not the the OpenSSL RT. I quote it > below. As indicated in the answer, setting the EXFLAG_PROXY allows > handling non-RFC proxies in OpenSSL. > > mån 2016-07-11 klockan 14:53 +0200 skrev Mischa Salle: > > Hi Richard, Mattias, others, > > > > I agree with you that it would be nice if OpenSSL could figure out > > itself whether a cert needs to be treated as a proxy, but currently > > that > > doesn't work reliably as far as I know. > > The flag is certainly needed in the case of non-RFC3820 proxies, also > > known as legacy proxies. Unfortunately these are still very widely > > used > > (majority of the proxies actually) and hence our code must be able to > > handle them correctly. > > > > Best wishes, > > Mischa Sallé > > Ok... From looking at the voms code that was linked to earlier, I can see that legacy proxy certs are recognised by an older OID (called PROXYCERTINFO_V3 in the code), 1.3.6.1.4.1.3536.1.222. Is there a spec for the extensions in that version, whether they are critical or not and so on, that I can reach? Or is the OID the only actual difference? If it's easy enough (and it currently does look quite easy), I can certainly see adding some code in OpenSSL to recognise those... -- Richard Levitte levi...@openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 Please log in as guest with password guest if prompted
Bug#829272: Missing accessors
ons 2016-07-20 klockan 15:14 + skrev Richard Levitte via RT: > On Mon Jul 11 11:34:35 2016, mattias.ell...@physics.uu.se wrote: > > > > I guess having a more restrictive accessor that only sets the > > EXFLAG_PROXY bit could work. I suggested the more general solution of > > having set/clear accessors for arbitrary flags since it was - well > > more > > general. > > So let me ask this in a different manner, does OpenSSL 1.1 still not set the > EXFLAG_PROXY flag correctly? In what situations does that happen? That may be > worth a bug report of its own. > > -- > Richard Levitte > levi...@openssl.org > The answer to this is related to Mischa's reply, which unfortunately was only sent to the Debian BTS and not the the OpenSSL RT. I quote it below. As indicated in the answer, setting the EXFLAG_PROXY allows handling non-RFC proxies in OpenSSL. mån 2016-07-11 klockan 14:53 +0200 skrev Mischa Salle: > Hi Richard, Mattias, others, > > I agree with you that it would be nice if OpenSSL could figure out > itself whether a cert needs to be treated as a proxy, but currently that > doesn't work reliably as far as I know. > The flag is certainly needed in the case of non-RFC3820 proxies, also > known as legacy proxies. Unfortunately these are still very widely used > (majority of the proxies actually) and hence our code must be able to > handle them correctly. > > Best wishes, > Mischa Sallé > -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 Please log in as guest with password guest if prompted smime.p7s Description: S/MIME cryptographic signature
Bug#829272: Missing accessors
Hi Richard, On 20/07/16 17:14, Richard Levitte via RT wrote: > On Mon Jul 11 11:34:35 2016, mattias.ell...@physics.uu.se wrote: >> I guess having a more restrictive accessor that only sets the >> EXFLAG_PROXY bit could work. I suggested the more general solution of >> having set/clear accessors for arbitrary flags since it was - well >> more >> general. > So let me ask this in a different manner, does OpenSSL 1.1 still not set the > EXFLAG_PROXY flag correctly? In what situations does that happen? That may be > worth a bug report of its own. > this ties into my earlier question and example of verifying proxy certificates. What if I want to explicitly *set* the EXFLAG_PROXY for a stack of certificates? how would I do that? how can I ensure that OpenSSL 1.1 will automagically trigger this flag for me? Is there a 'get_*' function to determine which flags were set during certificate verification? thanks for any pointers or advice, JJK / Jan Just Keijser -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 Please log in as guest with password guest if prompted
Bug#829272: Missing accessors
On Mon Jul 11 14:04:22 2016, dw...@infradead.org wrote: > I was using store.get_issuer() in OpenConnect too, because I need to > manually build the trust chain to include it on the wire — because > even today the server might *still* suffer RT#1942 and fail to trust > our client cert unless we help it by providing the *right* chain. Is this still true with OpenSSL 1.1? If so, please file a report. > I've worked around the lack of access to get_issuer() by doing a dummy > call to X509_verify_cert(), throwing away its result and then hoping > that we have something useful in store.chain (which we *can* still > access). That seems to work but I'm not stunningly happy with it; if > we > can have an accessor I'd much rather go back to doing it the old way. > > http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/0d635a0 > (in workaround_openssl_certchain_bug() in the hunk around line 1306) https://github.com/openssl/openssl/pull/1294 currently provides a setter for get_issuer in X509_STORE. -- Richard Levitte levi...@openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 Please log in as guest with password guest if prompted
Bug#829272: Missing accessors
On Mon Jul 11 11:34:35 2016, mattias.ell...@physics.uu.se wrote: > I guess having a more restrictive accessor that only sets the > EXFLAG_PROXY bit could work. I suggested the more general solution of > having set/clear accessors for arbitrary flags since it was - well > more > general. So let me ask this in a different manner, does OpenSSL 1.1 still not set the EXFLAG_PROXY flag correctly? In what situations does that happen? That may be worth a bug report of its own. -- Richard Levitte levi...@openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 Please log in as guest with password guest if prompted
Bug#829272: Missing accessors
On Mon, 2016-07-11 at 13:08 +, Mattias Ellert via RT wrote: > > > Looking at the various places in the code where get_issuer > and check_issued are accessed, they mostly use the context rather than > the store. Here are the places I have found: > > https://sources.debian.net/src/nordugrid-arc/5.1.2-1/src/hed/libs/credential/CertUtil.cpp/#L71 > > https://sources.debian.net/src/canl-c/2.1.6-2/src/proxy/sslutils.c/#L1581 > > https://sources.debian.net/src/voms/2.0.13-1/src/sslutils/sslutils.c/#L1588 > > https://sources.debian.net/src/globus-gsi-callback/5.8-2/library/globus_gsi_callback.c/#L367 > > https://sources.debian.net/src/globus-gsi-callback/5.8-2/library/globus_gsi_callback.c/#L1059 > > https://sources.debian.net/src/globus-gsi-credential/7.9-2/library/globus_gsi_cred_handle.c/#L1997 > > And the following one actually uses the store and not the context: > > https://sources.debian.net/src/globus-gssapi-gsi/12.1-1/library/globus_i_gsi_gss_utils.c/#L448 I was using store.get_issuer() in OpenConnect too, because I need to manually build the trust chain to include it on the wire — because even today the server might *still* suffer RT#1942 and fail to trust our client cert unless we help it by providing the *right* chain. I've worked around the lack of access to get_issuer() by doing a dummy call to X509_verify_cert(), throwing away its result and then hoping that we have something useful in store.chain (which we *can* still access). That seems to work but I'm not stunningly happy with it; if we can have an accessor I'd much rather go back to doing it the old way. http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/0d635a0 (in workaround_openssl_certchain_bug() in the hunk around line 1306) -- dwmw2 -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 Please log in as guest with password guest if prompted
Bug#829272: Missing accessors
fre 2016-07-08 klockan 06:08 + skrev Richard Levitte via RT: > On Thu Jul 07 21:29:09 2016, levitte wrote: > > On Sat Jul 02 10:59:38 2016, k...@roeckx.be wrote: > > > /* Add to include/openssl/x509_vfy.h : */ > > > > > > typedef int (*X509_STORE_CTX_get_issuer)(X509 **issuer, > > > X509_STORE_CTX > > > *ctx, X509 *x); > > > typedef int (*X509_STORE_CTX_check_issued)(X509_STORE_CTX *ctx, > > > X509 > > > *x, X509 *issuer); > > > > > > void X509_STORE_CTX_set_get_issuer(X509_STORE_CTX *ctx, > > > X509_STORE_CTX_get_issuer > > > get_issuer); > > > X509_STORE_CTX_get_issuer > > > X509_STORE_CTX_get_get_issuer(X509_STORE_CTX > > > *ctx); > > > void X509_STORE_CTX_set_check_issued(X509_STORE_CTX *ctx, > > > X509_STORE_CTX_check_issued > > > check_issued); > > > X509_STORE_CTX_check_issued > > > X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx); > > > > For this part, https://github.com/openssl/openssl/pull/1294 > > So, looking at this again after some sleep, there's a part of this > solution > that I'm unsure of, and it all comes back to X509_STORE_CTX_init(), > where the > X509_STORE context gets initialised from the X509_STORE, including > all the > function pointers. This has me wonder if the X509_STORE_CTX setters > should > really be made available (perhaps with the exception of the verify > and > verify_cb ones). Doesn't it make more sense to set those function > pointers when > creating the X509_STORE itself? Why would those functions need to be > changed in > the context? > > Cheers, > Richard > > -- > Richard Levitte > levi...@openssl.org > Looking at the various places in the code where get_issuer and check_issued are accessed, they mostly use the context rather than the store. Here are the places I have found: https://sources.debian.net/src/nordugrid-arc/5.1.2-1/src/hed/libs/credential/CertUtil.cpp/#L71 https://sources.debian.net/src/canl-c/2.1.6-2/src/proxy/sslutils.c/#L1581 https://sources.debian.net/src/voms/2.0.13-1/src/sslutils/sslutils.c/#L1588 https://sources.debian.net/src/globus-gsi-callback/5.8-2/library/globus_gsi_callback.c/#L367 https://sources.debian.net/src/globus-gsi-callback/5.8-2/library/globus_gsi_callback.c/#L1059 https://sources.debian.net/src/globus-gsi-credential/7.9-2/library/globus_gsi_cred_handle.c/#L1997 And the following one actually uses the store and not the context: https://sources.debian.net/src/globus-gssapi-gsi/12.1-1/library/globus_i_gsi_gss_utils.c/#L448 Mattias -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 Please log in as guest with password guest if prompted smime.p7s Description: S/MIME cryptographic signature
Bug#829272: Missing accessors
On Thu Jul 07 21:29:09 2016, levitte wrote: > On Sat Jul 02 10:59:38 2016, k...@roeckx.be wrote: > > /* Add to include/openssl/x509_vfy.h : */ > > > > typedef int (*X509_STORE_CTX_get_issuer)(X509 **issuer, X509_STORE_CTX > > *ctx, X509 *x); > > typedef int (*X509_STORE_CTX_check_issued)(X509_STORE_CTX *ctx, X509 > > *x, X509 *issuer); > > > > void X509_STORE_CTX_set_get_issuer(X509_STORE_CTX *ctx, > > X509_STORE_CTX_get_issuer > > get_issuer); > > X509_STORE_CTX_get_issuer X509_STORE_CTX_get_get_issuer(X509_STORE_CTX > > *ctx); > > void X509_STORE_CTX_set_check_issued(X509_STORE_CTX *ctx, > > X509_STORE_CTX_check_issued > > check_issued); > > X509_STORE_CTX_check_issued > > X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx); > > For this part, https://github.com/openssl/openssl/pull/1294 So, looking at this again after some sleep, there's a part of this solution that I'm unsure of, and it all comes back to X509_STORE_CTX_init(), where the X509_STORE context gets initialised from the X509_STORE, including all the function pointers. This has me wonder if the X509_STORE_CTX setters should really be made available (perhaps with the exception of the verify and verify_cb ones). Doesn't it make more sense to set those function pointers when creating the X509_STORE itself? Why would those functions need to be changed in the context? Cheers, Richard -- Richard Levitte levi...@openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602 Please log in as guest with password guest if prompted
Bug#829272: [Pkg-openssl-devel] Bug#829272: Missing accessors
forwarded 829272 https://rt.openssl.org/Ticket/Display.html?id=4602&user=guest&pass=guest thanks On Fri, Jul 01, 2016 at 10:52:40PM +0200, Mattias Ellert wrote: > > I got a lot of bugs filed about packages FTBFS with openssl 1.1.0. > I started to look at some of them, and many of them are due too > structures having been made opaque. In many cases accessors already > exists, but definitely not for all. I forwarded this upstream. Kurt
Bug#829272: Missing accessors
Package: openssl Version: 1.1.0~pre5-4 Severity: important Control: block 828316 by -1 Control: block 828318 by -1 Control: block 828595 by -1 Hi! I got a lot of bugs filed about packages FTBFS with openssl 1.1.0. I started to look at some of them, and many of them are due too structures having been made opaque. In many cases accessors already exists, but definitely not for all. Here is a list of accessors I so far have identified as missing. The filenames given in the "Add to ..." comments below are suggestions based on where similar functions are defined and implemented. /* Add to include/openssl/x509_vfy.h : */ typedef int (*X509_STORE_CTX_get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); typedef int (*X509_STORE_CTX_check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); void X509_STORE_CTX_set_get_issuer(X509_STORE_CTX *ctx, X509_STORE_CTX_get_issuer get_issuer); X509_STORE_CTX_get_issuer X509_STORE_CTX_get_get_issuer(X509_STORE_CTX *ctx); void X509_STORE_CTX_set_check_issued(X509_STORE_CTX *ctx, X509_STORE_CTX_check_issued check_issued); X509_STORE_CTX_check_issued X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx); /* Add to crypto/x509/x509_vfy.c : */ void X509_STORE_CTX_set_get_issuer(X509_STORE_CTX *ctx, X509_STORE_CTX_get_issuer get_issuer) { ctx->get_issuer = get_issuer; } X509_STORE_CTX_get_issuer X509_STORE_CTX_get_get_issuer(X509_STORE_CTX *ctx) { return ctx->get_issuer; } void X509_STORE_CTX_set_check_issued(X509_STORE_CTX *ctx, X509_STORE_CTX_check_issued check_issued) { ctx->check_issued = check_issued; } X509_STORE_CTX_check_issued X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx) { return ctx->check_issued; } /* Add to include/openssl/x509v3.h */ void X509_set_extension_flags(X509 *x, uint32_t ex_flags); void X509_clear_extension_flags(X509 *x, uint32_t ex_flags); /* Add to crypto/x509v3/v3_purp.c */ void X509_set_extension_flags(X509 *x, uint32_t ex_flags) { x->ex_flags |= ex_flags; } void X509_clear_extension_flags(X509 *x, uint32_t ex_flags) { x->ex_flags &= ~ex_flags; } Regarding the new locking. Do I understand it correctly that e.g. CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); should be replaced by something like CRYPTO_THREAD_write_lock(X509_STORE_get_lock(ctx)); But then the accessors to get hold of the lock objects in the opaque structs are missing. E.g. /* Add to some header file */ CRYPTO_RWLOCK *X509_STORE_get_lock(X509_STORE *ctx); /* Add to some implementation file */ /* Add to crypto/x509/x509_lu.c */ CRYPTO_RWLOCK *X509_STORE_get_lock(X509_STORE *v) { return v->lock; } Repeat for other relevant classes with locks. Mattias signature.asc Description: This is a digitally signed message part