On Sat, Jul 23, 2016 at 09:44:18AM +0000, Richard Levitte via RT wrote:
> To get current_cert, it's X509_STORE_CTX_get_current_cert().
> To get current_issuer, it's X509_STORE_CTX_get0_current_issuer()

Hi Richard,

yes, those I know, but the problem is the *setting* of the failing cert.
Since we need to walk the whole chain for the proxy pathlength
verification, we need to be able to indicate which cert is failing.
See e.g.
https://github.com/globus/globus-toolkit/blob/globus_6_branch/gsi/callback/source/library/globus_gsi_callback.c#L1691
and further, in particular line 1731.
VOMS is basically using the same code
https://github.com/italiangrid/voms/blob/master/src/sslutils/sslutils.c#L2236
and further, in particular line 2255.
Jan Just also sets the current_issuer in his grid-proxy-verify.c,
http://www.nikhef.nl/~janjust/proxy-verify/ line 346, but I'm not sure
that's necessary.

Mischa

>
> Those functions are already present in pre-1.1 OpenSSL (at least in the 1.0.2
> series)
>
> On Fri Jul 22 15:51:16 2016, msa...@nikhef.nl wrote:
> > Hi,
> >
> > unless I didn't look carefully enough I think we might still be missing
> > the current_cert (and current_issuer) from the X509_STORE_CTX, as
> > advertised in
> > https://github.com/openssl/openssl/blob/master/doc/HOWTO/proxy_certificates.txt#L204
> > and used in e.g.
> > https://github.com/italiangrid/voms/blob/master/src/sslutils/sslutils.c
> > and many other places for verifying the proxy chain or is there a
> > better/other solution for that?
> >
> > Best wishes,
> > Mischa
> >
> > On Fri, Jul 22, 2016 at 03:26:26PM +0000, Richard Levitte via RT
> > wrote:
> > > In addition to github PR 1294, there's now also PR 1339 which adds
> > > the function to set the EXFLAG_PROXY flag on a given certificate.
> > >
> > > Also, PR 1295 has been updated. Instead of a function that returns a
> > > lock, there is now a lock and an unlock function.
> > >
> > > To me, it seems that that covers what's being asked for. Perhaps not
> > > exactly (the setters are for X509_STORE only), but should be
> > > workable.
> > >
> > > (writing this from my mobile, sorry for the lack of github links)
> > >
> > > --
> > > Richard Levitte
> > > levi...@openssl.org
> > > --
> > > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4602
> > > Please log in as guest with password guest if prompted
> > >
> > > --
> > > To unsubscribe, send mail to 829272-unsubscr...@bugs.debian.org.
> > >
> --
> Richard Levitte
> levi...@openssl.org
>
--
Nikhef                      Room  H155
Science Park 105            Tel.  +31-20-592 5102
1098 XG Amsterdam           Fax   +31-20-592 5155
The Netherlands             Email msa...@nikhef.nl
__ .. ... _._. .... ._   ... ._ ._.. ._.. .._..
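The chain walk Mischa refers to, as an added example that is not code from this thread, from OpenSSL, Globus or VOMS: it models the RFC 3820 proxy path-length check over a leaf-first chain and reports the depth of the certificate that fails, which is the value the thread wants a verifier to expose through current_cert (and its issuer through current_issuer). It is written without OpenSSL so it compiles on its own; `model_cert`, the `PV_*` result codes and the constructed chains are all assumptions of this example, standing in for an `X509` with EXFLAG_PROXY set and its pCPathLenConstraint.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Added example (not code from the thread, OpenSSL, Globus or VOMS).
 * model_cert stands in for the two X509 fields the check needs: whether
 * EXFLAG_PROXY is set, and the pCPathLenConstraint of RFC 3820.
 */
typedef struct {
    const char *label; /* constructed subject name, used for reporting only */
    int is_proxy;      /* analogue of EXFLAG_PROXY being set on the cert */
    int pc_pathlen;    /* pCPathLenConstraint; -1 when no constraint is present */
} model_cert;

/* Result codes chosen for this example; they are not OpenSSL X509_V_ERR_* values. */
enum proxy_verify_error {
    PV_OK = 0,
    PV_PROXY_PATH_LENGTH_EXCEEDED = 1,
    PV_NON_PROXY_ISSUED_BY_PROXY = 2
};

/*
 * Walk a chain ordered leaf first (chain[0] is the end entity, chain[n-1] the
 * trust anchor), the order an X509_STORE_CTX chain has. RFC 3820 says a
 * proxy's pCPathLenConstraint bounds how many further proxies may hang below
 * it, and that a proxy may only sign proxies. On failure *failing_depth
 * receives the index of the offending certificate, i.e. what a verifier would
 * surface as current_cert / error_depth; its issuer sits at failing_depth + 1,
 * which is what current_issuer would point at.
 */
enum proxy_verify_error verify_proxy_path(const model_cert *chain, size_t n,
                                          size_t *failing_depth)
{
    size_t proxies_below = 0; /* proxies already seen at lower depths */
    size_t i;

    for (i = 0; i < n; i++) {
        if (chain[i].is_proxy) {
            /* The cert carrying the constraint is the one reported on violation. */
            if (chain[i].pc_pathlen >= 0 &&
                proxies_below > (size_t)chain[i].pc_pathlen) {
                if (failing_depth) *failing_depth = i;
                return PV_PROXY_PATH_LENGTH_EXCEEDED;
            }
            /* The cert this proxy signed (one level down) must itself be a proxy. */
            if (i > 0 && !chain[i - 1].is_proxy) {
                if (failing_depth) *failing_depth = i - 1;
                return PV_NON_PROXY_ISSUED_BY_PROXY;
            }
            proxies_below++;
        }
    }
    if (failing_depth) *failing_depth = n;
    return PV_OK;
}

/* Constructed chains: a user proxy delegating twice under a CA-issued user cert. */
static const model_cert chain_ok[] = {
    { "proxy level 2", 1, -1 },
    { "proxy level 1", 1,  1 }, /* allows one proxy below it: satisfied */
    { "user cert",     0, -1 },
    { "CA",            0, -1 },
};
static const model_cert chain_too_deep[] = {
    { "proxy level 2", 1, -1 },
    { "proxy level 1", 1,  0 }, /* allows no proxies below it: violated by level 2 */
    { "user cert",     0, -1 },
    { "CA",            0, -1 },
};
static const model_cert chain_bad_issuer[] = {
    { "non-proxy leaf", 0, -1 }, /* signed by a proxy, which RFC 3820 forbids */
    { "proxy level 1",  1, -1 },
    { "user cert",      0, -1 },
    { "CA",             0, -1 },
};

/* Returns the depth the walk reports for the over-delegated chain. */
size_t report_failing_depth(void)
{
    size_t depth = 0;
    verify_proxy_path(chain_too_deep, 4, &depth);
    return depth;
}

int main(void)
{
    size_t depth;
    enum proxy_verify_error err;

    err = verify_proxy_path(chain_ok, 4, &depth);
    printf("chain_ok: %s\n", err == PV_OK ? "valid" : "invalid");

    err = verify_proxy_path(chain_too_deep, 4, &depth);
    if (err != PV_OK)
        printf("chain_too_deep: error %d at depth %zu (%s)\n",
               (int)err, depth, chain_too_deep[depth].label);
    return 0;
}
```

Reporting the certificate that carries the violated constraint, rather than the excess proxy below it, is a choice made for this example; what matters for the thread's question is that the walk records a depth and that the verify callback can then translate it into the certificate and issuer a caller will see.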