wahern / luaossl

Most comprehensive OpenSSL module in the Lua universe.

Home Page:http://25thandclement.com/~william/projects/luaossl.html


Pass other fields to x509.store:verify()

daurnimator opened this issue · comments

Extend x509.store:verify() to take other fields

  • X509_STORE_CTX_set0_param
  • X509_STORE_CTX_set0_crls

I suggest that the function should instead take a table.

Additionally, the store argument is optional: so perhaps this function shouldn't live as a store method?
I was considering if it should be under the plain openssl.x509 module. The only compulsory argument is the cert itself. The C function is int X509_verify_cert(X509_STORE_CTX *ctx);. However the man page has under BUGS:

This function uses the header x509.h as opposed to most chain verification functions which use x509_vfy.h

Which suggests that maybe placing it under x509 would be a mistake?
Perhaps just as a static method/normal function in the x509.store module?

It looks like a store internally does have most of the extra fields you can set, e.g. a store contains its own X509_VERIFY_PARAMS.
What is odd though, is that a SSL_CTX doesn't use any of these X509_STORE fields.

This makes it hard to ensure that someone using the same store gets the same results when creating an SSL connection vs when calling :verify()

It looks like OpenSSL does verification in a roundabout way: SSL_CTX settings are copied into the SSL object, then the verification occurs in ssl_verify_cert_chain in ssl/ssl_cert.c

Is there any update on this?
Has support for the X509_STORE_CTX_set0_param API been added?

@shagunagarwal89 what is your use case for this?
I ended up not needing this for the project I was working on.

@daurnimator, to add on to the query raised by @shagunagarwal89, the use case we are trying to achieve is as follows:

  1. We have an Nginx server which is doing the SSL handshake with 2-way SSL, but in this case Nginx will not validate the SSL client certificate; it will just receive the client certificate during the handshake process.
    We use the below option in nginx to achieve that:
    ssl_verify_client optional_no_ca
    http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client
    The optional_no_ca parameter requests the client certificate but does not require it to be signed by a trusted CA certificate. This is intended for the use in cases when a service that is external to nginx performs the actual certificate verification.
    So, as per the above option, in this case we are using the luaossl module to perform the actual certificate verification.

  2. We are able to verify the client certificate with luaossl successfully using the below code
    Lua Code Snippet
    local openssl_store = require "openssl.x509.store"
    local openssl_x509 = require "openssl.x509"

    -- Add Certificates to Store (built once, reused across requests)
    local ca_store = openssl_store.new()
    ca_store:add("/home/certs/ca_certs.crt")

    -- Verify Incoming Certificate with Certificate from store.
    -- x509.new() needs the PEM certificate; ngx.var.ssl_client_s_dn is only the
    -- subject DN string, so the PEM from $ssl_client_raw_cert is used instead.
    -- On success the second return value is the verified chain, on failure the error string.
    local ca_check, chain_or_err = ca_store:verify(openssl_x509.new(ngx.var.ssl_client_raw_cert))

But the problem is that we are not able to set the verification depth of the certificate.
Please let us know how to proceed in this case.

@wahern, please let us know if this is achievable, or whether there is any workaround for the same?
Passing other fields to x509.store:verify(), to pass the ssl_verify_depth parameter
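The full nginx-plus-luaossl flow from the post above, with the missing depth limit enforced, as an added example (not code from the luaossl project or from the issue's participants). Assumptions: the CA bundle path /home/certs/ca_certs.crt from the post; nginx's $ssl_client_raw_cert variable for the client PEM; that the luaossl release in use provides openssl.x509.verify_param with setDepth() and lets store:verify() take such an object as its third argument (later luaossl releases do, check luaossl.md for yours); and that the chain returned by a successful verify exposes all() returning the certificates OpenSSL built, leaf first and trust anchor last. The fallback branch needs none of the verify_param API and bounds the depth by counting the intermediates in that chain.

```lua
-- Added example, not luaossl's own code. Client-certificate verification for
--   ssl_verify_client optional_no_ca;
-- where nginx hands over the certificate without checking it, with a depth
-- limit equivalent in meaning to nginx's ssl_verify_depth.
local x509  = require "openssl.x509"
local store = require "openssl.x509.store"
-- Assumed module (present in later luaossl releases); absent on old ones.
local have_vp, verify_param = pcall(require, "openssl.x509.verify_param")

-- Build the trust store once, at init time, not per request.
local CA_BUNDLE = "/home/certs/ca_certs.crt"   -- path assumed from the post
local ca_store = store.new()
ca_store:add(CA_BUNDLE)

-- Verify a PEM client certificate. max_depth is the maximum number of
-- intermediate CAs allowed between the leaf and the trust anchor.
-- Returns true, certs on success; false, reason on failure.
local function verify_client(pem, max_depth)
  if not pem or pem == "" then
    return false, "no client certificate presented"
  end
  -- x509.new raises on unparsable input, so guard it with pcall.
  local parsed, cert = pcall(x509.new, pem, "PEM")
  if not parsed or not cert then
    return false, "unparsable client certificate: " .. tostring(cert)
  end

  local verified, chain
  if have_vp then
    -- Assumed API: a verify_param passed as third argument to store:verify().
    local params = verify_param.new()
    params:setDepth(max_depth)
    verified, chain = ca_store:verify(cert, nil, params)
  else
    verified, chain = ca_store:verify(cert)
  end
  if not verified then
    -- On failure the second value is the error string, not a chain.
    return false, "verification failed: " .. tostring(chain)
  end

  -- Portable depth bound that needs no verify_param: count the intermediates
  -- in the chain OpenSSL built (leaf first, trust anchor from the store last).
  -- Assumed: chain:all() returns that array.
  local certs = chain:all()
  local intermediates = #certs - 2
  if intermediates < 0 then intermediates = 0 end
  if intermediates > max_depth then
    return false, string.format("chain depth %d exceeds limit %d",
                                intermediates, max_depth)
  end
  return true, certs
end

-- Request-time use inside an OpenResty access_by_lua* handler.
-- $ssl_client_raw_cert holds the client PEM (nginx 1.11.6+); older nginx
-- only has $ssl_client_cert, whose continuation lines are tab-prefixed.
if ngx then
  local ok, err = verify_client(ngx.var.ssl_client_raw_cert, 1)
  if not ok then
    ngx.log(ngx.ERR, "client certificate rejected: ", err)
    return ngx.exit(ngx.HTTP_FORBIDDEN)
  end
end

return { verify_client = verify_client }
```

Two caveats a practitioner should keep in mind: because optional_no_ca switches nginx's own checking off, nothing else enforces ssl_verify_depth, so the limit has to live here; and the counting fallback only applies after OpenSSL has already accepted the chain, so it rejects over-long chains rather than preventing their construction, which is why the verify_param route is preferable where the luaossl release supports it.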