Pass other fields to x509.store:verify()
daurnimator opened this issue
Extend x509.store:verify() to take other fields:
- X509_STORE_CTX_set0_param
- X509_STORE_CTX_set0_crls
I suggest that the function should instead take a table. Additionally, the store argument is optional, so perhaps this function shouldn't live as a store method?
I was considering if it should be under the plain openssl.x509 module. The only compulsory argument is the cert itself. The C function is `int X509_verify_cert(X509_STORE_CTX *ctx);`. However, the man page has under BUGS:

> This function uses the header x509.h as opposed to most chain verification functions which use x509_vfy.h

Which suggests that maybe placing it under x509 would be a mistake? Perhaps just as a static method/normal function in the x509.store module?
It looks like a store internally does have most of the extra fields you can set, e.g. a store contains its own X509_VERIFY_PARAMS.
What is odd, though, is that an SSL_CTX doesn't use any of these X509_STORE fields. This makes it hard to ensure that someone using the same store gets the same results when creating an SSL connection vs when calling :verify().
It looks like OpenSSL does verification in a roundabout way: SSL_CTX settings are copied into the SSL object, then the verification occurs in ssl_verify_cert_chain in ssl/ssl_cert.c.
Email sent to openssl-users list: https://mta.openssl.org/pipermail/openssl-users/2018-July/008273.html
Is there any update on this? Has support for the X509_STORE_CTX_set0_param API been added?
@shagunagarwal89 what is your use case for this?
I ended up not needing this for the project I was working on.
@daurnimator, to add to the query raised by @shagunagarwal89, the use case we are trying to achieve is as follows:

- We have an Nginx server which does the SSL handshake with 2-way SSL, but in this case Nginx will not validate the SSL client certificate; it will just receive the client certificate during the handshake process. We use the option below in nginx to achieve that:

  ssl_verify_client optional_no_ca
  http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client

  > The optional_no_ca parameter requests the client certificate but does not require it to be signed by a trusted CA certificate. This is intended for the use in cases when a service that is external to nginx performs the actual certificate verification.

  So, as per the above option, we are using the luaossl module to perform the actual certificate verification.
- We are able to verify the client certificate with luaossl successfully using the code below:
Lua code snippet:

```lua
local openssl_store = require "openssl.x509.store"
local openssl_x509  = require "openssl.x509"

-- Add CA certificates to a store. store:add() returns a boolean, so keep
-- using the store object itself rather than the return value.
local ca_store = openssl_store.new()
ca_store:add("/home/certs/ca_certs.crt")

-- Verify the incoming client certificate against the store.
-- $ssl_client_s_dn is only the subject DN; x509.new() needs the PEM
-- certificate, which nginx (1.11.6+) exposes as $ssl_client_raw_cert.
local ca_check, err = ca_store:verify(openssl_x509.new(ngx.var.ssl_client_raw_cert))
```
But the problem is that we are not able to set the verification depth of the certificate.
Please let us know how to proceed in this case.
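One way to enforce a maximum chain depth with the `store:verify(cert[, chain])` signature used in the thread, as an added example that is not part of the original issue or of luaossl itself: verify the leaf against the trust store and then bound the length of the proof chain that `verify()` returns on success. The example builds a throwaway root, intermediate and leaf in-process with luaossl so it runs offline. It assumes that a successful `store:verify()` returns `true` plus an `openssl.x509.chain` that can be iterated with `pairs()` (Lua 5.2+ or LuaJIT with `__pairs` support), and it mirrors the OpenSSL 1.1.0+ `X509_VERIFY_PARAM_set_depth` convention, where `depth` counts intermediate CAs only, so a valid proof holds at most `depth + 2` certificates. The helper names `issue` and `verify_with_depth` are the example's own.

```lua
-- Added example (not luaossl project code): verify a certificate against a
-- store and enforce a maximum chain depth by inspecting the proof chain.
local pkey  = require "openssl.pkey"
local x509  = require "openssl.x509"
local name  = require "openssl.x509.name"
local chain = require "openssl.x509.chain"
local store = require "openssl.x509.store"

-- Issue a certificate for common name `cn`. With no issuer the certificate
-- is self-signed. Returns the certificate and its private key.
local function issue(cn, is_ca, serial, issuer, issuer_key)
  local key = pkey.new{ type = "RSA", bits = 2048 }
  local crt = x509.new()
  crt:setVersion(3)
  crt:setSerial(serial)
  local dn = name.new()
  dn:add("CN", cn)
  crt:setSubject(dn)
  crt:setIssuer(issuer and issuer:getSubject() or dn)
  crt:setPublicKey(key)
  local now = os.time()
  crt:setLifetime(now - 60, now + 3600)
  crt:setBasicConstraint{ CA = is_ca }
  crt:setBasicConstraintsCritical(true)
  crt:sign(issuer_key or key)
  return crt, key
end

-- Verify `leaf` against `trust` (openssl.x509.store), offering the untrusted
-- `intermediates` (openssl.x509.chain) to the chain builder. `max_depth` is
-- the number of intermediate CAs allowed (OpenSSL 1.1.0+ semantics), so the
-- proof chain may contain at most max_depth + 2 certificates:
-- leaf + intermediates + trust anchor.
local function verify_with_depth(trust, leaf, intermediates, max_depth)
  local ok, proof_or_err = trust:verify(leaf, intermediates)
  if not ok then
    -- proof_or_err is the X509_verify_cert_error_string() text
    return false, proof_or_err
  end
  -- Assumption: openssl.x509.chain iterates (index, certificate) via pairs().
  local n = 0
  for _ in pairs(proof_or_err) do n = n + 1 end
  if n > max_depth + 2 then
    return false, ("chain too long: %d certificates, depth limit %d"):format(n, max_depth)
  end
  return true, proof_or_err
end

-- Constructed PKI: root -> intermediate -> client leaf.
local root, root_key   = issue("Example Root CA", true, 1)
local inter, inter_key = issue("Example Intermediate CA", true, 2, root, root_key)
local leaf             = issue("client", false, 3, inter, inter_key)

local trust = store.new()
trust:add(root)                 -- only the root is trusted
local untrusted = chain.new()
untrusted:add(inter)            -- intermediate is supplied, not trusted

-- One intermediate allowed: leaf -> inter -> root (3 certs) is accepted.
print(verify_with_depth(trust, leaf, untrusted, 1))
-- No intermediates allowed: the same 3-cert chain is rejected.
print(verify_with_depth(trust, leaf, untrusted, 0))
-- Wrong trust anchor: verification itself fails with an OpenSSL reason.
local other = store.new()
other:add(inter)
print(verify_with_depth(other, leaf, chain.new(), 1))
```

In the nginx setup from the thread, replace the constructed `leaf` with `x509.new(ngx.var.ssl_client_raw_cert)` and the constructed `trust` with a store loaded from the CA bundle file; intermediates the client sent during the handshake can be added to `untrusted` so the chain builder can use them without trusting them.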