
pkinit, openssl engines, and cert retrieval.

Hi,

as I mentioned in earlier posts, I'm working on an openssl engine which
will acquire a cert/key from a myproxy server using the "myproxy
protocol" (not the prettiest thing in the world, but I digress). My
original intent was to implement the LOAD_CERT_CTRL ENGINE_ctrl_cmd that
heimdal uses in the following code snippet:

    /*
     * If the engine supports a LOAD_CERT_CTRL function, let's try
     * it. OpenSC supports this function. Eventually this should be
     * an ENGINE_load_cert function; if it fails, treat it like a
     * non-fatal error.
     */
    {
        struct {
            const char * cert_id;
            X509 * cert;
        } parms;

        parms.cert_id = ctx.cert_file;
        parms.cert = NULL;
        ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1);
        if (parms.cert) {
            id->cert = sk_X509_new_null();
            sk_X509_insert(id->cert, parms.cert, 0);
        }
    }

the limitation which I realized was that this allows retrieval of a
single cert from the engine which does not quite match up with the
functionality provided by the load_openssl_cert() function which allows
loading a complete certificate chain from a file. Since the myproxy
server provides the client with a certificate chain, it would be nice to
be able to retrieve that via the engine api. Would something like the
following make sense/be acceptable?

    /* First ask the engine for a whole chain. */
    {
        struct {
            const char * cert_id;
            STACK_OF(X509) * chain;
        } parms;

        parms.cert_id = ctx.cert_file;
        parms.chain = NULL;
        ENGINE_ctrl_cmd(e, "LOAD_CERT_CHAIN_CTRL", 0, &parms, NULL, 1);
        if (parms.chain)
            id->cert = parms.chain;
    }
    /* Fall back to the single-certificate command if no chain came back. */
    if (id->cert == NULL) {
        struct {
            const char * cert_id;
            X509 * cert;
        } parms;

        parms.cert_id = ctx.cert_file;
        parms.cert = NULL;
        ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1);
        if (parms.cert) {
            id->cert = sk_X509_new_null();
            sk_X509_insert(id->cert, parms.cert, 0);
        }
    }

-Matt Andrews