
Using OpenSSL and Want to use multiple CA_DIRs for load verify locations

Developer https://www.devze.com 2023-04-10 03:47 Source: web

Rather than have a slew of certificates located in a single directory, I want to have certificates divided across several directories. Currently my server calls SSL_CTX_load_verify_locations(), for which only a single CA_DIR can be passed. Looks like others have wanted to do similar (see http://www.mail-archive.com/openssl-users@openssl.org/msg55557.html for example), but I can't find any documentation on the appropriate solution.

So I started looking at the source for SSL_CTX_load_verify_locations(), which is a wrapper for X509_STORE_load_locations(), which calls X509_STORE_add_lookup() and then X509_LOOKUP_add_dir() once. So can I simply write something similar to X509_STORE_load_locations() but call X509_LOOKUP_add_dir() multiple times (i.e. once for each directory)?

Please advise.

PS: Where can I find documentation on the X509... API provided by OpenSSL? On www.openssl.org, I can only find http://www.openssl.org/docs/crypto/x509.html#, but I cannot find any link to X509_LOOKUP_add_dir() or other functions/macros exposed in the openssl x509 headers.


As the current answer is missing a code sample (sslctx is your SSL_CTX instance):

#include <openssl/ssl.h>
#include <openssl/x509_vfy.h>

/* One hash_dir lookup serves every directory; X509_LOOKUP_add_dir appends
 * each path to that lookup and returns 1 on success, 0 on failure. */
X509_STORE *store = SSL_CTX_get_cert_store(sslctx);
X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
X509_LOOKUP_add_dir(lookup, "/first/cert/dir", X509_FILETYPE_PEM);
X509_LOOKUP_add_dir(lookup, "/second/cert/dir", X509_FILETYPE_PEM);
X509_LOOKUP_add_dir(lookup, "/another/cert/dir", X509_FILETYPE_PEM);

[I came here when I searched for how to add multiple CA paths in libcurl]


I asked:

So can I simply write something similar to X509_STORE_load_locations() but call X509_LOOKUP_add_dir() multiple times (i.e. once for each directory)?

The answer is yes, what I coded up worked.

Still, if anyone could point me to some documentation on the X509... API in openssl, that would be much appreciated!

