C OpenSSL: How to get X509_STORE_CTX from X509_STORE?

Time:10-22

I have an X509_STORE* pointer; my goal is to get its associated X509_STORE_CTX* pointer. May I know how to do this? I cannot get access to where the X509_STORE_CTX* is initialized.

Probably this is a simple question, but I have checked the OpenSSL API manual and its related header file again and again and have not found any API that could do this. Thanks.

CodePudding user response:

A single X509_STORE can be used/shared by an unlimited number of X509_STORE_CTX, but most of the time isn't used/referenced by any, so an API to get "its ... pointer" makes no sense and does not exist.

This (not at all coincidentally) reflects a similar, but inversely named, difference at the SSL module (libssl) level. An SSL_CTX object defines security parameters that can be used by any number of connections, each implemented as an SSL object. In the original design, the SSL_CTX owns an X509_STORE representing the truststore -- the set of roots (or other anchors if PARTIAL_CHAIN is used) used to validate peer certs and potentially to build out 'own' chains -- which you can modify using the CTX APIs like SSL_CTX_load_verify_locations, or you can get the (automatically created) store with SSL_CTX_get_cert_store and modify it, or create your own and install it with SSL_CTX_set_cert_store. OTOH each SSL dynamically creates its own X509_STORE_CTX while validating or sending a cert; no X509_STORE_CTX exists at other times. In 1.0.2 and up an SSL by default uses the SSL_CTX store, but you can override this with SSL_set[01]_{verify,chain}_cert_store.

When you create an X509_STORE_CTX you identify the X509_STORE to use with X509_STORE_CTX_init. When you _free it, this use/reference is terminated.
