I have an X509_STORE* pointer, and my goal is to get its associated X509_STORE_CTX* pointer. May I know how to do this? I cannot get access to where the X509_STORE_CTX* is initialized.
Probably this is a simple question, but I have checked the OpenSSL API manual and its related header file again and again and did not find any API that could do this. Thanks.
CodePudding user response:
A single X509_STORE can be used/shared by an unlimited number of X509_STORE_CTX, but most of the time isn't used/referenced by any, so an API to get "its ... pointer" makes no sense and does not exist.

This (not at all coincidentally) reflects a similar, but inversely named, difference at the SSL module (libssl) level. An SSL_CTX object defines security parameters that can be used by any number of connections, each implemented as an SSL object. In the original design, the SSL_CTX owns an X509_STORE representing the truststore -- the set of roots (or other anchors if PARTIAL_CHAIN is used) used to validate peer certs and potentially to build out 'own' chains -- which you can modify using the CTX APIs like SSL_CTX_load_verify_locations, or you can get the (automatically created) store with SSL_CTX_get_cert_store and modify it, or create your own and install it with SSL_CTX_set_cert_store. OTOH each SSL dynamically creates its own X509_STORE_CTX while validating or sending a cert; no X509_STORE_CTX exists at other times. In 1.0.2 and up an SSL by default uses the SSL_CTX store, but you can override with SSL_set[01]_{verify,chain}_cert_store.

When you create an X509_STORE_CTX you identify the X509_STORE to use with X509_STORE_CTX_init. When you _free it, this use/reference is terminated.