This queue is for tickets about the Net-SSLeay CPAN distribution.

Report information
The Basics
Id: 123934
Status: resolved
Priority: 0/
Queue: Net-SSLeay

People
Owner: chrisn [...] cpan.org
Requestors: wintermte [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: 1.86_08



Subject: Net::SSLeay 1.82 request to expose X509_STORE_CTX_new() and X509_verify_cert()
Date: Fri, 22 Dec 2017 11:04:59 -0600
To: bug-Net-SSLeay [...] rt.cpan.org
From: Daniell Freed <wintermte [...] gmail.com>
Feature request: expose X509_STORE_CTX_new() and X509_verify_cert().

As far as I can tell the only way to verify an x509 certificate structure is to do it via a connection to a remote server that is serving the certificate associated with that x509 structure.

I’d like to be able to do verification on an x509 structure that was created by reading it in from a PEM file.

Looking at the OpenSSL wiki, it appears (but I could be wrong) that the right way to do this is to create an X509_STORE_CTX, add the X509 to it, then use X509_verify_cert(). Unfortunately, neither X509_STORE_CTX_new() nor X509_verify_cert() are exposed in Net::SSLeay.

Thanks,
Dan Freed

Subject: Re: [rt.cpan.org #123934] Net::SSLeay 1.82 request to expose X509_STORE_CTX_new() and X509_verify_cert()
Date: Sat, 23 Dec 2017 07:49:21 +1000
To: bug-Net-SSLeay [...] rt.cpan.org
From: Mike McCauley <mikem [...] airspayce.com>
Hello,

Thanks.
Support for these functions has now been added and is in SVN 512.

Perhaps you might like to submit some test code for inclusion in the package?
--
Mike McCauley VK4AMM mikem@airspayce.com
Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia
http://www.airspayce.com
Phone +61 7 5598-7474

Subject: Re: [rt.cpan.org #123934] Net::SSLeay 1.82 request to expose X509_STORE_CTX_new() and X509_verify_cert()
Date: Thu, 25 Jan 2018 10:00:18 -0600
To: bug-Net-SSLeay [...] rt.cpan.org
From: Daniell Freed <wintermte [...] gmail.com>
This didn’t have the effect I was hoping for, and I’ve not had the time to dig into this more. Thanks for adding the call, but I’ve worked around this for now.

Thanks,
Dan Freed

Could you also include X509_STORE_CTX_init? I think that would allow verification of a certificate.
I put together some C code that does exactly what Dan is requesting. We need the following methods. Some already exist, some do not.

X509_STORE_new
X509_STORE_add_lookup
X509_STORE_add_cert
X509_LOOKUP_hash_dir
X509_LOOKUP_add_dir
X509_FILETYPE_PEM
X509_STORE_CTX_new
X509_STORE_CTX_init
X509_verify_cert
X509_verify_cert_error_string
X509_STORE_CTX_get_error
X509_STORE_CTX_free
X509_STORE_free
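
The offline verification flow discussed in this ticket, sketched in Perl as an added example (it is not code from the ticket, the attached patch, or the Net::SSLeay distribution). It assumes a Net::SSLeay release that exposes the functions listed above (the ticket gives 1.86_08 as the fixed version) and that the CA certificate and the certificate to check are PEM files named on the command line; the file names are placeholders.

```perl
#!/usr/bin/perl
# Added example, not code from this ticket or from the attached patch.
# Usage (file names are placeholders): perl verify_pem.pl ca.pem cert.pem
use strict;
use warnings;
use Net::SSLeay;

Net::SSLeay::initialize();

# Read the first certificate in a PEM file and return the X509 handle.
sub load_pem_cert {
    my ($path) = @_;
    my $bio = Net::SSLeay::BIO_new_file($path, 'r')
        or die "cannot open $path\n";
    my $x509 = Net::SSLeay::PEM_read_bio_X509($bio);
    Net::SSLeay::BIO_free($bio);
    die "no PEM certificate found in $path\n" unless $x509;
    return $x509;
}

# Verify $cert against a store holding only $ca as trust anchor.
# Returns (1, "ok") on success, otherwise (0, OpenSSL's error string).
sub verify_cert {
    my ($ca, $cert) = @_;
    my $store = Net::SSLeay::X509_STORE_new()
        or die "X509_STORE_new failed\n";
    Net::SSLeay::X509_STORE_add_cert($store, $ca)
        or die "X509_STORE_add_cert failed\n";
    my $ctx = Net::SSLeay::X509_STORE_CTX_new()
        or die "X509_STORE_CTX_new failed\n";
    # The context must be initialised before every X509_verify_cert() call.
    Net::SSLeay::X509_STORE_CTX_init($ctx, $store, $cert)
        or die "X509_STORE_CTX_init failed\n";
    my $rv  = Net::SSLeay::X509_verify_cert($ctx);
    my $err = Net::SSLeay::X509_STORE_CTX_get_error($ctx);
    my $msg = Net::SSLeay::X509_verify_cert_error_string($err);
    Net::SSLeay::X509_STORE_CTX_free($ctx);
    Net::SSLeay::X509_STORE_free($store);
    # Anything other than 1 (0 or a negative value) is a failed verification.
    return ($rv == 1 ? 1 : 0, $msg);
}

my ($ca_file, $cert_file) = @ARGV;
die "usage: $0 ca.pem cert.pem\n" unless defined $cert_file;
my ($ca, $cert) = map { load_pem_cert($_) } $ca_file, $cert_file;
my ($ok, $msg) = verify_cert($ca, $cert);
Net::SSLeay::X509_free($_) for $cert, $ca;
print "$cert_file: ", ($ok ? "verified" : "FAILED ($msg)"), "\n";
exit($ok ? 0 : 1);
```

Only the trust anchor is placed in the store here; intermediate certificates that are not themselves trusted belong in the optional chain argument of X509_STORE_CTX_init(), not in the store.
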
I sent the following email directly to Mike:

Mike,

I'm having a hard time figuring out how to contribute to Net::SSLeay. Is this still on SVN, or has it moved to a git repository somewhere? The link to SVN in CPAN doesn't work and I can't find any instructions on how to contribute.

I'd like to submit the patch that is attached.

Let me know if this should be in a different format or if I should contact someone else.

Thanks,
Marc
Subject: verify.patch

Message body is not shown because it is too large.

On Fri Dec 14 05:14:04 2018, reisner.marc@gmail.com wrote:
> I sent the following email directly to Mike:
>
> Mike,
>
> I'm having a hard time figuring out how to contribute to Net::SSLeay.
> Is this still on SVN, or has it moved to a git repository somewhere?
> The link to SVN in CPAN doesn't work and I can't find any instructions
> on how to contribute.
>
> I'd like to submit the patch that is attached.
>
> Let me know if this should be in a different format or if I should
> contact someone else.
>
> Thanks,
> Marc

Just confirming that this patch was merged as part of two separate pull requests on GitHub, with none of the code in the patch left outstanding following PR #110:

https://github.com/radiator-software/p5-net-ssleay/pull/107
https://github.com/radiator-software/p5-net-ssleay/pull/110

So I'll mark this as "patched", pending resolution when the next developer release is uploaded to CPAN.

Thanks again, Marc!