
RE: certinfo and ASN.1

From: Patrick Monnerat <Patrick.Monnerat_at_datasphere.ch>
Date: Wed, 27 Mar 2013 14:18:03 +0100


Oscar Koeroo wrote:

> I'm trying to get a hold of Qssl/QsoSSL's API and a test machine to
> fix some of these limitations. If you have pointers on how to get me
> closer to QsoSSL (API spec and library to test or a test system) that
> would be appreciated.

First, I hope you're aware that it's pure OS/400 dialect :-(

Mmm, I would not spend too much time on it: I've already tried many
things around it without success. I think QsoSSL internally uses static
storage for the SSL environment: you then can get two distinct
environments (cert store, app id, etc) simultaneously. There's no SNI
support (GSKit introduces it in V7R1), handshake is always blocking,
etc. In addition, IBM recommends using GSKit for new developments since
it is supported on all IBM platforms while QsoSSL is OS/400 only. See:
http://pic.dhe.ibm.com/infocenter/iseries/v7r1m0/index.jsp?topic=%2Frzab6%2Fcssl.htm

For your tests: You have to get access to an IBM AS/400 (aka iSeries or
i5) computer. I'm afraid I can't give you an access on ours.
QsoSSL doc:
http://pic.dhe.ibm.com/infocenter/iseries/v7r1m0/topic/rzab6/cssl2.htm
GSKit doc:
http://pic.dhe.ibm.com/infocenter/iseries/v7r1m0/topic/rzab6/cgskit.htm
The service programs (i.e.: equivalent to .so files) are installed
within the base system. To get the source include members, you have to
install C development and the QSYSINC library.

If no objection arises in the meantime, my long-term intentions are to
get a working GSKit backend, have a test period with QsoSSL enabled as
default SSL backend (for OS400), then another period with GSKit as
default, then retire QsoSSL, which would then become obsolete and
useless.

>> For these last 2 features, I had to duplicate code from ssluse.c and
>> implement some minimalistic ASN.1/X509 processing.

> Which part did you duplicate? And which version of libcurl are you
> using here?
> The 7.28-1 has the host matching functions extracted and pushed into a
> separate file, used by the axtls and OpenSSL backends.

The *_certinfo_*(), verifyhost(), get_cert_chain() and corollary
procedures. I've adapted them to extract data from an X509 cert without
help from an external SSL library (a work in progress). And yes, I do
already use existing hosts functions.

Patrick

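The "minimalistic ASN.1/X509 processing" mentioned in the mail is not shown on the page. As an added illustration, not curl's code and not Patrick's, here is a bounds-checked DER TLV reader in C that walks a Certificate just far enough to pull out the serialNumber and render it as colon-separated hex, the kind of field certinfo reports. The DER bytes are constructed inline for the demo and are not a real certificate; names such as der_read_tlv, x509_serial and the demo_* helpers are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical minimal DER reader (added example, not curl's code). */
struct der_tlv {
    unsigned char tag;
    const unsigned char *value;
    size_t len;
};

/* Decode one TLV at buf[0..buflen). Returns header + value length, or 0 on
   malformed input: truncated data, indefinite length, a multi-byte tag
   number, or a length that is not minimally encoded (DER forbids those). */
static size_t der_read_tlv(const unsigned char *buf, size_t buflen,
                           struct der_tlv *out)
{
    size_t pos = 0, len = 0, i;
    unsigned char first;

    if (buflen < 2)
        return 0;
    out->tag = buf[pos++];
    if ((out->tag & 0x1f) == 0x1f)        /* high tag numbers not supported */
        return 0;
    first = buf[pos++];
    if (first < 0x80) {
        len = first;                      /* short form */
    } else {
        size_t nbytes = first & 0x7f;     /* long form: number of length bytes */
        if (nbytes == 0 || nbytes > sizeof(size_t) || nbytes > buflen - pos)
            return 0;                     /* 0x80 = indefinite length: reject */
        if (buf[pos] == 0)                /* leading zero byte: not minimal */
            return 0;
        for (i = 0; i < nbytes; i++)
            len = (len << 8) | buf[pos++];
        if (len < 0x80)                   /* long form used for a short value */
            return 0;
    }
    if (len > buflen - pos)               /* value would run past the buffer */
        return 0;
    out->value = buf + pos;
    out->len = len;
    return pos + len;
}

/* Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
       [0] EXPLICIT version OPTIONAL, serialNumber INTEGER, ... }, ... }
   Only the prefix needed to reach the serial is inspected. Returns 1 on success. */
static int x509_serial(const unsigned char *der, size_t len, struct der_tlv *serial)
{
    struct der_tlv cert, tbs, elem;
    size_t used;

    if (!der_read_tlv(der, len, &cert) || cert.tag != 0x30)
        return 0;
    if (!der_read_tlv(cert.value, cert.len, &tbs) || tbs.tag != 0x30)
        return 0;
    used = der_read_tlv(tbs.value, tbs.len, &elem);
    if (!used)
        return 0;
    if (elem.tag == 0xA0 &&               /* explicit [0] version present: skip it */
        !der_read_tlv(tbs.value + used, tbs.len - used, &elem))
        return 0;
    if (elem.tag != 0x02 || elem.len == 0)
        return 0;
    *serial = elem;
    return 1;
}

/* Render the serial as "AA:BB:CC". Returns the string length, or -1 if the
   certificate is malformed or out is too small. */
static int x509_serial_hex(const unsigned char *der, size_t len,
                           char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    struct der_tlv s;
    size_t i;

    if (!x509_serial(der, len, &s) || outlen < s.len * 3)
        return -1;
    for (i = 0; i < s.len; i++) {
        out[i * 3] = hex[s.value[i] >> 4];
        out[i * 3 + 1] = hex[s.value[i] & 0x0f];
        out[i * 3 + 2] = (i + 1 < s.len) ? ':' : '\0';
    }
    return (int)(s.len * 3 - 1);
}

/* Constructed sample: just enough of a DER Certificate to reach the serial
   (version v3 as [0]{INTEGER 2}, serialNumber INTEGER 0A0B0C). Not a real cert. */
static const unsigned char SAMPLE_CERT_DER[] = {
    0x30, 0x0C,                              /* Certificate SEQUENCE, 12 bytes */
      0x30, 0x0A,                            /* tbsCertificate SEQUENCE, 10 bytes */
        0xA0, 0x03, 0x02, 0x01, 0x02,        /* [0] { INTEGER 2 }: version v3 */
        0x02, 0x03, 0x0A, 0x0B, 0x0C         /* INTEGER 0A0B0C: serialNumber */
};

int demo_serial_hex(char *out, size_t outlen)
{
    return x509_serial_hex(SAMPLE_CERT_DER, sizeof SAMPLE_CERT_DER, out, outlen);
}

/* A copy whose outer length claims more bytes than exist must be refused
   rather than read past the end of the buffer. Returns 1 if rejected. */
int demo_truncated_is_rejected(void)
{
    unsigned char bad[sizeof SAMPLE_CERT_DER];
    struct der_tlv s;
    memcpy(bad, SAMPLE_CERT_DER, sizeof bad);
    bad[1] = 0x20;                           /* lie about the SEQUENCE length */
    return x509_serial(bad, sizeof bad, &s) == 0;
}

/* Long-form length: 0x81 0x80 encodes 128 (the smallest value allowed to use
   long form). Returns the decoded length, or -1 if the TLV does not parse. */
int demo_long_form_length(void)
{
    unsigned char buf[3 + 128];
    struct der_tlv t;
    memset(buf, 0xAB, sizeof buf);
    buf[0] = 0x04; buf[1] = 0x81; buf[2] = 0x80;
    if (der_read_tlv(buf, sizeof buf, &t) != sizeof buf)
        return -1;
    return (int)t.len;
}

int main(void)
{
    char hex[64];
    int n = demo_serial_hex(hex, sizeof hex);
    printf("serial: %s (%d chars)\n", n < 0 ? "<error>" : hex, n);
    printf("truncated input rejected: %s\n", demo_truncated_is_rejected() ? "yes" : "no");
    printf("long-form length decodes to: %d\n", demo_long_form_length());
    return 0;
}
```

The point of the strictness is that certinfo parses bytes sent by the remote peer before any trust decision has been made, so every length is checked against the remaining buffer and non-DER encodings (indefinite length, non-minimal lengths) are rejected outright instead of being tolerated. A real implementation would continue the same walk through signature, issuer, validity and subject, each field reached only through the same bounds-checked reader.
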
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2013-03-27