cert already in hash table - Openssl



Thread: cert already in hash table

  1. cert already in hash table

    Sorry for the double ;-)
    Hello,


    I'm getting crazy!
    In one application I insert CA certificates and CRLs in the X509_STORE.
    This store is included in the SSL_CTX. No problem. The certificate
    verification process during handshake runs like a charm.

    In a second application, I create an X509_STORE and try to insert my CA
    certificates and CRL lists and right at the FIRST insertion of a CA I get:
    error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert
    already in hash table

    It is not possible: the store is empty!

    I even tried to create a dummy SSL_CTX and use its store like I do in
    the other application (I imagined that the SSL_CTX creation might do
    some initialisation in the store...): same result.
    i.e.: the same code runs smoothly in one application and not in the
    second one!

    I compared the compilation environment (command parameters, includes)
    and didn't find any significant difference, except that the second
    application is compiled with the option "-D_FILE_OFFSET_BITS=64". Could
    it be the cause of my misery ???

    Hereafter is the code:


    #include

    if ((G_store = X509_STORE_new()) == NULL) {
        trace_s(O_UTL, 0, LV_ERR, "Erreur l'allocation du X509_STORE pour CAs et CRLs.");
        return(-1);
    }
    CA = Gl_listeCA;
    while (CA != NULL) {
        if (!(err = X509_STORE_add_cert(G_store, CA->x509))) {
            trace_si(O_UTL, 0, LV_ERR, "Erreur l'insertion d'un certificat dans le STORE.CA N :", CA->num);
            X509_NAME_oneline(X509_get_subject_name(CA->x509), bid, sizeof(bid)-1);
            trace_ss(O_UTL, 0, LV_ERR, " Sujet :", bid);
            X509_NAME_oneline(X509_get_issuer_name(CA->x509), bid, sizeof(bid)-1);
            trace_ss(O_UTL, 0, LV_ERR, " Sujet :", bid);
            trace_si(O_UTL, 0, LV_ERR, "Erreur :", err);
            err = ERR_get_error();
            trace_ss(O_UTL, 0, LV_ERR, " ", ERR_error_string(err, NULL));
            flush_trace();
        }
    }

    The "CA" is a structure containing the certificate in 2 formats: DER
    and the internal X509 structure, plus some other information. Gl_listeCA
    is a global linked list of these structures. It's the same architecture
    in the running application.
    The X509 looks correct: the subject and the issuer are extracted
    without any problem in order to print details on the error.

    Compilation parameters:
    gcc -c -g -ggdb -D_FILE_OFFSET_BITS=64 -Wno-comment -Wno-unused -ansi
    -D_BSD_SOURCE -D_XOPEN_SOURCE -Dunix

    Both applications are linked with libcrypto and libssl 0.9.8

    Thanks in advance for any clue !

    --
    Francis GASCHET / NUMLOG
    http://www.numlog.fr
    Tel.: +33 (0) 130 791 616
    Fax.: +33 (0) 130 819 286



    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


  2. Re: cert already in hash table

    Hi,

    The only thing I see in your code is that, inside the while block, you are
    not setting the CA variable to the next element of the list Gl_listeCA.
    Thus, at the second loop you will always get an error when calling
    X509_STORE_add_cert because CA->x509 is pointing to the same certificate
    as in the previous loop.
    Can you confirm that the code is really like this? Does the working
    application have the same code?

    Cheers,
    --
    Mounir IDRASSI
    IDRIX
    http://www.idrix.fr

    On Thu, May 29, 2008 8:24 pm, Francis GASCHET wrote:
    > Sorry for the double ;-)
    > Hello,
    >
    >
    > I'm getting crazy!
    > In one application I insert CA certificates and CRLs in the X509_STORE.
    > This store is included in the SSL_CTX. No problem. The certificate
    > verification process during handshake runs like a charm.
    >
    > In a second application, I create an X509_STORE and try to insert my CA
    > certificates and CRL lists and right at the FIRST insertion of a CA I get:
    > error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert
    > already in hash table
    >
    > It is not possible: the store is empty!
    >
    > I even tried to create a dummy SSL_CTX and use its store like I do in
    > the other application (I imagined that the SSL_CTX creation might do
    > some initialisation in the store...): same result.
    > i.e.: the same code runs smoothly in one application and not in the
    > second one!
    >
    > I compared the compilation environment (command parameters, includes)
    > and didn't find any significant difference, except that the second
    > application is compiled with the option "-D_FILE_OFFSET_BITS=64". Could
    > it be the cause of my misery ???
    >
    > Hereafter is the code:
    >
    >
    > #include
    >
    > if ((G_store = X509_STORE_new()) == NULL) {
    >     trace_s(O_UTL, 0, LV_ERR, "Erreur l'allocation du X509_STORE pour CAs et CRLs.");
    >     return(-1);
    > }
    > CA = Gl_listeCA;
    > while (CA != NULL) {
    >     if (!(err = X509_STORE_add_cert(G_store, CA->x509))) {
    >         trace_si(O_UTL, 0, LV_ERR, "Erreur l'insertion d'un certificat dans le STORE.CA N :", CA->num);
    >         X509_NAME_oneline(X509_get_subject_name(CA->x509), bid, sizeof(bid)-1);
    >         trace_ss(O_UTL, 0, LV_ERR, " Sujet :", bid);
    >         X509_NAME_oneline(X509_get_issuer_name(CA->x509), bid, sizeof(bid)-1);
    >         trace_ss(O_UTL, 0, LV_ERR, " Sujet :", bid);
    >         trace_si(O_UTL, 0, LV_ERR, "Erreur :", err);
    >         err = ERR_get_error();
    >         trace_ss(O_UTL, 0, LV_ERR, " ", ERR_error_string(err, NULL));
    >         flush_trace();
    >     }
    > }
    >
    > The "CA" is a structure containing the certificate in 2 formats: DER
    > and the internal X509 structure, plus some other information. Gl_listeCA
    > is a global linked list of these structures. It's the same architecture
    > in the running application.
    > The X509 looks correct: the subject and the issuer are extracted
    > without any problem in order to print details on the error.
    >
    > Compilation parameters:
    > gcc -c -g -ggdb -D_FILE_OFFSET_BITS=64 -Wno-comment -Wno-unused -ansi
    > -D_BSD_SOURCE -D_XOPEN_SOURCE -Dunix
    >
    > Both applications are linked with libcrypto and libssl 0.9.8
    >
    > Thanks in advance for any clue !
    >
    > --
    > Francis GASCHET / NUMLOG
    > http://www.numlog.fr
    > Tel.: +33 (0) 130 791 616
    > Fax.: +33 (0) 130 819 286
    >




  3. Re: cert already in hash table

    Hi

    Bingo!
    I'm a stupid freak imbecile guy :-! :-[ :'(
    I have just one very tiny excuse: the 3 lines of code I didn't show you,
    which are executed when there is no error, are supposed to log the stored
    certificate. But the log was set up at too detailed a level, which I
    don't usually activate!
    So I never saw that the first certificate was correctly inserted during
    the first loop!

    Anyway I feel like somebody escaping from a psychiatric hospital!
    Give me your address: you've won a bottle of French wine!

    Thanks and best regards,

    --
    Francis GASCHET / NUMLOG
    http://www.numlog.fr
    Tel.: +33 (0) 130 791 616
    Fax.: +33 (0) 130 819 286




    On 05/29/2008 11:31 PM Mounir IDRASSI wrote:
    > Hi,
    >
    > The only thing I see in your code is that, inside the while block, you are
    > not setting the CA variable to the next element of the list Gl_listeCA.
    > Thus, at the second loop you will always get an error when calling
    > X509_STORE_add_cert because CA->x509 is pointing to the same certificate
    > as in the previous loop.
    > Can you confirm that the code is really like this? Does the working
    > application have the same code?
    >
    > Cheers,
    >


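To make the diagnosis in the thread concrete, here is an added C model that is not code from the thread or from OpenSSL: it imitates the 0.9.8 contract of X509_STORE_add_cert (1 on success, 0 with the "cert already in hash table" reason when the same certificate is added again) over a Gl_listeCA-style linked list, so the loop as posted succeeds on its first insertion and fails on the second, while the corrected loop adds every entry. The store, the fingerprint hash, the function names and the placeholder DER bytes are all constructed for this example.

```c
/* Added model, not code from the thread or from OpenSSL: imitates the 0.9.8 contract of
 * X509_STORE_add_cert (1 on success, 0 with "cert already in hash table" when the same
 * certificate is added again) over a Gl_listeCA-style linked list. All data is constructed. */
#include <stddef.h>
#include <stdint.h>
#define STORE_MAX 16
enum { ERR_NONE = 0, ERR_ALREADY_IN_HASH_TABLE, ERR_STORE_FULL };   /* stand-ins for X509_R_* */
/* Mirrors the poster's "CA" structure: DER bytes, a number, and the link to the next entry. */
typedef struct ca_entry { const uint8_t *der; unsigned der_len; int num; struct ca_entry *next; } ca_entry;
typedef struct { uint64_t fp[STORE_MAX]; int count; int last_err; } cert_store;
/* FNV-1a over the DER bytes: a toy fingerprint standing in for the store's hash-table key. */
static uint64_t fingerprint(const uint8_t *p, unsigned n) {
    uint64_t h = 1469598103934665603ULL;
    for (unsigned i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}
/* Like X509_STORE_add_cert in 0.9.8: adding a certificate that is already present fails. */
int store_add_cert(cert_store *s, const ca_entry *ca) {
    uint64_t fp = fingerprint(ca->der, ca->der_len);
    for (int i = 0; i < s->count; i++)
        if (s->fp[i] == fp) { s->last_err = ERR_ALREADY_IN_HASH_TABLE; return 0; }
    if (s->count == STORE_MAX) { s->last_err = ERR_STORE_FULL; return 0; }
    s->fp[s->count++] = fp; s->last_err = ERR_NONE;
    return 1;
}
/* The loop as posted: CA never advances. Stops at the first failure so the demo ends (the original kept logging); returns attempts made. */
int load_cas_as_posted(cert_store *s, ca_entry *CA) {
    int attempts = 0;
    while (CA != NULL && attempts < 100) {
        attempts++;
        if (!store_add_cert(s, CA)) break;   /* attempt 2 re-adds the very same x509 */
        /* missing here: CA = CA->next; */
    }
    return attempts;
}
/* Corrected loop: advance CA every iteration; returns certificates added, or -1 on error. */
int load_cas_fixed(cert_store *s, ca_entry *CA) {
    int added = 0;
    for (; CA != NULL; CA = CA->next) { if (!store_add_cert(s, CA)) return -1; added++; }
    return added;
}
/* Three distinct placeholder "certificates" (constructed bytes, not real DER) in a linked list. */
static const uint8_t DER_A[] = {0x30, 0x03, 0x02, 0x01, 0x01}, DER_B[] = {0x30, 0x03, 0x02, 0x01, 0x02},
                     DER_C[] = {0x30, 0x03, 0x02, 0x01, 0x03};
static ca_entry g_list[3] = {{DER_A, sizeof DER_A, 1, &g_list[1]}, {DER_B, sizeof DER_B, 2, &g_list[2]},
                             {DER_C, sizeof DER_C, 3, NULL}};
int posted_loop_attempts(void) { cert_store s = {0}; return load_cas_as_posted(&s, g_list); }
int posted_loop_stored(void)   { cert_store s = {0}; load_cas_as_posted(&s, g_list); return s.count; }
int posted_loop_error(void)    { cert_store s = {0}; load_cas_as_posted(&s, g_list); return s.last_err; }
int fixed_loop_added(void)     { cert_store s = {0}; return load_cas_fixed(&s, g_list); }
```

In current OpenSSL releases (1.1.1 and later) the real X509_STORE_add_cert treats an already-present certificate as success, so the same missing advance would show up there as a loop that never terminates rather than as this error.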

