Oleg Andriyanov - 1 month ago
C Question

Is it safe to share single X509_STORE between multiple threads for verifying certificate?

Use case: I want connections to be accepted and served in a network thread and delegate all certificate checking to another thread (or even a thread pool). The CA for all certificates to be checked is stored in a single X509_STORE. Basically, when a certificate is received from a client, I create a new X509_STORE_CTX, initialize it with a single (say, global) X509_STORE, and feed a worker thread with a checking routine which calls X509_verify_cert.

The question is, does this kind of thread-sharing of X509_STORE need any external locking provided by an application?

Particularly, I'm worried because X509_STORE_CTX_init takes a non-const pointer to my X509_STORE. Probably, this is because this function modifies reference counters inside the store, which is thread-safe provided that locking callbacks are set during initialization of the library. There should be no other non-const access to the store, right?

jww
Answer

Is it safe to share single X509_STORE between multiple threads for verifying certificate?

Yes, but with strings attached. The Yes is because OpenSSL provides locks for the store:

openssl-1.0.2h$ grep -IR CRYPTO_LOCK * | grep STORE
crypto/crypto.h:# define CRYPTO_LOCK_X509_STORE          11
crypto/crypto.h:# define CRYPTO_LOCK_STORE               37
crypto/x509/by_dir.c:            CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE);
crypto/x509/by_dir.c:            CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE);
crypto/x509/by_dir.c:        CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
crypto/x509/by_dir.c:        CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
...

However, the "strings attached" is that you need to manually install the locks, which can be non-trivial. Also see:
