How Is The OpenSSL Configuration File Parsed?


I’m trying to understand how OpenSSL parses its configuration file. In the sample configuration file that is installed with OpenSSL v1.1.1g, it seems to be divided into three main sections – the [ ca ] section, the [ req ] section, and the [ tsa ] section (because of the lines that contain ############# ... that separate these sections). Inside the [ ca ] and [ req ] sections there are key/value pairs whose name is a command option and whose value "links" to another section in the configuration file. A good example is the x509_extensions = usr_cert key/value pair in the [ ca ] section.

I am under the impression that the OpenSSL config file is processed by the OpenSSL parser starting at the first line of the file and processing the next line in turn (please correct me if that’s not the case). Therefore, I would expect the [ ca ] section’s x509_extensions = usr_cert to be linked to a section of the config file that occurs inside the [ ca ] section. But it doesn’t – it links to the [ usr_cert ] section that occurs inside the [ req ] section, which is outside the [ ca ] section.

So, what’s happening when the OpenSSL parser processes the configuration file? Is my visual perception of inside and outside wrong when I read the configuration file? Does the parser "call" the linked section, process its key/value pairs, then return parsing of the config file to the next line in the config file? If this is the case, wouldn’t it make it much easier to understand the structure of the config file if "links" to sections that pertained to the command whose section is being parsed were actually present within the command’s section?
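The following is an added illustration, not OpenSSL's own code and not part of the question above: a small re-implementation of the parsing rules OpenSSL applies to its `.cnf` format, run over a constructed excerpt that copies the layout of the stock file. It shows that every `[ name ]` line starts a new top-level section (sections never nest), that the `####` divider lines are ordinary `#` comments with no structural meaning, and that a value such as `usr_cert` is stored as a plain string which a command later resolves by looking up a section of that name. In the stock file the `x509_extensions = usr_cert` line actually sits in `[ CA_default ]`, reached from `[ ca ]` through `default_ca`; the sample below keeps that arrangement. Quoting, `.include` and escape handling are left out for brevity.

```python
"""Minimal re-implementation of OpenSSL's configuration-file parsing rules.

Added example (not OpenSSL's own code) showing that sections are flat:
a `[ name ]` line always starts a new top-level section, `#` lines are
comments whatever they contain, and a value such as `usr_cert` is just a
string that a command later looks up by section name.
"""
import re

# Constructed sample that mimics the layout of the stock openssl.cnf.
SAMPLE_CNF = """\
HOME = .

####################################################################
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = ./demoCA
certs = $dir/certs
x509_extensions = usr_cert

####################################################################
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca

[ req_distinguished_name ]
countryName = Country Name (2 letter code)

[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
basicConstraints = critical,CA:true
"""

SECTION_RE = re.compile(r"^\[\s*(.+?)\s*\]$")
# $name, ${name}, $sect::name or ${sect::name}
REF_RE = re.compile(r"\$\{?(?:(\w+)::)?(\w+)\}?")


def parse_cnf(text):
    """Return {section: {key: value}} from OpenSSL-style config text.

    Lines before the first header belong to the implicit "default" section.
    Variable references are expanded at parse time, which is why OpenSSL
    requires a variable to be defined earlier in the file than its use.
    """
    sections = {"default": {}}
    current = "default"
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        # A trailing backslash continues the value onto the next line.
        while line.rstrip().endswith("\\") and i + 1 < len(lines):
            i += 1
            line = line.rstrip()[:-1] + lines[i]
        i += 1
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment (including the #### dividers)
        m = SECTION_RE.match(stripped)
        if m:
            current = m.group(1)  # new top-level section; no nesting
            sections.setdefault(current, {})
            continue
        key, sep, value = stripped.partition("=")
        if not sep:
            continue  # not a key/value pair; ignore
        key, value = key.strip(), value.strip()

        def expand(ref):
            # $name looks in the current section, then in "default";
            # $sect::name looks in the named section.
            sect = ref.group(1) or current
            found = sections.get(sect, {}).get(ref.group(2))
            if found is None and ref.group(1) is None:
                found = sections["default"].get(ref.group(2), "")
            return found or ""

        sections[current][key] = REF_RE.sub(expand, value)
    return sections


def resolve(sections, section, key):
    """Follow a `key = other_section` link the way `openssl ca` does for
    x509_extensions: the value names a section, looked up at top level,
    not something nested "inside" the section that mentions it."""
    target = sections[section][key]
    return target, sections[target]


if __name__ == "__main__":
    cfg = parse_cnf(SAMPLE_CNF)
    print("top-level sections:", list(cfg))
    name, ext = resolve(cfg, "CA_default", "x509_extensions")
    print(f"x509_extensions -> [ {name} ] = {ext}")
```

Running it lists seven flat sections (`default`, `ca`, `CA_default`, `req`, `req_distinguished_name`, `usr_cert`, `v3_ca`) and resolves `x509_extensions` in `[ CA_default ]` to the `[ usr_cert ]` dictionary, regardless of where that section is placed in the file relative to the `####` dividers.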