[openssl-users] Unclear docs -- request clarification on X509_STORE_add_cert

Karl Denninger karl at denninger.net
Wed Jan 3 00:38:56 UTC 2018


Assume the following code snippet:

#include <openssl/ssl.h>
#include <openssl/x509.h>

/* panic() is a fatal-error helper (print a message and abort); not shown */

/* A DER certificate we wish to load into the context's chain storage */
const unsigned char a_cert[] = { ....... };
int size_a_cert = sizeof(a_cert);

const unsigned char *cp;

X509 *cc_cert;

X509_STORE *cc = SSL_CTX_get_cert_store(a_context);
if (cc == NULL) {
    panic("Cannot get chain; fail");
}
cp = a_cert;                                   /* d2i_X509 advances cp, so use a copy */
cc_cert = d2i_X509(NULL, &cp, size_a_cert);
if (cc_cert == NULL) {
    panic("Cert not valid");
}
if (!X509_STORE_add_cert(cc, cc_cert)) {       /* Push the cert into the chain store */
    panic("Cannot add required chain certificate");
}

/*  X509_free(cc_cert); */

The question is the last line and whether it should be there
(uncommented) -- does the X509_STORE_add_cert call load the *reference*
or does it load the *data* (allocating whatever it needs internally to
do so)?  In other words, do I need to keep that X509 structure around
that got allocated by the d2i_X509 call, or do I free it after I've
pushed it into the store?

The docs are silent on this as far as I can tell but some example code
I've seen floating around doesn't free it.

-- 
Karl Denninger
karl at denninger.net <mailto:karl at denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/