[openssl-users] Unclear docs -- request clarification on X509_STORE_add_cert
Dave Coombs
dcoombs at carillon.ca
Wed Jan 3 01:10:47 UTC 2018
Hello,
Looking at the code in x509_lu.c, X509_STORE_add_cert() takes ownership of your X509 *cc_cert -- you don't need to (and probably shouldn't) free it.
Cheers,
-Dave
> On Jan 2, 2018, at 19:38, Karl Denninger <karl at denninger.net> wrote:
>
> Assume the following code snippet:
>
> const unsigned char a_cert = {....... }; (A DER certificate we wish to load into the context's chain storage)
> int size_a_cert = sizeof(a_cert);
>
> const unsigned char *cp;
>
> X509 *cc_cert;
> X509_STORE *cc = SSL_CTX_get_cert_store(a_context);
> if (cc == NULL) {
> panic ("Cannot get chain; fail");
> }
> cp = a_cert;
> cc_cert = d2i_X509(NULL, &cp, size_a_cert);
> if (cc_cert == NULL) {
> panic("Cert not valid");
> }
> if (!X509_STORE_add_cert(cc, cc_cert)) { /* Push the cert into the chain store */
> panic ("Cannot add required chain certificate");
> }
> /* X509_free(cc_cert); */
> The question is the last line and whether it should be there (uncommented) -- does the X509_STORE_add_cert call load the *reference* or does it load the *data* (allocating whatever it needs internally to do so)? In other words do I need to keep that X509 structure around that got allocated by the d2i_X509 call or do I free it after I've pushed it into the store?
>
> The docs are silent on this as far as I can tell but some example code I've seen floating around doesn't free it.
> --
> Karl Denninger
> karl at denninger.net <mailto:karl at denninger.net>
> The Market Ticker
> [S/MIME encrypted email preferred]
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180102/094fca50/attachment.html>
More information about the openssl-users
mailing list