[openssl-dev] use of X.509 lookup methods, X509_OBJECT internal or opaque?

Roumen Petrov openssl at roumenpetrov.info
Sat Apr 23 14:56:37 UTC 2016


Hi Openssl developers,

Recent modifications to the X509... structures prevent external 
implementations of X509_LOOKUP_METHOD.
The main issue is that 1.1beta5 is not usable. A lot of X509... structures are 
now opaque, but there are neither access nor memory management functions.
I hope that an API for X509_LOOKUP_METHOD etc. will be provided soon, 
and then we could discuss the corresponding API.


This email is only about X509_OBJECT, as the primary subject is the use of 
lookup methods.

1) X509_STORE_get_X509_by_subject
The new function takes a type argument and returns an X509_OBJECT. If it is 
called with X509_LU_CRL, the returned X509_OBJECT will contain an X509_CRL.
So the question is: why use this new method instead of the existing 
X509_STORE_get_by_subject?

What about declaring the method as:
   X509*     X509_STORE_get_X509_by_subject(X509_STORE_CTX *vs, X509_NAME *name)
and declaring another method as:
   X509_CRL* X509_STORE_get_X509_CRL_by_subject(X509_STORE_CTX *vs, X509_NAME *name)

The definition could use X509_OBJECT internally with the corresponding search type.


2) X509_OBJECT allocation.
The function X509_STORE_get_by_subject requires a pointer to an allocated 
X509_OBJECT. This, and the implementation of X509_LOOKUP_METHOD, require an 
X509_OBJECT allocation method.
Unfortunately X509_OBJECT_new is not defined in 1.1beta5.


3) release of X509_OBJECT content.
X509_OBJECT_free is a new function that calls X509_OBJECT_free_contents.
Unfortunately the public function X509_OBJECT_free_contents releases the content 
but does not change the content type nor clear (zero) the content.
If program code calls X509_OBJECT_free_contents and then at some point 
calls X509_OBJECT_free, a double free error occurs.

It seems to me that current OpenSSL code is not impacted, as functions like 
X509_STORE_add_.... do not use X509_OBJECT_free:
         X509_OBJECT_free_contents(obj);
         OPENSSL_free(obj);

If the function X509_OBJECT_free_contents remains public, please ensure that 
a double free cannot occur.
It seems to me that changing the content type to X509_LU_RETRY will prevent 
the double free.


4) access to X509_OBJECT content.
The current API provides access to the certificate content but lacks access to 
the revocation list content.
The function X509_OBJECT_get0_X509 always returns the certificate if the argument 
is not null. This does not look correct.
The function must return the X.509 certificate only if the argument is not null 
and the content type is for a certificate.
For instance:
X509 *X509_OBJECT_get0_X509(X509_OBJECT *a)
{
      return a != NULL && a->type == X509_LU_X509 ? a->data.x509 : NULL;
}

Please define a content access function for the revocation list:
X509_CRL *X509_OBJECT_get0_X509_CRL(X509_OBJECT *a)



I'm concerned that, according to the plan, the next release is the final one.

Roumen
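The double-free hazard from point 3 and the type-checked accessors from point 4, modelled in plain C as an added example that is not OpenSSL's code and not part of the original mail. X509_OBJECT is replaced by a constructed tagged union (obj_t with an LU_* enum), and a small instrumented pool allocator stands in for X509_free/X509_CRL_free so that a second release of the same payload is counted instead of corrupting the heap. Every name below (obj_t, pool_alloc, free_contents_stale, free_contents_reset, obj_get0_x509, obj_get0_crl) is an assumption for illustration; the reset variant clears the tag to LU_NONE, whereas the mail proposes X509_LU_RETRY, and either works as long as the free switch ignores it.

```c
#include <stdio.h>

/* Stand-in for X509_OBJECT: a tagged union of a certificate or a CRL.
 * Constructed for this example; not OpenSSL's definitions. */
typedef enum { LU_RETRY = -1, LU_NONE = 0, LU_X509 = 1, LU_CRL = 2 } lookup_type;

typedef struct {
    lookup_type type;
    union { char *x509; char *crl; char *ptr; } data;
} obj_t;

/* Tiny instrumented allocator replacing X509_free/X509_CRL_free: a double
 * free is counted and reported rather than corrupting the real heap. */
#define POOL_SLOTS 8
typedef struct { int in_use; char payload[64]; } slot_t;
static slot_t pool[POOL_SLOTS];
static int double_frees;

static char *pool_alloc(const char *label)
{
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            snprintf(pool[i].payload, sizeof pool[i].payload, "%s", label);
            return pool[i].payload;
        }
    }
    return NULL;
}

/* Returns 0 on success, -1 on a double free (also counted) or a foreign pointer. */
static int pool_free(char *p)
{
    if (p == NULL)
        return 0;
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (pool[i].payload == p) {
            if (!pool[i].in_use) { double_frees++; return -1; }
            pool[i].in_use = 0;
            return 0;
        }
    }
    return -1;
}

/* Mirrors the behaviour the mail complains about: payload released,
 * but the type tag and data pointer are left behind. */
static void free_contents_stale(obj_t *a)
{
    if (a == NULL)
        return;
    switch (a->type) {
    case LU_X509: pool_free(a->data.x509); break;
    case LU_CRL:  pool_free(a->data.crl);  break;
    default: break;                  /* LU_NONE / LU_RETRY: nothing to release */
    }
}

/* Proposed fix: same release, then reset tag and pointer so a later
 * free of the same object is a no-op. */
static void free_contents_reset(obj_t *a)
{
    if (a == NULL)
        return;
    free_contents_stale(a);
    a->type = LU_NONE;
    a->data.ptr = NULL;
}

/* Sequence from point 3: the caller releases the contents, and later the
 * container free releases them again. Returns the number of double frees
 * the allocator caught: 1 with the stale variant, 0 with the reset one. */
static int run_double_free_sequence(void (*release)(obj_t *))
{
    obj_t obj;
    int before = double_frees;

    obj.type = LU_X509;
    obj.data.x509 = pool_alloc("CN=constructed test cert");
    release(&obj);   /* explicit X509_OBJECT_free_contents() by the caller */
    release(&obj);   /* what X509_OBJECT_free() would do before freeing the container */
    return double_frees - before;
}

/* Type-checked accessors in the spirit of point 4: hand out the payload
 * only when the tag matches, never by trusting the argument alone. */
static char *obj_get0_x509(const obj_t *a)
{
    return a != NULL && a->type == LU_X509 ? a->data.x509 : NULL;
}

static char *obj_get0_crl(const obj_t *a)
{
    return a != NULL && a->type == LU_CRL ? a->data.crl : NULL;
}

/* Returns 1 if each accessor returns its payload only for the matching tag. */
static int accessors_respect_type(void)
{
    obj_t crl  = { LU_CRL,  { .crl  = pool_alloc("constructed issuer CRL") } };
    obj_t cert = { LU_X509, { .x509 = pool_alloc("constructed leaf cert") } };
    int ok = obj_get0_x509(&crl) == NULL && obj_get0_crl(&crl) != NULL
          && obj_get0_crl(&cert) == NULL && obj_get0_x509(&cert) != NULL
          && obj_get0_x509(NULL) == NULL && obj_get0_crl(NULL) == NULL;

    free_contents_reset(&crl);
    free_contents_reset(&cert);
    return ok;
}

int main(void)
{
    printf("stale free_contents: %d double free(s)\n",
           run_double_free_sequence(free_contents_stale));
    printf("reset free_contents: %d double free(s)\n",
           run_double_free_sequence(free_contents_reset));
    printf("accessors respect type: %s\n", accessors_respect_type() ? "yes" : "no");
    return 0;
}
```

The point the example makes is that a public free_contents routine on a caller-owned container must leave the container in a state that the full free routine treats as empty; resetting the tag is what makes the second release idempotent, and the same tag check is what keeps a get0 accessor from returning a CRL pointer as if it were a certificate.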