[openssl-dev] use of X.509 lookup methods, X509_OBJECT internal or opaque?

Roumen Petrov openssl at roumenpetrov.info
Sat May 7 08:30:56 UTC 2016 

Hi Rich,

Scope of my request is "use of a lookup method".

Salz, Rich wrote:
>> You need
(1)
I test port to current openssl code with following definitions 
X509_OBJECT_new() and X509_OBJECT_get0_X509_CRL.  :
....
diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c
index ff64821..8547b0d 100644
--- a/crypto/x509/x509_lu.c
+++ b/crypto/x509/x509_lu.c
@@ -450,6 +450,12 @@ int X509_OBJECT_get_type(X509_OBJECT *a)
      return a->type;
  }

+X509_OBJECT *X509_OBJECT_new()
+{
+    X509_OBJECT *ret;
+    return OPENSSL_malloc(sizeof (*ret));
+}
+
  void X509_OBJECT_free(X509_OBJECT *a)
  {
      if (a == NULL)
....
diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c
index c4ca619..ff64821 100644
--- a/crypto/x509/x509_lu.c
+++ b/crypto/x509/x509_lu.c
@@ -433,9 +433,18 @@ void X509_OBJECT_up_ref_count(X509_OBJECT *a)

  X509 *X509_OBJECT_get0_X509(X509_OBJECT *a)
  {
+    if (a == NULL) return NULL;
+    if (a->type != X509_LU_X509) return NULL;
      return a->data.x509;
  }

+X509_CRL *X509_OBJECT_get0_X509_CRL(X509_OBJECT *a)
+{
+    if (a == NULL) return NULL;
+    if (a->type != X509_LU_CRL) return NULL;
+    return a->data.crl;
+}
+
  int X509_OBJECT_get_type(X509_OBJECT *a)
  {
      return a->type;
....

After port I note that two new functions (see bellow) will simplify code:

(2)
>>      X509 *X509_STORE_get_X509_by_subject(X509_STORE_CTX *vs,
>> X509_NAME *name)
>>      X509_CRL *X509_STORE_get_X509_CRL_by_subject(X509_STORE_CTX *vs,
>> X509_NAME *name) And replace the existing
>> "X509_STORE_get_X509_by_subject"

This is my request - to define:
- X509 *X509_STORE_get_X509_by_subject(X509_STORE_CTX *vs, X509_NAME *name)
- X509_CRL *X509_STORE_get_X509_CRL_by_subject(X509_STORE_CTX *vs, 
X509_NAME *name)
( Side effect is that with functions from (2) program code will avoid 
use of functions from (1) )


>> We also need X590_OBJECT_new() and X509_OBJECT_free and X509_CRL
>> *X509_OBJECT_get0_X509_CRL(X509_OBJECT *a).
It is good to have:
- X590_OBJECT_new()
- X509_CRL* X509_OBJECT_get0_X509_CRL(X509_OBJECT *)
- int X509_OBJECT_set0_X509_CRL(X509_OBJECT*, X509_CRL*)
- int X509_OBJECT_set0_X509(X509_OBJECT*, X509* )
but this is out of scope for now.

It is related to API for X509_LOOKUP_METHOD. Lets to discuss separately 
when accessors for X509_LOOKUP_METHOD are defined.

>> Make sure the memory issues are addressed and avoid double-free.
>>
>> Right?
> "You need" is misleading.  These are new accessors needed  because the X509_OBJECT was made opaque.  In other words we did it :)

Regards,
Roumen

More information about the openssl-dev mailing list