[openssl-users] Unclear docs -- request clarification on X509_STORE_add_cert

Dave Coombs dcoombs at carillon.ca
Wed Jan 3 01:10:47 UTC 2018


Hello,

Looking at the code in x509_lu.c, X509_STORE_add_cert() takes ownership of your X509 *cc_cert -- you don't need to (and probably shouldn't) free it.

Cheers,
  -Dave


> On Jan 2, 2018, at 19:38, Karl Denninger <karl at denninger.net> wrote:
> 
> Assume the following code snippet:
> 
> const unsigned char a_cert[] = {....... }; (A DER certificate we wish to load into the context's chain storage)
> int size_a_cert = sizeof(a_cert);
> 
> const unsigned char *cp;
> 
> X509 *cc_cert;
> X509_STORE *cc = SSL_CTX_get_cert_store(a_context);
> if (cc == NULL) {
>     panic ("Cannot get chain; fail");
> }
> cp = a_cert;
> cc_cert = d2i_X509(NULL, &cp, size_a_cert);
> if (cc_cert == NULL) {
>       panic("Cert not valid");
> }
> if (!X509_STORE_add_cert(cc, cc_cert)) {        /* Push the cert into the chain store */
>      panic ("Cannot add required chain certificate");
> }
> /*  X509_free(cc_cert); */
> 
> The question is the last line and whether it should be there (uncommented) -- does the X509_STORE_add_cert call load the *reference* or does it load the *data* (allocating whatever it needs internally to do so)?  In other words do I need to keep that X509 structure around that got allocated by the d2i_X509 call or do I free it after I've pushed it into the store?
> 
> The docs are silent on this as far as I can tell but some example code I've seen floating around doesn't free it.
> -- 
> Karl Denninger
> karl at denninger.net <mailto:karl at denninger.net>
> The Market Ticker
> [S/MIME encrypted email preferred]
