Hi OpenSSL developers,

Recent modifications to the X509... structures prevent external implementations of X509_LOOKUP_METHOD. The main issue is that 1.1beta5 is not usable. A lot of X509... structures are now opaque, but there are neither access nor memory management functions. I hope that an API for X509_LOOKUP_METHOD etc. will be provided soon, and then we could discuss the corresponding API.


This email is only for X509_OBJECT as the primary subject is use of lookup methods.

1) X509_STORE_get_X509_by_subject
The new function takes a type argument and returns an X509_OBJECT. If it is called with X509_LU_CRL, the returned X509_OBJECT will contain an X509_CRL. So the question is why one should use this new method instead of the existing X509_STORE_get_by_subject?

What about declaring the method as:
X509* X509_STORE_get_X509_by_subject(X509_STORE_CTX *vs, X509_NAME *name)
and declaring another method as:
X509_CRL* X509_STORE_get_X509_CRL_by_subject(X509_STORE_CTX *vs, X509_NAME *name)

The definition could internally use X509_OBJECT with the corresponding search type.


2) X509_OBJECT allocation.
The function X509_STORE_get_by_subject requires a pointer to an allocated X509_OBJECT. This and the implementation of X509_LOOKUP_METHOD require an X509_OBJECT allocation method.
Unfortunately, X509_OBJECT_new is not defined in 1.1beta5.


3) release of X509_OBJECT content.
X509_OBJECT_free is a new function that calls X509_OBJECT_free_contents.
Unfortunately, the public function X509_OBJECT_free_contents releases the content but neither changes the content type nor clears (zeroes) the content. If program code calls X509_OBJECT_free_contents and then at some point calls X509_OBJECT_free, a double free error occurs.

It seems to me the current OpenSSL code is not impacted, as functions like X509_STORE_add_.... do not use X509_OBJECT_free:
        X509_OBJECT_free_contents(obj);
        OPENSSL_free(obj);

If the function X509_OBJECT_free_contents remains public, please ensure that a double free will not occur. It seems to me that changing the content type to X509_LU_RETRY will prevent the double free.


4) access to X509_OBJECT content.
The current API provides access to the certificate content but lacks access to the revocation list content. The function X509_OBJECT_get0_X509 always returns the certificate if the argument is not null. This does not look correct. The function must return the X.509 certificate only if the argument is not null and the content type is for a certificate.
For instance:
X509 *X509_OBJECT_get0_X509(X509_OBJECT *a)
{
     return a != NULL && a->type == X509_LU_X509 ? a->data.x509 : NULL;
}

Please define a content access function for the revocation list:
X509_CRL *X509_OBJECT_get0_X509_CRL(X509_OBJECT *a)



I'm concerned that according to the plan the next release is the final one.

Roumen



--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
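A constructed C model of the double-free concern in item 3 and the type-checked accessors in item 4, added here as an example; it is not OpenSSL code. The names obj_t, fake_x509, fake_crl and OBJ_LU_* are stand-ins that mirror X509_OBJECT, X509, X509_CRL and X509_LU_* in shape only, and the free_contents routine applies the suggested reset to a RETRY type so that a following free releases nothing twice.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for X509_OBJECT: a type tag plus a union payload.
 * The real struct is opaque in 1.1; only the shape is modelled here. */
enum obj_type { OBJ_LU_RETRY = -1, OBJ_LU_NONE = 0, OBJ_LU_X509 = 1, OBJ_LU_CRL = 2 };
typedef struct { char subject[32]; } fake_x509;  /* placeholder for X509 */
typedef struct { char issuer[32]; } fake_crl;    /* placeholder for X509_CRL */
typedef struct {
    enum obj_type type;
    union { fake_x509 *x509; fake_crl *crl; } data;
} obj_t;
static int payload_frees;  /* how often a payload was released; >1 means double free */

obj_t *obj_new(void) { return calloc(1, sizeof(obj_t)); }  /* type == OBJ_LU_NONE */
void obj_set_x509(obj_t *o, fake_x509 *x) { o->type = OBJ_LU_X509; o->data.x509 = x; }
void obj_set_crl(obj_t *o, fake_crl *c)   { o->type = OBJ_LU_CRL;  o->data.crl  = c; }

/* Release the payload, then reset the tag to RETRY and zero the union, as the
 * mail suggests, so a later free sees nothing left to release. */
void obj_free_contents(obj_t *o) {
    if (o == NULL) return;
    switch (o->type) {
    case OBJ_LU_X509: free(o->data.x509); payload_frees++; break;
    case OBJ_LU_CRL:  free(o->data.crl);  payload_frees++; break;
    default: break;  /* RETRY or NONE: nothing owned */
    }
    o->type = OBJ_LU_RETRY;
    memset(&o->data, 0, sizeof o->data);
}
void obj_free(obj_t *o) { if (o != NULL) { obj_free_contents(o); free(o); } }

/* Accessors that check the tag, the behaviour item 4 asks of get0_X509 and get0_X509_CRL. */
fake_x509 *obj_get0_x509(obj_t *o) { return o && o->type == OBJ_LU_X509 ? o->data.x509 : NULL; }
fake_crl  *obj_get0_crl(obj_t *o)  { return o && o->type == OBJ_LU_CRL  ? o->data.crl  : NULL; }

/* Item 3 scenario: free_contents followed by free must release the payload once. */
int free_contents_then_free_is_safe(void) {
    payload_frees = 0;
    obj_t *o = obj_new();
    obj_set_x509(o, calloc(1, sizeof(fake_x509)));
    obj_free_contents(o);                      /* payload released, tag -> RETRY */
    int cleared = obj_get0_x509(o) == NULL;    /* accessor no longer hands out a dangling pointer */
    obj_free(o);                               /* sees RETRY, frees only the wrapper */
    return cleared && payload_frees == 1;
}
/* Item 4 scenario: a CRL-typed object must not be returned as a certificate. */
int accessors_respect_type(void) {
    obj_t *o = obj_new();
    obj_set_crl(o, calloc(1, sizeof(fake_crl)));
    int ok = obj_get0_x509(o) == NULL && obj_get0_crl(o) != NULL;
    obj_free(o);
    return ok;
}
```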
