Dear List,

I've tried to send this message a few times, and I don't think it's gone
through...
Here's my problem.  I've got an X509_STORE against which I am verifying some
digital signatures.  I'm using a dynamic engine to perform said verifications. 
During the verification process, some keys get cached _inside_ certs in the
X509_STORE.  At various points in my app, I'd like to free the engine without
freeing the X509_STORE, but those cached keys prevent me from doing so (their
existence causes some references to the engine to be kept around, and so
ENGINE_finish and ENGINE_free won't deallocate the engine).  I am currently
doing the following to find and dump the cached keys, but this feels really
kludgey and wrong, and I'm worrying something is going to change out from under
me in a future OpenSSL release and make my code not work.  So, can someone tell
me if the following is ok to do?

#include <stdio.h>
#include <openssl/x509.h>
#include <openssl/x509_vfy.h>
#include <openssl/evp.h>

/* Walk every certificate in the store and free the EVP_PKEY that
 * X509_get_pubkey() cached inside it.  This reaches into the
 * X509_STORE / X509 internals (->objs, ->cert_info), which are only
 * visible in OpenSSL 0.9.x/1.0.x headers; they became opaque in 1.1.0. */
void DumpVerifyKeys(X509_STORE *ca_store)
{
        STACK_OF(X509_OBJECT) *roots = NULL;
        X509_OBJECT *tmp_obj = NULL;
        X509 *current_cert = NULL;
        char buf[256];
        int i;

        /* get the stack of X509 objects out of the X509_STORE */
        roots = ca_store->objs;

        for (i = 0; i < sk_X509_OBJECT_num(roots); i++) {
                tmp_obj = sk_X509_OBJECT_value(roots, i);

                /* only look at certificates (the stack can also hold
                 * CRLs and a couple of other object types) */
                if (tmp_obj->type != X509_LU_X509)
                        continue;

                current_cert = tmp_obj->data.x509;

                /* nothing cached in this cert; skip it rather than
                 * stopping the whole scan */
                if (current_cert->cert_info == NULL ||
                    current_cert->cert_info->key == NULL)
                        continue;

                /* if a key has been cached in the cert, free it and clear
                 * the pointer so it cannot be freed twice */
                if (current_cert->cert_info->key->pkey != NULL) {
                        printf("freeing key of %s\n",
                               X509_NAME_oneline(X509_get_subject_name(current_cert),
                                                 buf, sizeof(buf)));
                        EVP_PKEY_free(current_cert->cert_info->key->pkey);
                        current_cert->cert_info->key->pkey = NULL;
                }
        }
}

I feel like a) there's a cleaner way to loop through all certs in an X509_STORE
and b) there's a cleaner way to see if there's a key in there and, if so, get
rid of it.

Thanks!
Chris
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]