On Fri, 2010-05-07 at 23:37 +0200, Dr. Stephen Henson wrote:
> 
> 
> If you pass a NULL for the final argument in PKCS12_parse() extra CA
> certificates are ignored as it has nowhere to put them.
> 
> If you pass a pointer to a NULL STACK_OF(X509), i.e. do:
> 
> STACK_OF(X509) *ca = NULL;
> 
> and pass &ca it will allocate a stack and put the extra certs in ca. 

Ah yes, sorry -- of course. 

So what happens in 1.0.0-beta2 and later is that when the error happens,
the stack pointed to by *ca (if any) is freed and *ca is set to NULL.

Next time round the loop, the behaviour you describe kicks in, and
everything works fine (for me). A new stack is allocated and the
certificates are added to it.

Although that's OK for my purposes, I think it's actually a bug. The man
page for PKCS12_parse() says that *ca can be a valid stack, in which
case additional certificates are appended to *ca.

It _doesn't_ say "oh, but if parsing fails because the user fat-fingered
the passphrase, we'll completely free your carefully pre-generated stack
in *ca and set *ca to NULL".

Surely it shouldn't be freeing the _original_ contents of the stack
which was passed in *ca? Those should be preserved.

In older versions of OpenSSL (<1.0.0-beta2), the failure mode is
actually "... we'll free your carefully pre-generated stack in *ca but
for extra fun, we leave *ca pointing to the now-freed memory". Which is
the bug that I tripped over.

-- 
dwmw2

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
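
The ownership problem discussed in the message above, and a calling pattern that sidesteps it, as an added example that is not part of the original post and is not OpenSSL code. `cert_stack`, `model_parse()` and `parse_preserving()` are hypothetical names; `model_parse()` is a constructed stand-in that reproduces only the failure behaviour the message describes.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for STACK_OF(X509): a growable array of cert names. */
typedef struct { const char **item; int num; } cert_stack;
static cert_stack *stack_new(void) { return calloc(1, sizeof(cert_stack)); }
static void stack_free(cert_stack *s) { if (s) { free(s->item); free(s); } }
static int stack_push(cert_stack *s, const char *name) {
    const char **p = realloc(s->item, (s->num + 1) * sizeof(*p));
    if (!p) return 0;
    s->item = p;
    s->item[s->num++] = name;
    return 1;
}

/* Hypothetical model of the parse call, NOT OpenSSL code. On failure it frees
 * *ca; null_on_error=1 then NULLs *ca (1.0.0-beta2+), 0 leaves it dangling. */
static int model_parse(const char *pass, cert_stack **ca, int null_on_error) {
    if (strcmp(pass, "correct") == 0 && (*ca || (*ca = stack_new())) &&
        stack_push(*ca, "extra-ca-1") && stack_push(*ca, "extra-ca-2"))
        return 1;
    stack_free(*ca);
    if (null_on_error) *ca = NULL;
    return 0;
}

/* Defensive caller: parse into a scratch stack that starts out NULL and touch
 * the caller's stack only after success, so a failed parse cannot free it. */
static int parse_preserving(const char *pass, cert_stack **ca, int null_on_error) {
    cert_stack *scratch = NULL, *dst = *ca;
    int i, base, ok;
    if (!model_parse(pass, &scratch, null_on_error)) return 0; /* never reuse scratch */
    if (!dst && !(dst = stack_new())) { stack_free(scratch); return 0; }
    base = dst->num;
    for (i = 0; i < scratch->num; i++)
        if (!stack_push(dst, scratch->item[i])) break;
    ok = (i == scratch->num);
    if (!ok) dst->num = base;          /* roll back a partial append */
    if (!ok && !*ca) stack_free(dst);  /* dst was allocated here, not by the caller */
    else *ca = dst;
    stack_free(scratch);
    return ok;
}

int main(void) {
    cert_stack *ca = stack_new();
    if (!ca || !stack_push(ca, "pinned-root")) return 1;
    int failed = !parse_preserving("wrong", &ca, 0);  /* older-release mode */
    return !(failed && ca->num == 1);  /* exit 0: the stack survived the failure */
}
```

With the real API the same shape applies: pass PKCS12_parse() the address of a NULL STACK_OF(X509) pointer on each attempt, and append to a long-lived stack only after it returns success.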
