Difference between revisions of "How to handle OpenSSL and not get hurt"
| Line 9: | Line 9: | ||
There exists '''X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)''' and '''X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)'''. The difference is that the '''X509_STORE_CTX_get_chain()''' will only return a reference to the certificate chain (type '''STACK_OF (X509) *''') from within the X509_STORE_CTX structure and the '''X509_STORE_CTX_get1_chain()''' will make a duplicate certificate chain that will need to be '''free()''''d. | There exists '''X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)''' and '''X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)'''. The difference is that the '''X509_STORE_CTX_get_chain()''' will only return a reference to the certificate chain (type '''STACK_OF (X509) *''') from within the X509_STORE_CTX structure and the '''X509_STORE_CTX_get1_chain()''' will make a duplicate certificate chain that will need to be '''free()''''d. | ||
| + | |||
Freeing a '''STACK_OF (X509) *''' is not to be done with just '''free()'''. That will create a memory leak. Also a '''X509_free (X509) *''' and using a '''STACK_OF (X509) *''' as input will create a memory leak. The proper way to free a '''STACK_OF (X509) *''' is to use '''sk_X509_pop_free(st, free_func)''', where for '''free_func''' you should use '''X509_free'''. Example: '''sk_X509_pop_free(chain, X509_free)'''. | Freeing a '''STACK_OF (X509) *''' is not to be done with just '''free()'''. That will create a memory leak. Also a '''X509_free (X509) *''' and using a '''STACK_OF (X509) *''' as input will create a memory leak. The proper way to free a '''STACK_OF (X509) *''' is to use '''sk_X509_pop_free(st, free_func)''', where for '''free_func''' you should use '''X509_free'''. Example: '''sk_X509_pop_free(chain, X509_free)'''. | ||
Warning: do not get confused with '''sk_X509_free()''' which will accept the '''STACK_OF (<type>) *''', but does not ''pop'' the stack to free all the individual certificates of the chain (which will be equal to an instant memory leakage for any certificate chain longer then one certificate). | Warning: do not get confused with '''sk_X509_free()''' which will accept the '''STACK_OF (<type>) *''', but does not ''pop'' the stack to free all the individual certificates of the chain (which will be equal to an instant memory leakage for any certificate chain longer then one certificate). | ||
| + | |||
To get the '''issuer DN''' and '''subject DN''' you can use constructions like: | To get the '''issuer DN''' and '''subject DN''' you can use constructions like: | ||
Revision as of 15:45, 30 September 2009
Stuff you wished to know before you every needed to touch the OpenSSL library
On the web OpenSSL is poorly documented and even the book Network Security with OpenSSL doesn't touch the advanced inner workings of the library. There are more gems in the documentation of the OpenSSL source tarballs.
Use the source! When you're looking for anything particular or specialized and you really wish to know how OpenSSL is handling this: Use the Source!
What does that library call really do?
There exists X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx) and X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx). The difference is that the X509_STORE_CTX_get_chain() will only return a reference to the certificate chain (type STACK_OF (X509) *) from within the X509_STORE_CTX structure and the X509_STORE_CTX_get1_chain() will make a duplicate certificate chain that will need to be free()'d.
Freeing a STACK_OF (X509) * is not to be done with just free(). That will create a memory leak. Also a X509_free (X509) * and using a STACK_OF (X509) * as input will create a memory leak. The proper way to free a STACK_OF (X509) * is to use sk_X509_pop_free(st, free_func), where for free_func you should use X509_free. Example: sk_X509_pop_free(chain, X509_free).
Warning: do not get confused with sk_X509_free() which will accept the STACK_OF (<type>) *, but does not pop the stack to free all the individual certificates of the chain (which will be equal to an instant memory leakage for any certificate chain longer then one certificate).
To get the issuer DN and subject DN you can use constructions like:
char * cert_DN = X509_NAME_oneline (X509_get_subject_name (cert), NULL, 0); char * issuer_DN = X509_NAME_oneline (X509_get_issuer_name (cert), NULL, 0);
or
char cert_DN[255]; char issuer_DN[255]; X509_NAME_oneline (X509_get_subject_name (cert), cert_DN, 255); X509_NAME_oneline (X509_get_issuer_name (cert), issuer_DN, 255);
In the first construction you'll need to free both the cert_DN and the issuer_DN. In the second example a static buffer is used and filled by the X509_NAME_oneline() routines.
