On Tue, May 18, 2010, Martin Kaiser wrote:

> Hello Steve, all,
> 
> Thus wrote Stephen Henson via RT ([email protected]):
> 
> > OpenSSL doesn't claim binary compatibility across major version changes:
> > in general recompiling source against different major versions is
> > recommended.
> 
> > Accessing structures directly should be avoided in applications if at
> > all possible for the reasons you mention above. If an application
> > instead of (say) accessing pkey->pkey.rsa used the function
> > EVP_PKEY_get1_RSA() it would still be compatible.
> 
> what about a scenario like this where I get an rsa pubkey from a
> certificate and add the private components myself:
> 
> X509 *x;
> EVP_PKEY *e;
> 
> e = X509_get_pubkey(x);
> e->pkey.rsa->d = BN_bin2bn(mySecretD, LEN_OF_MY_D, NULL);
> ... (add other components and do some calculations using e)
> EVP_PKEY_free(e);
> 
> 
> My understanding is that EVP_PKEY_get1_RSA() increases the reference
> count of the RSA object. I guess that
> 
> RSA *r = EVP_PKEY_get1_RSA(e);
> r->d = BN_bin2bn(mySecretD, LEN_OF_MY_D, NULL);
> 
> would not work. EVP_PKEY_free(e) would not free e->pkey.rsa since its
> reference count is 2. Should I explicitly RSA_free(r) or is there a
> cleaner and portable way of doing this instead of directly accessing the
> structure?
> 

Setting key components manually is one of the exceptions where you currently
can't avoid accessing structures directly. That will be addressed at some
point with appropriate APIs but that won't help existing applications of
course.

Yes, you should call EVP_PKEY_get1_RSA() and add an explicit RSA_free() to
lower the reference count again.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]