Somehow I missed the response. Good, that there are archives:
> Those examples need updating. Use of X509_NAME_oneline() has been discouraged
> for some time.

Yes, seems so. Any other function that takes a NULL X509* may also have a problem. My question was simply to confirm that a NULL pointer *can* happen.

> While this is true it won't happen unless you explicitly set policy checking
> along with some additional flags. If an application does set the extra flags
> it is expected to understand the implications in the callback.

Yes. If they are documented :-)

> One case is when you set a flag to require an explicit policy but there is
> none in the chain. In that case the error isn't tied to one particular
> certificate but the chain itself.
> The other case is when you set a flag to notify that policy checking has
> succeeded. Again this means the whole chain is OK and not indicating anything
> right/wrong with a particular certificate.

That is what I figured out. I am not asking for a change, here a kind of devil's advocate argument: Leaving the pointer unchanged (i.e. the end entity) would that hurt much? One could still interpret: "no policy related to the chain that ends with the cert ..." and "The chain for cert xxx is valid and we have policy yyy". At least in case of the missing explicit policy error, a callback may want to log something of the chain.

> Steve.

Anyway, thanks for the answer.

/P