On 2009.10.25 at 19:18:15 -0400, Carl Harris wrote:

> True enough, this reduces the code snippet appreciably by eliminating  
> the rather tedious extension lookup fragment.  My issue, of course, was 
> simply not knowing (and not being able to find any reference that  
> documents) the data type that would result from the d2i function for  
> this extension... but this is obviously simpler:
>
>    STACK_OF(DIST_POINT) *dps = X509_get_ext_d2i(cert,
>                                                 NID_crl_distribution_points,
>                                                 NULL, NULL);
>    if (dps == NULL) {
>       /* extension not present or some decoding error... bail out */
>    }
>
>    assert(sk_DIST_POINT_num(dps) > 0);

It is quite a bad idea to use assert here. You are analyzing a certificate.
This is external data which is passed to you by some other party, and at
this moment you cannot be sure that this party is trusted, because you have
not completed the validation procedure yet.

If somebody sent you a certificate without a crlDistributionPoints
extension (perfectly valid by all other means), your program would
crash.

This should be a runtime error, which can be handled by the application, not
an assertion.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
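
Added example, not code from this thread or from OpenSSL: the same extension examined with every surprise in the untrusted input reported as a return code rather than an assert(). It uses a small standalone DER walk in place of X509_get_ext_d2i so that it runs without OpenSSL; the names crldp_status, der_hdr, crldp_first_uri and the sample byte arrays are hypothetical, and only the first element at each level is inspected.

```c
#include <stddef.h>

/* Outcomes are ordinary return codes the caller can handle; none of them aborts. */
enum crldp_status { CRLDP_OK, CRLDP_MALFORMED, CRLDP_EMPTY, CRLDP_NO_URI };

/* Read one DER tag+length at *p, bounded by end; on success *p points at the value. */
static int der_hdr(const unsigned char **p, const unsigned char *end,
                   unsigned char *tag, size_t *len)
{
    const unsigned char *q = *p;
    if (end - q < 2) return 0;
    *tag = *q++;
    size_t n = *q++;
    if (n & 0x80) {                       /* long form: low 7 bits count the length bytes */
        size_t k = n & 0x7f;
        if (k == 0 || k > 2 || (size_t)(end - q) < k) return 0;
        for (n = 0; k > 0; k--) n = (n << 8) | *q++;
    }
    if ((size_t)(end - q) < n) return 0;  /* value would run past the buffer */
    *p = q; *len = n;
    return 1;
}

/* Find the first URI in the first DistributionPoint of a DER-encoded
 * CRLDistributionPoints value (hypothetical helper, first-element walk only). */
enum crldp_status crldp_first_uri(const unsigned char *ext, size_t ext_len,
                                  const unsigned char **uri, size_t *uri_len)
{
    /* SEQUENCE OF -> DistributionPoint -> [0] distributionPoint -> [0] fullName -> [6] URI */
    static const unsigned char path[] = { 0x30, 0x30, 0xA0, 0xA0, 0x86 };
    const unsigned char *p = ext, *end = ext + ext_len;
    unsigned char tag; size_t len = 0;

    for (size_t i = 0; i < sizeof path; i++) {
        if (i > 0 && p == end) return CRLDP_NO_URI;   /* parent has no children */
        if (!der_hdr(&p, end, &tag, &len)) return CRLDP_MALFORMED;
        if (i == 0 && (tag != 0x30 || p + len != end)) return CRLDP_MALFORMED;
        if (i == 0 && len == 0) return CRLDP_EMPTY;   /* the case the quoted assert() guarded */
        if (tag != path[i]) return CRLDP_NO_URI;
        end = p + len;                    /* children must stay inside the parent */
    }
    *uri = p; *uri_len = len;
    return CRLDP_OK;
}

/* Constructed samples: a one-URI extension value and an empty SEQUENCE OF. */
const unsigned char SAMPLE_ONE_URI[] = { 0x30,0x20, 0x30,0x1E, 0xA0,0x1C, 0xA0,0x1A, 0x86,0x18,
    'h','t','t','p',':','/','/','c','a','.','e','x','a','m','p','l','e','/','c','a','.','c','r','l' };
const unsigned char SAMPLE_EMPTY[] = { 0x30, 0x00 };
```

RFC 5280 defines CRLDistributionPoints as SEQUENCE SIZE (1..MAX), so the empty case is a malformed certificate that the caller rejects through CRLDP_EMPTY; a truncated buffer comes back as CRLDP_MALFORMED in the same way.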
