openssl
/
openssl
mirror of https://github.com/openssl/openssl
1
0
Fork 0
Code Issues Releases Wiki Activity

Use the new ASN.1 libctx aware capabilities in CMP 

Make sure we pass the libctx/propq around everywhere that we need it to
ensure we get provider keys when needed.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)
This commit is contained in:
Matt Caswell 2021-05-26 17:18:13 +01:00 committed by Pauli
parent 5dca2afca3
commit c631378058
11 changed files with 153 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
apps/cmp.c
View File

@ -729,7 +729,7 @@ static OSSL_CMP_MSG *read_PKIMESSAGE(char **filenames)
file = *filenames;
*filenames = next_item(file);
ret = OSSL_CMP_MSG_read(file);
ret = OSSL_CMP_MSG_read(file, app_get0_libctx(), app_get0_propq());
if (ret == NULL)
CMP_err1("cannot read PKIMessage from file '%s'", file);
return ret;

30
crypto/cmp/cmp_asn.c
View File

@ -208,6 +208,31 @@ int ossl_cmp_asn1_get_int(const ASN1_INTEGER *a)
return (int)res;
}
static int ossl_cmp_msg_cb(int operation, ASN1_VALUE **pval,
const ASN1_ITEM *it, void *exarg)
{
OSSL_CMP_MSG *ret = (OSSL_CMP_MSG *)*pval;
switch (operation) {
case ASN1_OP_FREE_POST:
OPENSSL_free(ret->propq);
break;
case ASN1_OP_DUP_POST:
{
OSSL_CMP_MSG *old = exarg;
if (!ossl_cmp_msg_set0_libctx(ret, old->libctx, old->propq))
return 0;
}
break;
default:
break;
}
return 1;
}
ASN1_CHOICE(OSSL_CMP_CERTORENCCERT) = {
/* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
ASN1_EXP(OSSL_CMP_CERTORENCCERT, value.certificate, X509, 0),
@ -405,14 +430,13 @@ ASN1_SEQUENCE(OSSL_CMP_PROTECTEDPART) = {
} ASN1_SEQUENCE_END(OSSL_CMP_PROTECTEDPART)
IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PROTECTEDPART)
ASN1_SEQUENCE(OSSL_CMP_MSG) = {
ASN1_SEQUENCE_cb(OSSL_CMP_MSG, ossl_cmp_msg_cb) = {
ASN1_SIMPLE(OSSL_CMP_MSG, header, OSSL_CMP_PKIHEADER),
ASN1_SIMPLE(OSSL_CMP_MSG, body, OSSL_CMP_PKIBODY),
ASN1_EXP_OPT(OSSL_CMP_MSG, protection, ASN1_BIT_STRING, 0),
/* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_MSG, extraCerts, X509, 1)
} ASN1_SEQUENCE_END(OSSL_CMP_MSG)
IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_MSG)
} ASN1_SEQUENCE_END_cb(OSSL_CMP_MSG, OSSL_CMP_MSG)
IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CMP_MSG)
ASN1_ITEM_TEMPLATE(OSSL_CMP_MSGS) =

7
crypto/cmp/cmp_local.h
View File

@ -670,8 +670,11 @@ struct ossl_cmp_msg_st {
ASN1_BIT_STRING *protection; /* 0 */
/* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
STACK_OF(X509) *extraCerts; /* 1 */
OSSL_LIB_CTX *libctx;
char *propq;
} /* OSSL_CMP_MSG */;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_MSG)
OSSL_CMP_MSG *OSSL_CMP_MSG_new(OSSL_LIB_CTX *libctx, const char *propq);
void OSSL_CMP_MSG_free(OSSL_CMP_MSG *msg);
/*-
* ProtectedPart ::= SEQUENCE {
@ -852,6 +855,8 @@ int ossl_cmp_hdr_init(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr);
# define OSSL_CMP_CERTREQID 0
/* sequence id for the first - and so far only - revocation request */
# define OSSL_CMP_REVREQSID 0
int ossl_cmp_msg_set0_libctx(OSSL_CMP_MSG *msg, OSSL_LIB_CTX *libctx,
const char *propq);
const char *ossl_cmp_bodytype_to_string(int type);
int ossl_cmp_msg_set_bodytype(OSSL_CMP_MSG *msg, int type);
int ossl_cmp_msg_get_bodytype(const OSSL_CMP_MSG *msg);

92
crypto/cmp/cmp_msg.c
View File

@ -20,6 +20,46 @@
#include <openssl/err.h>
#include <openssl/x509.h>
OSSL_CMP_MSG *OSSL_CMP_MSG_new(OSSL_LIB_CTX *libctx, const char *propq)
{
OSSL_CMP_MSG *msg = NULL;
msg = (OSSL_CMP_MSG *)ASN1_item_new_ex(ASN1_ITEM_rptr(OSSL_CMP_MSG),
libctx, propq);
if (!ossl_cmp_msg_set0_libctx(msg, libctx, propq)) {
OSSL_CMP_MSG_free(msg);
msg = NULL;
}
return msg;
}
void OSSL_CMP_MSG_free(OSSL_CMP_MSG *msg)
{
ASN1_item_free((ASN1_VALUE *)msg, ASN1_ITEM_rptr(OSSL_CMP_MSG));
}
/*
* This should only be used if the X509 object was embedded inside another
* asn1 object and it needs a libctx to operate.
* Use OSSL_CMP_MSG_new() instead if possible.
*/
int ossl_cmp_msg_set0_libctx(OSSL_CMP_MSG *msg, OSSL_LIB_CTX *libctx,
const char *propq)
{
if (msg != NULL) {
msg->libctx = libctx;
OPENSSL_free(msg->propq);
msg->propq = NULL;
if (propq != NULL) {
msg->propq = OPENSSL_strdup(propq);
if (msg->propq == NULL)
return 0;
}
}
return 1;
}
OSSL_CMP_PKIHEADER *OSSL_CMP_MSG_get0_header(const OSSL_CMP_MSG *msg)
{
if (msg == NULL) {
@ -125,7 +165,7 @@ OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype)
if (!ossl_assert(ctx != NULL))
return NULL;
if ((msg = OSSL_CMP_MSG_new()) == NULL)
if ((msg = OSSL_CMP_MSG_new(ctx->libctx, ctx->propq)) == NULL)
return NULL;
if (!ossl_cmp_hdr_init(ctx, msg->header)
|| !ossl_cmp_msg_set_bodytype(msg, bodytype))
@ -1031,9 +1071,10 @@ int OSSL_CMP_MSG_update_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
|| ossl_cmp_msg_protect(ctx, msg);
}
OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file)
OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file, OSSL_LIB_CTX *libctx,
const char *propq)
{
OSSL_CMP_MSG *msg = NULL;
OSSL_CMP_MSG *msg;
BIO *bio = NULL;
if (file == NULL) {
@ -1041,9 +1082,18 @@ OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file)
return NULL;
}
msg = OSSL_CMP_MSG_new(libctx, propq);
if (msg == NULL){
ERR_raise(ERR_LIB_CMP, ERR_R_MALLOC_FAILURE);
return NULL;
}
if ((bio = BIO_new_file(file, "rb")) == NULL)
return NULL;
msg = d2i_OSSL_CMP_MSG_bio(bio, NULL);
if (d2i_OSSL_CMP_MSG_bio(bio, &msg) == NULL) {
OSSL_CMP_MSG_free(msg);
msg = NULL;
}
BIO_free(bio);
return msg;
}
@ -1066,10 +1116,40 @@ int OSSL_CMP_MSG_write(const char *file, const OSSL_CMP_MSG *msg)
return res;
}
OSSL_CMP_MSG *d2i_OSSL_CMP_MSG(OSSL_CMP_MSG **msg, const unsigned char **in,
long len)
{
OSSL_LIB_CTX *libctx = NULL;
const char *propq = NULL;
if (msg != NULL && *msg != NULL) {
libctx = (*msg)->libctx;
propq = (*msg)->propq;
}
return (OSSL_CMP_MSG *)ASN1_item_d2i_ex((ASN1_VALUE **)msg, in, len,
ASN1_ITEM_rptr(OSSL_CMP_MSG),
libctx, propq);
}
int i2d_OSSL_CMP_MSG(const OSSL_CMP_MSG *msg, unsigned char **out)
{
return ASN1_item_i2d((const ASN1_VALUE *)msg, out,
ASN1_ITEM_rptr(OSSL_CMP_MSG));
}
OSSL_CMP_MSG *d2i_OSSL_CMP_MSG_bio(BIO *bio, OSSL_CMP_MSG **msg)
{
return ASN1_d2i_bio_of(OSSL_CMP_MSG, OSSL_CMP_MSG_new,
d2i_OSSL_CMP_MSG, bio, msg);
OSSL_LIB_CTX *libctx = NULL;
const char *propq = NULL;
if (msg != NULL && *msg != NULL) {
libctx = (*msg)->libctx;
propq = (*msg)->propq;
}
return ASN1_item_d2i_bio_ex(ASN1_ITEM_rptr(OSSL_CMP_MSG), bio, msg, libctx,
propq);
}
int i2d_OSSL_CMP_MSG_bio(BIO *bio, const OSSL_CMP_MSG *msg)

14
crypto/x509/x_pubkey.c
View File

@ -104,17 +104,18 @@ static int x509_pubkey_ex_new_ex(ASN1_VALUE **pval, const ASN1_ITEM *it,
return ret != NULL;
}
static int x509_pubkey_ex_d2i(ASN1_VALUE **pval,
const unsigned char **in, long len,
const ASN1_ITEM *it, int tag, int aclass,
char opt, ASN1_TLC *ctx)
static int x509_pubkey_ex_d2i_ex(ASN1_VALUE **pval,
const unsigned char **in, long len,
const ASN1_ITEM *it, int tag, int aclass,
char opt, ASN1_TLC *ctx, OSSL_LIB_CTX *libctx,
const char *propq)
{
const unsigned char *in_saved = *in;
X509_PUBKEY *pubkey;
int ret;
OSSL_DECODER_CTX *dctx = NULL;
if (*pval == NULL && !x509_pubkey_ex_new_ex(pval, it, NULL, NULL))
if (*pval == NULL && !x509_pubkey_ex_new_ex(pval, it, libctx, propq))
return 0;
if (!x509_pubkey_ex_populate(pval, NULL)) {
ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
@ -197,10 +198,11 @@ static const ASN1_EXTERN_FUNCS x509_pubkey_ff = {
NULL,
x509_pubkey_ex_free,
0, /* Default clear behaviour is OK */
x509_pubkey_ex_d2i,
NULL,
x509_pubkey_ex_i2d,
x509_pubkey_ex_print,
x509_pubkey_ex_new_ex,
x509_pubkey_ex_d2i_ex,
};
IMPLEMENT_EXTERN_ASN1(X509_PUBKEY, V_ASN1_SEQUENCE, x509_pubkey_ff)

3
include/openssl/cmp.h.in
View File

@ -380,7 +380,8 @@ ASN1_OCTET_STRING *OSSL_CMP_HDR_get0_recipNonce(const OSSL_CMP_PKIHEADER *hdr);
OSSL_CMP_PKIHEADER *OSSL_CMP_MSG_get0_header(const OSSL_CMP_MSG *msg);
int OSSL_CMP_MSG_update_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg);
OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid);
OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file);
OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file, OSSL_LIB_CTX *libctx,
const char *propq);
int OSSL_CMP_MSG_write(const char *file, const OSSL_CMP_MSG *msg);
OSSL_CMP_MSG *d2i_OSSL_CMP_MSG_bio(BIO *bio, OSSL_CMP_MSG **msg);
int i2d_OSSL_CMP_MSG_bio(BIO *bio, const OSSL_CMP_MSG *msg);

10
test/cmp_protect_test.c
View File

@ -143,7 +143,7 @@ static int execute_calc_protection_signature_test(CMP_PROTECT_TEST_FIXTURE *
static int test_cmp_calc_protection_no_key_no_secret(void)
{
SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
if (!TEST_ptr(fixture->msg = load_pkimsg(ir_unprotected_f))
if (!TEST_ptr(fixture->msg = load_pkimsg(ir_unprotected_f, libctx))
|| !TEST_ptr(fixture->msg->header->protectionAlg =
X509_ALGOR_new() /* no specific alg needed here */)) {
tear_down(fixture);
@ -159,7 +159,7 @@ static int test_cmp_calc_protection_pkey(void)
SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
fixture->pubkey = loadedpubkey;
if (!TEST_true(OSSL_CMP_CTX_set1_pkey(fixture->cmp_ctx, loadedprivkey))
|| !TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f))) {
|| !TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f, libctx))) {
tear_down(fixture);
fixture = NULL;
}
@ -174,7 +174,7 @@ static int test_cmp_calc_protection_pbmac(void)
SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
if (!TEST_true(OSSL_CMP_CTX_set1_secretValue(fixture->cmp_ctx,
sec_insta, sizeof(sec_insta)))
|| !TEST_ptr(fixture->msg = load_pkimsg(ip_PBM_f))) {
|| !TEST_ptr(fixture->msg = load_pkimsg(ip_PBM_f, libctx))) {
tear_down(fixture);
fixture = NULL;
}
@ -577,8 +577,8 @@ int setup_tests(void)
return 0;
if (TEST_true(EVP_PKEY_up_ref(loadedprivkey)))
loadedpubkey = loadedprivkey;
if (!TEST_ptr(ir_protected = load_pkimsg(ir_protected_f))
|| !TEST_ptr(ir_unprotected = load_pkimsg(ir_unprotected_f)))
if (!TEST_ptr(ir_protected = load_pkimsg(ir_protected_f, libctx))
|| !TEST_ptr(ir_unprotected = load_pkimsg(ir_unprotected_f, libctx)))
return 0;
if (!TEST_ptr(endentity1 = load_cert_pem(endentity1_f, libctx))
|| !TEST_ptr(endentity2 = load_cert_pem(endentity2_f, libctx))

2
test/cmp_server_test.c
View File

@ -148,7 +148,7 @@ int setup_tests(void)
if (!test_arg_libctx(&libctx, &default_null_provider, &provider, 1, USAGE))
return 0;
if (!TEST_ptr(request = load_pkimsg(request_f))) {
if (!TEST_ptr(request = load_pkimsg(request_f, libctx))) {
cleanup_tests();
return 0;
}

28
test/cmp_vfy_test.c
View File

@ -91,7 +91,7 @@ static int flip_bit(ASN1_BIT_STRING *bitstr)
static int execute_verify_popo_test(CMP_VFY_TEST_FIXTURE *fixture)
{
if ((fixture->msg = load_pkimsg(ir_protected_f)) == NULL)
if ((fixture->msg = load_pkimsg(ir_protected_f, libctx)) == NULL)
return 0;
if (fixture->expected == 0) {
const OSSL_CRMF_MSGS *reqs = fixture->msg->body->value.ir;
@ -153,7 +153,7 @@ static int test_validate_msg_mac_alg_protection(void)
fixture->expected = 1;
if (!TEST_true(OSSL_CMP_CTX_set1_secretValue(fixture->cmp_ctx, sec_1,
sizeof(sec_1)))
|| !TEST_ptr(fixture->msg = load_pkimsg(ip_waiting_f))) {
|| !TEST_ptr(fixture->msg = load_pkimsg(ip_waiting_f, libctx))) {
tear_down(fixture);
fixture = NULL;
}
@ -174,7 +174,7 @@ static int test_validate_msg_mac_alg_protection_bad(void)
if (!TEST_true(OSSL_CMP_CTX_set1_secretValue(fixture->cmp_ctx, sec_bad,
sizeof(sec_bad)))
|| !TEST_ptr(fixture->msg = load_pkimsg(ip_waiting_f))) {
|| !TEST_ptr(fixture->msg = load_pkimsg(ip_waiting_f, libctx))) {
tear_down(fixture);
fixture = NULL;
}
@ -203,7 +203,7 @@ static int test_validate_msg_signature_partial_chain(int expired)
ts = OSSL_CMP_CTX_get0_trustedStore(fixture->cmp_ctx);
fixture->expected = !expired;
if (ts == NULL
|| !TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f))
|| !TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f, libctx))
|| !add_trusted(fixture->cmp_ctx, srvcert)) {
tear_down(fixture);
fixture = NULL;
@ -233,7 +233,7 @@ static int test_validate_msg_signature_srvcert_wrong(void)
{
SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
fixture->expected = 0;
if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f))
if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f, libctx))
|| !TEST_true(OSSL_CMP_CTX_set1_srvCert(fixture->cmp_ctx, clcert))) {
tear_down(fixture);
fixture = NULL;
@ -246,7 +246,7 @@ static int test_validate_msg_signature_srvcert(int bad_sig)
{
SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
fixture->expected = !bad_sig;
if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f))
if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f, libctx))
|| !TEST_true(OSSL_CMP_CTX_set1_srvCert(fixture->cmp_ctx, srvcert))
|| (bad_sig && !flip_bit(fixture->msg->protection))) {
tear_down(fixture);
@ -272,7 +272,7 @@ static int test_validate_msg_signature_sender_cert_untrusted(void)
{
SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
fixture->expected = 1;
if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_0_extracerts))
if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_0_extracerts, libctx))
|| !add_trusted(fixture->cmp_ctx, instaca_cert)
|| !add_untrusted(fixture->cmp_ctx, insta_cert)) {
tear_down(fixture);
@ -286,7 +286,7 @@ static int test_validate_msg_signature_sender_cert_trusted(void)
{
SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
fixture->expected = 1;
if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_0_extracerts))
if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_0_extracerts, libctx))
|| !add_trusted(fixture->cmp_ctx, instaca_cert)
|| !add_trusted(fixture->cmp_ctx, insta_cert)) {
tear_down(fixture);
@ -300,7 +300,7 @@ static int test_validate_msg_signature_sender_cert_extracert(void)
{
SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
fixture->expected = 1;
if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_2_extracerts))
if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_2_extracerts, libctx))
|| !add_trusted(fixture->cmp_ctx, instaca_cert)) {
tear_down(fixture);
fixture = NULL;
@ -315,7 +315,7 @@ static int test_validate_msg_signature_sender_cert_absent(void)
{
SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
fixture->expected = 0;
if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_0_extracerts))) {
if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_0_extracerts, libctx))) {
tear_down(fixture);
fixture = NULL;
}
@ -328,7 +328,7 @@ static int test_validate_with_sender(const X509_NAME *name, int expected)
{
SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
fixture->expected = expected;
if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f))
if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f, libctx))
|| !TEST_true(OSSL_CMP_CTX_set1_expected_sender(fixture->cmp_ctx, name))
|| !TEST_true(OSSL_CMP_CTX_set1_srvCert(fixture->cmp_ctx, srvcert))) {
tear_down(fixture);
@ -353,7 +353,7 @@ static int test_validate_msg_unprotected_request(void)
{
SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up);
fixture->expected = 0;
if (!TEST_ptr(fixture->msg = load_pkimsg(ir_unprotected_f))) {
if (!TEST_ptr(fixture->msg = load_pkimsg(ir_unprotected_f, libctx))) {
tear_down(fixture);
fixture = NULL;
}
@ -620,8 +620,8 @@ int setup_tests(void)
goto err;
if (!TEST_int_eq(1, RAND_bytes(rand_data, OSSL_CMP_TRANSACTIONID_LENGTH)))
goto err;
if (!TEST_ptr(ir_unprotected = load_pkimsg(ir_unprotected_f))
|| !TEST_ptr(ir_rmprotection = load_pkimsg(ir_rmprotection_f)))
if (!TEST_ptr(ir_unprotected = load_pkimsg(ir_unprotected_f, libctx))
|| !TEST_ptr(ir_rmprotection = load_pkimsg(ir_rmprotection_f, libctx)))
goto err;
/* Message validation tests */

4
test/helpers/cmp_testlib.c
View File

@ -12,11 +12,11 @@
#include "cmp_testlib.h"
#include <openssl/rsa.h> /* needed in case config no-deprecated */
OSSL_CMP_MSG *load_pkimsg(const char *file)
OSSL_CMP_MSG *load_pkimsg(const char *file, OSSL_LIB_CTX *libctx)
{
OSSL_CMP_MSG *msg;
(void)TEST_ptr((msg = OSSL_CMP_MSG_read(file)));
(void)TEST_ptr((msg = OSSL_CMP_MSG_read(file, libctx, NULL)));
return msg;
}

2
test/helpers/cmp_testlib.h
View File

@ -21,7 +21,7 @@
# ifndef OPENSSL_NO_CMP
# define CMP_TEST_REFVALUE_LENGTH 15 /* arbitrary value */
OSSL_CMP_MSG *load_pkimsg(const char *file);
OSSL_CMP_MSG *load_pkimsg(const char *file, OSSL_LIB_CTX *libctx);
int valid_asn1_encoding(const OSSL_CMP_MSG *msg);
int STACK_OF_X509_cmp(const STACK_OF(X509) *sk1, const STACK_OF(X509) *sk2);
int STACK_OF_X509_push1(STACK_OF(X509) *sk, X509 *cert);