openssl 3.2.4 → 3.3.0

data/ext/openssl/ossl_x509attr.c

@@ -5,7 +5,7 @@
  */
 /*
  * This program is licensed under the same licence as Ruby.
- * (See the file 'LICENCE'.)
+ * (See the file 'COPYING'.)
  */
 #include "ossl.h"
 
@@ -28,7 +28,7 @@
  * Classes
  */
 VALUE cX509Attr;
-VALUE eX509AttrError;
+static VALUE eX509AttrError;
 
 static void
 ossl_x509attr_free(void *ptr)
@@ -48,7 +48,7 @@ static const rb_data_type_t ossl_x509attr_type = {
  * Public
  */
 VALUE
-ossl_x509attr_new(const X509_ATTRIBUTE *attr)
+ossl_x509attr_new(X509_ATTRIBUTE *attr)
 {
     X509_ATTRIBUTE *new;
     VALUE obj;
@@ -57,8 +57,7 @@ ossl_x509attr_new(const X509_ATTRIBUTE *attr)
     if (!attr) {
 	new = X509_ATTRIBUTE_new();
     } else {
-	/* OpenSSL 1.1.1 takes a non-const pointer */
-	new = X509_ATTRIBUTE_dup((X509_ATTRIBUTE *)attr);
+	new = X509_ATTRIBUTE_dup(attr);
     }
     if (!new) {
 	ossl_raise(eX509AttrError, NULL);
@@ -175,7 +174,7 @@ static VALUE
 ossl_x509attr_get_oid(VALUE self)
 {
     X509_ATTRIBUTE *attr;
-    const ASN1_OBJECT *oid;
+    ASN1_OBJECT *oid;
     BIO *out;
     VALUE ret;
     int nid;
@@ -187,7 +186,7 @@ ossl_x509attr_get_oid(VALUE self)
     else{
 	if (!(out = BIO_new(BIO_s_mem())))
 	    ossl_raise(eX509AttrError, NULL);
-	i2a_ASN1_OBJECT(out, (ASN1_OBJECT *)oid);
+	i2a_ASN1_OBJECT(out, oid);
 	ret = ossl_membio2str(out);
     }
 
@@ -202,37 +201,36 @@ static VALUE
 ossl_x509attr_set_value(VALUE self, VALUE value)
 {
     X509_ATTRIBUTE *attr;
-    VALUE asn1_value;
-    int i, asn1_tag;
+    GetX509Attr(self, attr);
 
     OSSL_Check_Kind(value, cASN1Data);
-    asn1_tag = NUM2INT(rb_attr_get(value, rb_intern("@tag")));
-    asn1_value = rb_attr_get(value, rb_intern("@value"));
-    if (asn1_tag != V_ASN1_SET)
-	ossl_raise(eASN1Error, "argument must be ASN1::Set");
-    if (!RB_TYPE_P(asn1_value, T_ARRAY))
-	ossl_raise(eASN1Error, "ASN1::Set has non-array value");
+    VALUE der = ossl_to_der(value);
+    const unsigned char *p = (const unsigned char *)RSTRING_PTR(der);
+    STACK_OF(ASN1_TYPE) *sk = d2i_ASN1_SET_ANY(NULL, &p, RSTRING_LEN(der));
+    if (!sk)
+        ossl_raise(eX509AttrError, "attribute value must be ASN1::Set");
 
-    GetX509Attr(self, attr);
     if (X509_ATTRIBUTE_count(attr)) { /* populated, reset first */
-	const ASN1_OBJECT *obj = X509_ATTRIBUTE_get0_object(attr);
-	X509_ATTRIBUTE *new_attr = X509_ATTRIBUTE_create_by_OBJ(NULL, obj, 0, NULL, -1);
-	if (!new_attr)
-	    ossl_raise(eX509AttrError, NULL);
-	SetX509Attr(self, new_attr);
-	X509_ATTRIBUTE_free(attr);
-	attr = new_attr;
+        ASN1_OBJECT *obj = X509_ATTRIBUTE_get0_object(attr);
+        X509_ATTRIBUTE *new_attr = X509_ATTRIBUTE_create_by_OBJ(NULL, obj, 0, NULL, -1);
+        if (!new_attr) {
+            sk_ASN1_TYPE_pop_free(sk, ASN1_TYPE_free);
+            ossl_raise(eX509AttrError, "X509_ATTRIBUTE_create_by_OBJ");
+        }
+        SetX509Attr(self, new_attr);
+        X509_ATTRIBUTE_free(attr);
+        attr = new_attr;
     }
 
-    for (i = 0; i < RARRAY_LEN(asn1_value); i++) {
-	ASN1_TYPE *a1type = ossl_asn1_get_asn1type(RARRAY_AREF(asn1_value, i));
-	if (!X509_ATTRIBUTE_set1_data(attr, ASN1_TYPE_get(a1type),
-				      a1type->value.ptr, -1)) {
-	    ASN1_TYPE_free(a1type);
-	    ossl_raise(eX509AttrError, NULL);
-	}
-	ASN1_TYPE_free(a1type);
+    for (int i = 0; i < sk_ASN1_TYPE_num(sk); i++) {
+        ASN1_TYPE *a1type = sk_ASN1_TYPE_value(sk, i);
+        if (!X509_ATTRIBUTE_set1_data(attr, ASN1_TYPE_get(a1type),
+                                      a1type->value.ptr, -1)) {
+            sk_ASN1_TYPE_pop_free(sk, ASN1_TYPE_free);
+            ossl_raise(eX509AttrError, "X509_ATTRIBUTE_set1_data");
+        }
     }
+    sk_ASN1_TYPE_pop_free(sk, ASN1_TYPE_free);
 
     return value;
 }
@@ -257,7 +255,7 @@ ossl_x509attr_get_value(VALUE self)
 
     count = X509_ATTRIBUTE_count(attr);
     for (i = 0; i < count; i++)
-        sk_ASN1_TYPE_push(sk, (ASN1_TYPE *)X509_ATTRIBUTE_get0_type(attr, i));
+	sk_ASN1_TYPE_push(sk, X509_ATTRIBUTE_get0_type(attr, i));
 
     if ((len = i2d_ASN1_SET_ANY(sk, NULL)) <= 0) {
 	sk_ASN1_TYPE_free(sk);

data/ext/openssl/ossl_x509cert.c

@@ -5,7 +5,7 @@
  */
 /*
  * This program is licensed under the same licence as Ruby.
- * (See the file 'LICENCE'.)
+ * (See the file 'COPYING'.)
  */
 #include "ossl.h"
 
@@ -28,7 +28,7 @@
  * Classes
  */
 VALUE cX509Cert;
-VALUE eX509CertError;
+static VALUE eX509CertError;
 
 static void
 ossl_x509_free(void *ptr)
@@ -48,7 +48,7 @@ static const rb_data_type_t ossl_x509_type = {
  * Public
  */
 VALUE
-ossl_x509_new(const X509 *x509)
+ossl_x509_new(X509 *x509)
 {
     X509 *new;
     VALUE obj;
@@ -57,8 +57,7 @@ ossl_x509_new(const X509 *x509)
     if (!x509) {
 	new = X509_new();
     } else {
-	/* OpenSSL 1.1.1 takes a non-const pointer */
-	new = X509_dup((X509 *)x509);
+	new = X509_dup(x509);
     }
     if (!new) {
 	ossl_raise(eX509CertError, NULL);
@@ -352,7 +351,7 @@ static VALUE
 ossl_x509_get_subject(VALUE self)
 {
     X509 *x509;
-    const X509_NAME *name;
+    X509_NAME *name;
 
     GetX509(self, x509);
     if (!(name = X509_get_subject_name(x509))) { /* NO DUP - don't free! */
@@ -387,7 +386,7 @@ static VALUE
 ossl_x509_get_issuer(VALUE self)
 {
     X509 *x509;
-    const X509_NAME *name;
+    X509_NAME *name;
 
     GetX509(self, x509);
     if(!(name = X509_get_issuer_name(x509))) { /* NO DUP - don't free! */
@@ -540,7 +539,11 @@ ossl_x509_sign(VALUE self, VALUE key, VALUE digest)
     const EVP_MD *md;
 
     pkey = GetPrivPKeyPtr(key); /* NO NEED TO DUP */
-    md = ossl_evp_get_digestbyname(digest);
+    if (NIL_P(digest)) {
+        md = NULL; /* needed for some key types, e.g. Ed25519 */
+    } else {
+        md = ossl_evp_get_digestbyname(digest);
+    }
     GetX509(self, x509);
     if (!X509_sign(x509, pkey, md)) {
 	ossl_raise(eX509CertError, NULL);
@@ -609,6 +612,7 @@ ossl_x509_get_extensions(VALUE self)
 {
     X509 *x509;
     int count, i;
+    X509_EXTENSION *ext;
     VALUE ary;
 
     GetX509(self, x509);
@@ -618,7 +622,7 @@ ossl_x509_get_extensions(VALUE self)
     }
     ary = rb_ary_new2(count);
     for (i=0; i<count; i++) {
-	const X509_EXTENSION *ext = X509_get_ext(x509, i);
+	ext = X509_get_ext(x509, i); /* NO DUP - don't free! */
 	rb_ary_push(ary, ossl_x509ext_new(ext));
     }
 
@@ -707,6 +711,38 @@ ossl_x509_eq(VALUE self, VALUE other)
     return !X509_cmp(a, b) ? Qtrue : Qfalse;
 }
 
+#ifdef HAVE_I2D_RE_X509_TBS
+/*
+ * call-seq:
+ *    cert.tbs_bytes => string
+ *
+ * Returns the DER-encoded bytes of the certificate's to be signed certificate.
+ * This is mainly useful for validating embedded certificate transparency signatures.
+ */
+static VALUE
+ossl_x509_tbs_bytes(VALUE self)
+{
+    X509 *x509;
+    int len;
+    unsigned char *p0;
+    VALUE str;
+
+    GetX509(self, x509);
+    len = i2d_re_X509_tbs(x509, NULL);
+    if (len <= 0) {
+        ossl_raise(eX509CertError, "i2d_re_X509_tbs");
+    }
+    str = rb_str_new(NULL, len);
+    p0 = (unsigned char *)RSTRING_PTR(str);
+    if (i2d_re_X509_tbs(x509, &p0) <= 0) {
+        ossl_raise(eX509CertError, "i2d_re_X509_tbs");
+    }
+    ossl_str_adjust(str, p0);
+
+    return str;
+}
+#endif
+
 struct load_chained_certificates_arguments {
     VALUE certificates;
     X509 *certificate;
@@ -999,4 +1035,7 @@ Init_ossl_x509cert(void)
     rb_define_method(cX509Cert, "add_extension", ossl_x509_add_extension, 1);
     rb_define_method(cX509Cert, "inspect", ossl_x509_inspect, 0);
     rb_define_method(cX509Cert, "==", ossl_x509_eq, 1);
+#ifdef HAVE_I2D_RE_X509_TBS
+    rb_define_method(cX509Cert, "tbs_bytes", ossl_x509_tbs_bytes, 0);
+#endif
 }

data/ext/openssl/ossl_x509crl.c

@@ -5,7 +5,7 @@
  */
 /*
  * This program is licensed under the same licence as Ruby.
- * (See the file 'LICENCE'.)
+ * (See the file 'COPYING'.)
  */
 #include "ossl.h"
 
@@ -27,8 +27,8 @@
 /*
  * Classes
  */
-VALUE cX509CRL;
-VALUE eX509CRLError;
+static VALUE cX509CRL;
+static VALUE eX509CRLError;
 
 static void
 ossl_x509crl_free(void *ptr)
@@ -58,14 +58,13 @@ GetX509CRLPtr(VALUE obj)
 }
 
 VALUE
-ossl_x509crl_new(const X509_CRL *crl)
+ossl_x509crl_new(X509_CRL *crl)
 {
     X509_CRL *tmp;
     VALUE obj;
 
     obj = NewX509CRL(cX509CRL);
-    /* OpenSSL 1.1.1 takes a non-const pointer */
-    tmp = crl ? X509_CRL_dup((X509_CRL *)crl) : X509_CRL_new();
+    tmp = crl ? X509_CRL_dup(crl) : X509_CRL_new();
     if(!tmp) ossl_raise(eX509CRLError, NULL);
     SetX509CRL(obj, tmp);
 
@@ -275,7 +274,7 @@ ossl_x509crl_get_revoked(VALUE self)
 {
     X509_CRL *crl;
     int i, num;
-    const X509_REVOKED *rev;
+    X509_REVOKED *rev;
     VALUE ary, revoked;
 
     GetX509CRL(self, crl);
@@ -351,7 +350,11 @@ ossl_x509crl_sign(VALUE self, VALUE key, VALUE digest)
 
     GetX509CRL(self, crl);
     pkey = GetPrivPKeyPtr(key); /* NO NEED TO DUP */
-    md = ossl_evp_get_digestbyname(digest);
+    if (NIL_P(digest)) {
+	md = NULL; /* needed for some key types, e.g. Ed25519 */
+    } else {
+	md = ossl_evp_get_digestbyname(digest);
+    }
     if (!X509_CRL_sign(crl, pkey, md)) {
 	ossl_raise(eX509CRLError, NULL);
     }
@@ -441,6 +444,7 @@ ossl_x509crl_get_extensions(VALUE self)
 {
     X509_CRL *crl;
     int count, i;
+    X509_EXTENSION *ext;
     VALUE ary;
 
     GetX509CRL(self, crl);
@@ -451,7 +455,7 @@ ossl_x509crl_get_extensions(VALUE self)
     }
     ary = rb_ary_new2(count);
     for (i=0; i<count; i++) {
-	const X509_EXTENSION *ext = X509_CRL_get_ext(crl, i);
+	ext = X509_CRL_get_ext(crl, i); /* NO DUP - don't free! */
 	rb_ary_push(ary, ossl_x509ext_new(ext));
     }
 

data/ext/openssl/ossl_x509ext.c

@@ -5,7 +5,7 @@
  */
 /*
  * This program is licensed under the same licence as Ruby.
- * (See the file 'LICENCE'.)
+ * (See the file 'COPYING'.)
  */
 #include "ossl.h"
 
@@ -41,8 +41,8 @@
  * Classes
  */
 VALUE cX509Ext;
-VALUE cX509ExtFactory;
-VALUE eX509ExtError;
+static VALUE cX509ExtFactory;
+static VALUE eX509ExtError;
 
 static void
 ossl_x509ext_free(void *ptr)
@@ -62,7 +62,7 @@ static const rb_data_type_t ossl_x509ext_type = {
  * Public
  */
 VALUE
-ossl_x509ext_new(const X509_EXTENSION *ext)
+ossl_x509ext_new(X509_EXTENSION *ext)
 {
     X509_EXTENSION *new;
     VALUE obj;
@@ -71,8 +71,7 @@ ossl_x509ext_new(const X509_EXTENSION *ext)
     if (!ext) {
 	new = X509_EXTENSION_new();
     } else {
-	/* OpenSSL 1.1.1 takes a non-const pointer */
-	new = X509_EXTENSION_dup((X509_EXTENSION *)ext);
+	new = X509_EXTENSION_dup(ext);
     }
     if (!new) {
 	ossl_raise(eX509ExtError, NULL);
@@ -347,20 +346,12 @@ ossl_x509ext_set_value(VALUE self, VALUE data)
     GetX509Ext(self, ext);
     data = ossl_to_der_if_possible(data);
     StringValue(data);
+    asn1s = X509_EXTENSION_get_data(ext);
 
-    asn1s = ASN1_OCTET_STRING_new();
-    if (!asn1s)
-        ossl_raise(eX509ExtError, "ASN1_OCTET_STRING_new");
     if (!ASN1_OCTET_STRING_set(asn1s, (unsigned char *)RSTRING_PTR(data),
-                               RSTRING_LENINT(data))) {
-        ASN1_OCTET_STRING_free(asn1s);
-        ossl_raise(eX509ExtError, "ASN1_OCTET_STRING_set");
+			       RSTRING_LENINT(data))) {
+	ossl_raise(eX509ExtError, "ASN1_OCTET_STRING_set");
     }
-    if (!X509_EXTENSION_set_data(ext, asn1s)) {
-        ASN1_OCTET_STRING_free(asn1s);
-        ossl_raise(eX509ExtError, "X509_EXTENSION_set_data");
-    }
-    ASN1_OCTET_STRING_free(asn1s);
 
     return data;
 }
@@ -380,7 +371,7 @@ static VALUE
 ossl_x509ext_get_oid(VALUE obj)
 {
     X509_EXTENSION *ext;
-    const ASN1_OBJECT *extobj;
+    ASN1_OBJECT *extobj;
     BIO *out;
     VALUE ret;
     int nid;
@@ -392,7 +383,7 @@ ossl_x509ext_get_oid(VALUE obj)
     else{
 	if (!(out = BIO_new(BIO_s_mem())))
 	    ossl_raise(eX509ExtError, NULL);
-	i2a_ASN1_OBJECT(out, (ASN1_OBJECT *)extobj);
+	i2a_ASN1_OBJECT(out, extobj);
 	ret = ossl_membio2str(out);
     }
 
@@ -420,13 +411,13 @@ static VALUE
 ossl_x509ext_get_value_der(VALUE obj)
 {
     X509_EXTENSION *ext;
-    const ASN1_OCTET_STRING *value;
+    ASN1_OCTET_STRING *value;
 
     GetX509Ext(obj, ext);
     if ((value = X509_EXTENSION_get_data(ext)) == NULL)
 	ossl_raise(eX509ExtError, NULL);
 
-    return asn1str_to_str(value);
+    return rb_str_new((const char *)value->data, value->length);
 }
 
 static VALUE

data/ext/openssl/ossl_x509name.c

@@ -5,7 +5,7 @@
  */
 /*
  * This program is licensed under the same licence as Ruby.
- * (See the file 'LICENCE'.)
+ * (See the file 'COPYING'.)
  */
 #include "ossl.h"
 
@@ -32,8 +32,8 @@
 /*
  * Classes
  */
-VALUE cX509Name;
-VALUE eX509NameError;
+static VALUE cX509Name;
+static VALUE eX509NameError;
 
 static void
 ossl_x509name_free(void *ptr)
@@ -53,7 +53,7 @@ static const rb_data_type_t ossl_x509name_type = {
  * Public
  */
 VALUE
-ossl_x509name_new(const X509_NAME *name)
+ossl_x509name_new(X509_NAME *name)
 {
     X509_NAME *new;
     VALUE obj;
@@ -62,8 +62,7 @@ ossl_x509name_new(const X509_NAME *name)
     if (!name) {
 	new = X509_NAME_new();
     } else {
-	/* OpenSSL 1.1.1 takes a non-const pointer */
-	new = X509_NAME_dup((X509_NAME *)name);
+	new = X509_NAME_dup(name);
     }
     if (!new) {
 	ossl_raise(eX509NameError, NULL);
@@ -361,7 +360,7 @@ ossl_x509name_to_a(VALUE self)
     }
     ret = rb_ary_new2(entries);
     for (i=0; i<entries; i++) {
-	if (!(entry = (X509_NAME_ENTRY *)X509_NAME_get_entry(name, i))) {
+	if (!(entry = X509_NAME_get_entry(name, i))) {
 	    ossl_raise(eX509NameError, NULL);
 	}
 	if (!i2t_ASN1_OBJECT(long_name, sizeof(long_name),
@@ -375,9 +374,8 @@ ossl_x509name_to_a(VALUE self)
 	    short_name = OBJ_nid2sn(nid);
 	    vname = rb_str_new2(short_name); /*do not free*/
 	}
-	value = (ASN1_STRING *)X509_NAME_ENTRY_get_data(entry);
-	ary = rb_ary_new3(3, vname, asn1str_to_str(value),
-                          INT2NUM(ASN1_STRING_type(value)));
+	value = X509_NAME_ENTRY_get_data(entry);
+	ary = rb_ary_new3(3, vname, asn1str_to_str(value), INT2NUM(value->type));
 	rb_ary_push(ret, ary);
     }
     return ret;

data/ext/openssl/ossl_x509req.c

@@ -5,7 +5,7 @@
  */
 /*
  * This program is licensed under the same licence as Ruby.
- * (See the file 'LICENCE'.)
+ * (See the file 'COPYING'.)
  */
 #include "ossl.h"
 
@@ -27,8 +27,8 @@
 /*
  * Classes
  */
-VALUE cX509Req;
-VALUE eX509ReqError;
+static VALUE cX509Req;
+static VALUE eX509ReqError;
 
 static void
 ossl_x509req_free(void *ptr)
@@ -230,7 +230,7 @@ static VALUE
 ossl_x509req_get_subject(VALUE self)
 {
     X509_REQ *req;
-    const X509_NAME *name;
+    X509_NAME *name;
 
     GetX509Req(self, req);
     if (!(name = X509_REQ_get_subject_name(req))) { /* NO DUP - don't free */
@@ -312,7 +312,11 @@ ossl_x509req_sign(VALUE self, VALUE key, VALUE digest)
 
     GetX509Req(self, req);
     pkey = GetPrivPKeyPtr(key); /* NO NEED TO DUP */
-    md = ossl_evp_get_digestbyname(digest);
+    if (NIL_P(digest)) {
+        md = NULL; /* needed for some key types, e.g. Ed25519 */
+    } else {
+        md = ossl_evp_get_digestbyname(digest);
+    }
     if (!X509_REQ_sign(req, pkey, md)) {
 	ossl_raise(eX509ReqError, NULL);
     }
@@ -348,7 +352,7 @@ ossl_x509req_get_attributes(VALUE self)
 {
     X509_REQ *req;
     int count, i;
-    const X509_ATTRIBUTE *attr;
+    X509_ATTRIBUTE *attr;
     VALUE ary;
 
     GetX509Req(self, req);

data/ext/openssl/ossl_x509revoked.c

@@ -5,7 +5,7 @@
  */
 /*
  * This program is licensed under the same licence as Ruby.
- * (See the file 'LICENCE'.)
+ * (See the file 'COPYING'.)
  */
 #include "ossl.h"
 
@@ -28,7 +28,7 @@
  * Classes
  */
 VALUE cX509Rev;
-VALUE eX509RevError;
+static VALUE eX509RevError;
 
 static void
 ossl_x509rev_free(void *ptr)
@@ -48,7 +48,7 @@ static const rb_data_type_t ossl_x509rev_type = {
  * PUBLIC
  */
 VALUE
-ossl_x509revoked_new(const X509_REVOKED *rev)
+ossl_x509revoked_new(X509_REVOKED *rev)
 {
     X509_REVOKED *new;
     VALUE obj;
@@ -57,8 +57,7 @@ ossl_x509revoked_new(const X509_REVOKED *rev)
     if (!rev) {
 	new = X509_REVOKED_new();
     } else {
-	/* OpenSSL 1.1.1 takes a non-const pointer */
-	new = X509_REVOKED_dup((X509_REVOKED *)rev);
+	new = X509_REVOKED_dup(rev);
     }
     if (!new) {
 	ossl_raise(eX509RevError, NULL);
@@ -190,7 +189,7 @@ ossl_x509revoked_get_extensions(VALUE self)
 {
     X509_REVOKED *rev;
     int count, i;
-    const X509_EXTENSION *ext;
+    X509_EXTENSION *ext;
     VALUE ary;
 
     GetX509Rev(self, rev);

data/ext/openssl/ossl_x509store.c

@@ -5,7 +5,7 @@
  */
 /*
  * This program is licensed under the same licence as Ruby.
- * (See the file 'LICENCE'.)
+ * (See the file 'COPYING'.)
  */
 #include "ossl.h"
 
@@ -108,9 +108,9 @@ ossl_verify_cb_call(VALUE proc, int ok, X509_STORE_CTX *ctx)
 /*
  * Classes
  */
-VALUE cX509Store;
-VALUE cX509StoreContext;
-VALUE eX509StoreError;
+static VALUE cX509Store;
+static VALUE cX509StoreContext;
+static VALUE eX509StoreError;
 
 static void
 ossl_x509store_mark(void *ptr)
@@ -223,7 +223,6 @@ ossl_x509store_initialize(int argc, VALUE *argv, VALUE self)
     rb_iv_set(self, "@error", Qnil);
     rb_iv_set(self, "@error_string", Qnil);
     rb_iv_set(self, "@chain", Qnil);
-    rb_iv_set(self, "@time", Qnil);
 
     return self;
 }
@@ -329,7 +328,16 @@ ossl_x509store_set_trust(VALUE self, VALUE trust)
 static VALUE
 ossl_x509store_set_time(VALUE self, VALUE time)
 {
-    rb_iv_set(self, "@time", time);
+    X509_STORE *store;
+    X509_VERIFY_PARAM *param;
+
+    GetX509Store(self, store);
+#ifdef HAVE_X509_STORE_GET0_PARAM
+    param = X509_STORE_get0_param(store);
+#else
+    param = store->param;
+#endif
+    X509_VERIFY_PARAM_set_time(param, NUM2LONG(rb_Integer(time)));
     return time;
 }
 
@@ -521,8 +529,10 @@ static void
 ossl_x509stctx_free(void *ptr)
 {
     X509_STORE_CTX *ctx = ptr;
-    sk_X509_pop_free(X509_STORE_CTX_get0_untrusted(ctx), X509_free);
-    X509_free((X509 *)X509_STORE_CTX_get0_cert(ctx));
+    if (X509_STORE_CTX_get0_untrusted(ctx))
+	sk_X509_pop_free(X509_STORE_CTX_get0_untrusted(ctx), X509_free);
+    if (X509_STORE_CTX_get0_cert(ctx))
+	X509_free(X509_STORE_CTX_get0_cert(ctx));
     X509_STORE_CTX_free(ctx);
 }
 
@@ -562,7 +572,6 @@ ossl_x509stctx_new(X509_STORE_CTX *ctx)
 static VALUE ossl_x509stctx_set_flags(VALUE, VALUE);
 static VALUE ossl_x509stctx_set_purpose(VALUE, VALUE);
 static VALUE ossl_x509stctx_set_trust(VALUE, VALUE);
-static VALUE ossl_x509stctx_set_time(VALUE, VALUE);
 
 /*
  * call-seq:
@@ -573,7 +582,7 @@ static VALUE ossl_x509stctx_set_time(VALUE, VALUE);
 static VALUE
 ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self)
 {
-    VALUE store, cert, chain, t;
+    VALUE store, cert, chain;
     X509_STORE_CTX *ctx;
     X509_STORE *x509st;
     X509 *x509 = NULL;
@@ -597,8 +606,6 @@ ossl_x509stctx_initialize(int argc, VALUE *argv, VALUE self)
         sk_X509_pop_free(x509s, X509_free);
         ossl_raise(eX509StoreError, "X509_STORE_CTX_init");
     }
-    if (!NIL_P(t = rb_iv_get(store, "@time")))
-	ossl_x509stctx_set_time(self, t);
     rb_iv_set(self, "@verify_callback", rb_iv_get(store, "@verify_callback"));
     rb_iv_set(self, "@cert", cert);
 
@@ -629,7 +636,7 @@ ossl_x509stctx_verify(VALUE self)
         ossl_clear_error();
         return Qfalse;
       default:
-        ossl_raise(eX509CertError, "X509_verify_cert");
+        ossl_raise(eX509StoreError, "X509_verify_cert");
     }
 }
 
@@ -763,7 +770,7 @@ static VALUE
 ossl_x509stctx_get_curr_crl(VALUE self)
 {
     X509_STORE_CTX *ctx;
-    const X509_CRL *crl;
+    X509_CRL *crl;
 
     GetX509StCtx(self, ctx);
     crl = X509_STORE_CTX_get0_current_crl(ctx);