From dabc6cd2a5f0eaae985be39bf6b4a1c9ee5cb602 Mon Sep 17 00:00:00 2001
From: Chenjp <ch_jp@msn.com>
Date: Thu, 26 Feb 2026 14:54:14 +0800
Subject: [PATCH] Unhappy cert

Enhance handling of unhappy certificate,
---
 native/src/ssl.c        | 8 ++++++--
 native/src/sslcontext.c | 4 +---
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/native/src/ssl.c b/native/src/ssl.c
index 232faa1f0..6e9e58c70 100644
--- a/native/src/ssl.c
+++ b/native/src/ssl.c
@@ -908,8 +908,7 @@ TCN_IMPLEMENT_CALL(jobjectArray, SSL, getPeerCertChain)(TCN_STDARGS,
 
         buf = NULL;
         length = i2d_X509(cert, &buf);
-        if (length < 0) {
-            OPENSSL_free(buf);
+        if (length <= 0) {
             /* In case of error just return an empty byte[][] */
             return (*e)->NewObjectArray(e, 0, byteArrayClass, NULL);
         }
@@ -953,6 +952,11 @@ TCN_IMPLEMENT_CALL(jbyteArray, SSL, getPeerCertificate)(TCN_STDARGS,
 
     length = i2d_X509(cert, &buf);
 
+    if (length <= 0) {
+        X509_free(cert);
+        return NULL;
+    }
+
     bArray = (*e)->NewByteArray(e, length);
     (*e)->SetByteArrayRegion(e, bArray, 0, length, (jbyte*) buf);
 
diff --git a/native/src/sslcontext.c b/native/src/sslcontext.c
index eb9b49ec3..93e7f278d 100644
--- a/native/src/sslcontext.c
+++ b/native/src/sslcontext.c
@@ -1754,11 +1754,9 @@ static int SSL_cert_verify(X509_STORE_CTX *ctx, void *arg) {
 
         buf = NULL;
         length = i2d_X509(cert, &buf);
-        if (length < 0) {
+        if (length <= 0) {
             // In case of error just return an empty byte[][]
             array = (*e)->NewObjectArray(e, 0, byteArrayClass, NULL);
-            // We need to delete the local references so we not leak memory as this method is called via callback.
-            OPENSSL_free(buf);
             break;
         }
         bArray = (*e)->NewByteArray(e, length);