sk_X509_new_reserve
*out = sk_X509_new_reserve(NULL, sk_X509_num(certs));
STACK_OF(X509) *encryption_recips = sk_X509_new_reserve(NULL, 1);
if ((*certs = sk_X509_new_reserve(NULL, n)) == NULL)
untrusted = sk_X509_new_reserve(NULL, sk_X509_num(certs) + sk_X509_num(token->d.sign->cert));