> From: owner-openssl-users On Behalf Of Danyk
> Sent: Tuesday, November 26, 2013 06:07

> I am not using the openssl command line, I have to use the APIs (the
> openssl.cnf is not used/parsed when using APIs, right?)
> 
Mostly up to you. If you call the simple wrapper OPENSSL_config(), 
or the more detailed NCONF_ and CONF_ routines, it uses a config file,
which you can select to be the default openssl.cnf or another one.
(There is also an option to automatically OPENSSL_config when you call 
OPENSSL_add_all_algorithms, which is rather a kludge. See CHANGES for
0.9.7.)

> Regarding "the value in an extension is an OCTET STRING containing
> the DER of the value, not the value itself", so basically do I need to
> convert the string to DER encoded?
> 
> I tried :
>         ASN1_OCTET_STRING *os = ASN1_OCTET_STRING_new();
>         unsigned char *d = "5";
>         int dlen = i2d_ASN1_OCTET_STRING( os, &d );
>         ASN1_OCTET_STRING_set( os, d, dlen );
>         extension = X509_EXTENSION_create_by_NID( NULL, nid, 0, os );
> 
> but I get rubbish (space between the OID and the value):
>   1.3.6.1.4.1.19718.1000.1.2.2:
>                 .
> 5
> 
> Am I using the correct API (i2d_ASN1_OCTET_STRING/ i2d_ASN1_INTEGER)?
> What am I missing?
> 
That's not valid C. You're overwriting a string literal (and with a useless 
value). On some C implementations you're lucky and that will crash. 
As it is you apparently got confusing garbage from nearby memory.

You need to first get the value in its correct type -- is it really an 
octet string containing one ASCII character "5"? That's not impossible,
but character data in ASN.1 is usually represented in one of its several 
character string types; PrintableString and UTF-8 are IME the most 
common. If this extension is for interoperation with any other system(s),
you need to agree the ASN.1 type(s) with them. If you're creating it 
for your own use, pick what you want -- but if it's for your own use 
including your own CA, you could do it at CA issue instead of in the CSR.

Then you must either get enough buffer space and i2d the value into it -- 
using a temporary pointer whose value you *don't* use subsequently -- 
or pass a pointer to an initially null pointer, which OpenSSL will
auto-allocate and you must OPENSSL_free when done. If you want to manage it 
yourself, you can call i2d with a null pointer (to pointer) to compute the 
space needed, allocate that, use it, and then free it when done.
man i2d_X509 explains the basic API used by all i2d and d2i routines,
along with X509 (cert) specifics you should ignore here.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

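The reply above makes two points that are easy to get wrong: the extnValue OCTET STRING must contain the DER of the value in its proper ASN.1 type (not the raw bytes), and an i2d call advances the pointer you hand it, so you must keep your own start pointer. The following is an added example, not code from the thread and not OpenSSL's own code. It is a small hand-written DER encoder in C that follows the same calling convention as OpenSSL's i2d routines (pass NULL to size, a pointer to NULL to auto-allocate, a pointer to a buffer to write and advance) and builds the complete Extension structure for the OID in the post with the value "5" as a PrintableString. The names der_tlv, der_oid, der_extension and the TAG_* macros are this example's own; the OID and value are taken from the post. With the real library the equivalent steps are ASN1_PRINTABLESTRING_new plus ASN1_STRING_set for the value, i2d_ASN1_PRINTABLESTRING to get its DER, ASN1_OCTET_STRING_set with that DER, and X509_EXTENSION_create_by_OBJ.

```c
/* Added example (not OpenSSL code, not from the thread): a minimal DER encoder
 * with the i2d calling convention, used to build an X.509 Extension by hand. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TAG_BOOLEAN     0x01
#define TAG_OCTETSTRING 0x04
#define TAG_OID         0x06
#define TAG_PRINTABLE   0x13
#define TAG_SEQUENCE    0x30

/* Encode one tag-length-value. Same contract as OpenSSL's i2d_*():
 *   pp == NULL  -> only return the encoded length (sizing pass)
 *   *pp == NULL -> malloc a buffer, write, leave *pp at its START; caller frees
 *   *pp != NULL -> write at *pp and ADVANCE *pp past the bytes written
 * Lengths up to 65535 are supported, which covers any extension value. */
static int der_tlv(uint8_t tag, const uint8_t *val, size_t vlen, uint8_t **pp)
{
    size_t lenbytes = vlen < 128 ? 1 : (vlen < 256 ? 2 : 3);
    int total = (int)(1 + lenbytes + vlen), allocated = 0;
    uint8_t *p;

    if (pp == NULL) return total;
    if (*pp == NULL) { if ((*pp = malloc((size_t)total)) == NULL) return -1; allocated = 1; }
    p = *pp;
    *p++ = tag;
    if (vlen < 128)      { *p++ = (uint8_t)vlen; }
    else if (vlen < 256) { *p++ = 0x81; *p++ = (uint8_t)vlen; }
    else                 { *p++ = 0x82; *p++ = (uint8_t)(vlen >> 8); *p++ = (uint8_t)vlen; }
    memcpy(p, val, vlen);
    if (!allocated) *pp = p + vlen;   /* cursor moves; the caller keeps its own start pointer */
    return total;
}

/* OBJECT IDENTIFIER: first two arcs packed as 40*a+b, every arc base-128
 * big-endian with the continuation bit set on all but its last byte. */
static int der_oid(const char *dotted, uint8_t **pp)
{
    uint8_t body[64], tmp[10];
    size_t n = 0;
    unsigned long arc, first = 0;
    int idx = 0, k;
    char *end;

    for (const char *s = dotted; *s != '\0'; s = (*end == '.') ? end + 1 : end, idx++) {
        arc = strtoul(s, &end, 10);
        if (end == s) return -1;                 /* not a number */
        if (idx == 0) { first = arc; continue; }
        if (idx == 1) arc += first * 40;
        k = 0;
        do { tmp[k++] = (uint8_t)(arc & 0x7F); arc >>= 7; } while (arc != 0);
        while (k-- > 0) {
            if (n >= sizeof body) return -1;
            body[n++] = (uint8_t)(tmp[k] | (k > 0 ? 0x80 : 0));
        }
    }
    return idx < 2 ? -1 : der_tlv(TAG_OID, body, n, pp);
}

/* Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
 *                          extnValue OCTET STRING }
 * extnValue carries the DER of the value, not the value itself: "5" as a
 * PrintableString is 13 01 35, and that whole TLV sits inside 04 03 .... */
static int der_extension(const char *oid, int critical, uint8_t value_tag,
                         const uint8_t *value, size_t vlen, uint8_t **pp)
{
    static const uint8_t der_true = 0xFF;
    int inner_len = der_tlv(value_tag, value, vlen, NULL);   /* sizing pass: NULL pp */
    int oid_len = der_oid(oid, NULL), body_len, total;
    uint8_t *inner, *body, *cur;

    if (inner_len < 0 || oid_len < 0) return -1;
    body_len = oid_len + (critical ? 3 : 0) + der_tlv(TAG_OCTETSTRING, NULL, (size_t)inner_len, NULL);
    if ((inner = malloc((size_t)inner_len)) == NULL) return -1;
    if ((body = malloc((size_t)body_len)) == NULL) { free(inner); return -1; }

    cur = inner;                              /* temporary cursor: der_tlv advances it */
    der_tlv(value_tag, value, vlen, &cur);    /* afterwards use 'inner', never 'cur' */
    cur = body;
    der_oid(oid, &cur);
    if (critical) der_tlv(TAG_BOOLEAN, &der_true, 1, &cur);   /* DER omits DEFAULT FALSE */
    der_tlv(TAG_OCTETSTRING, inner, (size_t)inner_len, &cur);  /* OCTET STRING of the DER */

    total = der_tlv(TAG_SEQUENCE, body, (size_t)body_len, pp);
    free(inner); free(body);
    return total;
}

int main(void)
{
    uint8_t *der = NULL;   /* NULL on entry: der_extension allocates, we free */
    int n = der_extension("1.3.6.1.4.1.19718.1000.1.2.2", 0, TAG_PRINTABLE,
                          (const uint8_t *)"5", 1, &der);
    if (n < 0) return 1;
    for (int i = 0; i < n; i++) printf("%02X%c", der[i], i + 1 < n ? ' ' : '\n');
    free(der);
    return 0;
}
```

Running it prints the 22 bytes 30 14 06 0D 2B 06 01 04 01 81 9A 06 87 68 01 02 02 04 03 13 01 35: the SEQUENCE, the 13-byte OID, no critical field (DEFAULT FALSE is omitted in DER), and then 04 03 wrapping the 3-byte PrintableString TLV. Compare that with the post's code, which wrote into a string literal and then passed the advanced pointer to ASN1_OCTET_STRING_set; the "space between the OID and the value" the poster saw is whatever bytes happened to follow that pointer.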