On 18 Jan 2014, at 4:09 AM, Graham Leggett <minf...@sharp.fm> wrote:

> I am trying to load the name and value of an X509 extension programmatically
> via the API (in other words, the openssl.cnf file isn't being used), and I am
> struggling with openssl telling me that the tag doesn't exist.
>
> The extension I want to load has the name "keyUsage" and value
> "nonRepudiation,digitalSignature,keyEncipherment", and the error I get looks
> like this:
>
> 139684350600856:error:0D0B10C2:asn1 encoding routines:ASN1_CB:unknown
> tag:asn1_gen.c:303:tag=nonRepudiation,digitalSignature,keyEncipherment
Some more digging and I still can't find how openssl parses extensions.

Reverse engineering the code, it appears that ASN1_generate_v3() expects to be
passed a parameter string that is a name value pair separated with a colon,
which the string "nonRepudiation" isn't.

I tried passing the string "OID:1.3.6.1.5.5.7.3.2" for the extendedKeyUsage
extension, and ASN1_generate_v3() goes through the motions, but the client side
complains that the extendedKeyUsage value in the generated certificate is
invalid.

Can anyone explain what the correct sequence of API calls should be to convert
"nonRepudiation" and "clientAuth" into something that openssl can add as an
extension to a certificate?

Regards,
Graham

--
______________________________________________________________________
OpenSSL Project                                     http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org