Thanks a lot Dave. That helped. Bye Dirk
On 23.11.2017 18:04, Dave Coombs wrote: > Hi Dirk, > > First point: you are populating distpoint->name.relativename (which is a > union member) but setting the discriminator distpoint->type to 0, which > indicates to use fullname rather than relativename. So your structure will > not be interpreted correctly. > > In any case, I think you want to populate fullname, instead of relativename. > You're using a url, not a relative DN. > > Make a GENERAL_NAMES, and add to it a GENERAL_NAME whose type is GEN_URI, and > whose value (as an IA5String) is the url you want, and then point > distpoint->name.fullname at the GENERAL_NAMES. > > And, as before, you can do this multiple times and add additional DIST_POINTs. > > Good luck, > -Dave > > >> On Nov 23, 2017, at 03:54, Dirk Menstermann <noadsple...@web.de> wrote: >> Thanks Dave, >> >> It seems that I do something wrong when filling the STACK_OF(DIST_POINT): >> >> X509_NAME_ENTRY *nameEntry = X509_NAME_ENTRY_new(); >> X509_NAME_ENTRY_set_data (nameEntry, V_ASN1_IA5STRING /*MBSTRING_ASC*/, >> (const >> unsigned char*) "http://example.com/";, 19); >> >> STACK_OF (X509_NAME_ENTRY) *nameStack = sk_X509_NAME_ENTRY_new_null(); >> sk_X509_NAME_ENTRY_push (nameStack, nameEntry); >> >> DIST_POINT *distPoint = DIST_POINT_new(); >> distPoint->distpoint = DIST_POINT_NAME_new(); >> distPoint->distpoint->name.relativename = nameStack; >> distPoint->distpoint->type = 0; >> >> STACK_OF(DIST_POINT) *distPoints = sk_DIST_POINT_new_null(); >> sk_DIST_POINT_push (distPoints, distPoint); >> X509_EXTENSION *ext = X509V3_EXT_i2d (NID_crl_distribution_points, 0, >> distPoints); >> X509_add_ext (cert, ext, -1); >> X509_EXTENSION_free (ext); >> >> The extension will be added, but is empty. >> >> Do you see where it breaks? >> Dirk >> >> On 22.11.2017 15:04, Dave Coombs wrote: >>> You can use X509V3_EXT_i2d(NID_crl_distribution_points, critical, sk) where >>> sk is a STACK_OF(DIST_POINT) that you have previously filled with multiple >>> URIs. >> >> -- >> openssl-users mailing list >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
