Ok, here is the code that I use to add extensions to a "to-be-signed"
certificate:

bool PKI_CERT::Add_CertExtensions(const HashTable_String *Ext, X509V3_CTX *ctx,
                                  X509 *cert) const
{
    X509_EXTENSION *ext;
    long i;
    const char *name;
    const char *value;

    /* Each entry of Ext is one extension: name is the OpenSSL short name,
       value is the single-line extension string (X509V3_EXT_conf syntax). */
    for (i = 0; i < Ext->EntriesCount(); i++)
    {
        name = Ext->GetName(i);
        value = Ext->Get(i);
        if (!name || !value) continue;

        /* No LHASH/CONF is passed, so "@section" values cannot be resolved
           here; the value goes through X509V3_parse_list, which splits on
           commas. */
        if (!(ext = X509V3_EXT_conf(NULL, ctx, (char*)name, (char*)value)))
        {
            return false;
        }

        /* X509_add_ext copies the extension (loc -1 appends), so the local
           object must be freed on both paths. */
        if (!X509_add_ext(cert, ext, -1))
        {
            X509_EXTENSION_free(ext);
            return false;
        }
        X509_EXTENSION_free(ext);
    }

    return true;
}

Typically, name and value would look something like this:
name="crlDistributionPoint"
value="URI:ldap://host/uid=ca,ou=CAs,dc=host,dc=org?certificateRevocationList"

As you can see I use X509V3_EXT_conf, and I pass NULL for the LHASH
parameter.
I use X509V3_EXT_conf because I am not really desiring to reimplement the
10 functions that are below X509V3_EXT_conf just to change one line in
X509V3_parse_list. That would just not be a great idea; I don't want to have
to maintain code that belongs to OpenSSL.

Frédéric Giudicelli
http://www.newpki.org
----- Original Message ----- 
From: "Richard Levitte - VMS Whacker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, October 13, 2003 10:54 PM
Subject: Re: Proposed modification for Extension Parser


> In message <[EMAIL PROTECTED]> on Mon, 13 Oct 2003 21:04:40 +0200, Frédéric Giudicelli <[EMAIL PROTECTED]> said:
>
> groups> Yes I knew that, but there is a problem for applications that
> groups> use libcrypto, NewPKI for example :)
> groups> I do not use the CONF struct (not can I), and therefore the @
> groups> syntax becomes unusable.
> groups> Now, I just don't know what to do.
>
> What you're saying is very confusing.  You mentioned
> X509V3_parse_list(), which is very typically used when analysing the
> contents of a configuration file for X.509v3 extensions.
>
> What exactly is X509V3_parse_list() used for in the context where it
> fails?  And if you are in power to code the parsing, would you
> consider writing your own parsing code to do the stuff you want done?
>
> groups> ----- Original Message ----- 
> groups> From: "Dr. Stephen Henson" <[EMAIL PROTECTED]>
> groups> To: <[EMAIL PROTECTED]>
> groups> Sent: Monday, October 13, 2003 7:20 PM
> groups> Subject: Re: Proposed modification for Extension Parser
> groups>
> groups>
> groups> > On Mon, Oct 13, 2003, Frédéric Giudicelli wrote:
> groups> >
> groups> > > Hello,
> groups> > >
> groups> > > The following problem is well known, it's about commas in url for
> groups> > > extensions' value.
> groups> > >
> groups> > > Here is what a normal LDAP syntax should be:
> groups> > >
> groups> > > ldap://host/uid=ca,ou=CAs,dc=host,dc=org?certificateRevocationList
> groups> > >
> groups> > > But since the openssl conf parser interprets the commas as a value
> groups> > > separator, the ldap syntax becomes:
> groups> > >
> groups> > > ldap://host/uid=ca/ou=CAs/dc=host/dc=org?certificateRevocationList
> groups> > >
> groups> > > However many clients do not understand this syntax (IE for example,
> groups> > > sorry :) ).
> groups> > >
> groups> > > After checking the code the problem comes from this function
> groups> > > "X509V3_parse_list" in "crypto/x509v3/v3_utl.c".
> groups> > > I propose to enable commas in extensions syntax by doubling them, so
> groups> > > that the syntax becomes something like this:
> groups> > >
> groups> > > ldap://host/uid=ca,,ou=CAs,,dc=host,,dc=org?certificateRevocationList
> groups> > >
> groups> > > This doesn't change the current interpretation since the second comma
> groups> > > would generate an empty value.
> groups> > >
> groups> > > This patch has been generated from openssl 0.9.7b.
> groups> > >
> groups> >
> groups> > This is unnecessary. Commas are only interpreted as value separators in
> groups> > the single line extension format. If you use the multiline format as
> groups> > documented in openssl.cnf commas have no special meaning and can readily
> groups> > be included.
> groups> >
> groups> > For example:
> groups> >
> groups> > [EMAIL PROTECTED]
> groups> >
> groups> > [altsect]
> groups> >
> groups> > URI=ldap://foo=x,bar=y
> groups> >
> groups> > should be OK. Check the docs for the exact syntax.
> groups> >
> groups> > Steve.
> groups> > --
> groups> > Dr Stephen N. Henson.
> groups> > Core developer of the   OpenSSL project: http://www.openssl.org/
> groups> > Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
> groups> > Email addresses, PGP and S/MIME: see homepage.
>
> -- 
> Richard Levitte   \ Tunnlandsvägen 3  \ [EMAIL PROTECTED]
> [EMAIL PROTECTED]  \ S-168 36  BROMMA  \ T: +46-8-26 52 47
>                     \      SWEDEN       \ or +46-708-26 53 44
> Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
> Member of the OpenSSL development team: http://www.openssl.org/
>
> Unsolicited commercial email is subject to an archival fee of $400.
> See <http://www.stacken.kth.se/~levitte/mail/> for more info.
>
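The two extension forms discussed in this thread side by side, as an added example that is not part of the thread and not code from OpenSSL or NewPKI: a POSIX shell script that drives the openssl command line tool to issue a throwaway self-signed certificate once with the section ("@crl_sect") form Dr. Henson describes and once with the single-line "URI:..." form, then reads the CRL distribution point back out of each certificate. It assumes `openssl` is on PATH; the host name, CN and section name crl_sect are constructed values.

```shell
#!/bin/sh
# Added example (not from the thread, OpenSSL or NewPKI): shows that the
# section form of crlDistributionPoints keeps the commas of an LDAP URI,
# while the single-line form is split on them by X509V3_parse_list.
set -e

# Constructed LDAP URI with the commas that cause the trouble.
LDAP_URI='ldap://host/uid=ca,ou=CAs,dc=host,dc=org?certificateRevocationList'

# Write a minimal request config.  $1 = output file,
# $2 = the crlDistributionPoints line to put in the [ext] section.
write_config() {
    cat > "$1" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = example-commas
[ext]
$2
[crl_sect]
URI = $LDAP_URI
EOF
}

# Issue a self-signed certificate with the given extension line and print
# the first CRL distribution point URI found in it.  Prints nothing when
# OpenSSL rejects the extension (and therefore does not write the cert).
crldp_uri_for() {
    dir=$(mktemp -d)
    write_config "$dir/req.cnf" "$1"
    if openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
          -out "$dir/cert.pem" -days 1 -config "$dir/req.cnf" >/dev/null 2>&1; then
        openssl x509 -in "$dir/cert.pem" -noout -text \
            | sed -n 's/.*URI:\([^ ]*\).*/\1/p' | head -n 1
    fi
    rm -rf "$dir"
}

# Section form: the CONF parser treats commas as ordinary characters.
section_result=$(crldp_uri_for 'crlDistributionPoints = @crl_sect')

# Single-line form: the value is cut at every comma, so "ou=CAs" and friends
# reach the extension handler as separate entries and the extension fails.
single_result=$(crldp_uri_for "crlDistributionPoints = URI:$LDAP_URI")

echo "section form  : ${section_result:-<rejected>}"
echo "single-line   : ${single_result:-<rejected>}"
```

The command line tool builds its extensions through the CONF-based X509V3_EXT_nconf() path, which is why the "@section" reference resolves there. An application that, like the code at the top of this message, cannot read a configuration file can still take that route: load the same section text from memory with NCONF_new(NULL) and NCONF_load_bio() on a memory BIO, attach it to the context with X509V3_set_nconf(), and call X509V3_EXT_nconf(conf, ctx, "crlDistributionPoints", "@crl_sect") in place of X509V3_EXT_conf(NULL, ...).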

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
