> From: owner-openssl-users On Behalf Of Danyk
> Sent: Monday, November 25, 2013 07:26
> I'm trying to add a custom Extension to a CSR using openssl APIs:

I assume you know 'req' can be configured to create custom extensions (if a bit clumsily) but you have reasons for coding it yourself instead.

> struct stack_st_X509_EXTENSION *exts = NULL;
> X509_EXTENSION *ex;
> exts = sk_X509_EXTENSION_new_null();
> ASN1_OCTET_STRING *os = ASN1_OCTET_STRING_new();
> nid = OBJ_create("1.3.6.1.4.1.12345", "End Entry Type", "My End Entry Type");
> ASN1_OCTET_STRING_set(os,(unsigned char*)"critical,5",strlen("critical,5"));

Bad value, see below.

> ex = X509_EXTENSION_create_by_NID( NULL, nid, 0, os );
> sk_X509_EXTENSION_push(exts, ex);
> X509_REQ_add_extensions(x, exts);
>
> When I parse the CSR I see that the extension displayed is actually the OID, and not the extension name:
>
> X509v3 extensions:
> 1.3.6.1.4.1.12345:
> critical,5
>
> Am I adding the extension in the correct way?
> Should I change some setting in the openssl.cnf?
> How can I insert the extension name "End Entry Type" instead of the OID "1.3.6.1.4.1.12345"?

You can't put the name in the actual CSR (or cert or CRL) extension. The extension uses the OID, that's how extensions work. You need the program that parses and displays to map OID to name the same way your creator program did.

If you are using commandline 'req', that, like all commandlines now (but not before 1.0.0 IIRC), uses the 'modules' part of the config file, which includes oid_section. Thus putting your OID(s) in the section named by oid_section (which in the distro version is [new_oids]) should work. For any other program, it may depend on the program.

Having put your OID(s) in a config file, you could then use that config file in your program and not need to explicitly OBJ_create.

You don't want the string "critical,5" as the value. When you use a "value" like critical,whatever in a config file, openssl actually sets the critical flag and parses whatever for the value.
It is the flag cert users should use, if your CSR extension ends up in a cert. Also, the value in an extension is an OCTET STRING containing the DER of the value, not the value itself. The openssl config routines do this for you, but if you're coding it yourself you need to do it yourself.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org