> From: owner-openssl-users On Behalf Of Danyk
> Sent: Thursday, November 28, 2013 09:28
> I'd rather not use the openssl config file, and stick with APIs.
>
> >is it really an octet string containing one ASCII character "5"?
> no, it was just a simple example, the real values are PRINTABLESTRING and
> INTEGER.
>
> Is that what you meant:
>
> ASN1_OCTET_STRING *os = ASN1_OCTET_STRING_new();
> ASN1_OCTET_STRING_set( os, "ABC test", 8 );
> unsigned char *d = NULL;
> int dlen = i2d_ASN1_OCTET_STRING( os, &d );
> ASN1_OCTET_STRING *os2 = ASN1_OCTET_STRING_new();
> ASN1_OCTET_STRING_set( os2, d, dlen );
>

Almost. If the actual value is not OCTET STRING, change the type
created in the first two (or whatever) lines, and i2d'ed in the
fourth line. And OPENSSL_free the pointer allocated here (d)
after you're done with that memory.

> Cause I still get rubbish...

If you mean the display by 'req -text', or 'x509 -text' for a cert,
those don't know how to format extensions not implemented by
the openssl library, and by default use a simple dump format.
Try using req -reqopt which is not documented but functions
the same as x509 -certopt which is. Or you can see the offset and
DER (up to some limit IIRC) in hex for all extensions with asn1parse,
and then decode a particular value with asn1parse -strparse
(except IMPLICIT tags I guess).

> Is there an example of how to set such custom extension to CSR?
>

You have the basic logic above (followed by EXT_create_by_NID/OBJ
or equivalent, adding to a stack of X509_EXTENSION, and putting in
the X509_REQ as you already had). Most of the complexity normally
is in handling the value(s) in the value type, especially since
more recent standard extensions tend to be structures with
many fields, of different types, often OPTIONAL or CHOICE,
sometimes nested.