Re: ASN1_generate_v3: reading X509 extension via the API
On 18 Jan 2014, at 2:25 PM, "Dr. Stephen Henson" wrote:

> Have a look at demos/x509/mkcert.c

I eventually found it was as simple as this:

    *extension = X509V3_EXT_conf(NULL, NULL, (char *)name, (char *)val);

What threw me was whether it was ok to pass NULL or not (it is).

Regards,
Graham

--
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
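The point the thread converges on is that a value like "nonRepudiation,digitalSignature,keyEncipherment" is not ASN.1 "type:value" syntax for ASN1_generate_v3(); it is the keyUsage extension's own name vocabulary, which X509V3_EXT_conf(NULL, NULL, "keyUsage", value) hands to the keyUsage-specific encoder. The following is an added example, not code from the thread or from OpenSSL, that reproduces what that encoder emits: it parses the same name list and builds the DER of the complete X.509 Extension (SEQUENCE of the 2.5.29.15 OID, the optional critical BOOLEAN, and an OCTET STRING wrapping the KeyUsage BIT STRING) without linking libcrypto. Bit positions are the RFC 5280 ones; the accepted names are OpenSSL's openssl.cnf vocabulary, with contentCommitment as the RFC alias for nonRepudiation. An unknown name such as "clientAuth" (an extendedKeyUsage name, not a keyUsage one) is rejected rather than silently encoded, which is the failure mode the original poster ran into with ASN1_generate_v3() and the "OID:..." attempt.

```c
/* Added example (not from the thread or from OpenSSL): DER for a keyUsage
 * extension from "name,name,..." as X509V3_EXT_conf() would encode it.
 * Assumptions: RFC 5280 bit numbers, OpenSSL's keyUsage name vocabulary. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* keyUsage names accepted in openssl.cnf, with the RFC 5280 bit each sets. */
static const struct { const char *name; int bit; } ku_names[] = {
    { "digitalSignature", 0 }, { "nonRepudiation", 1 }, { "contentCommitment", 1 },
    { "keyEncipherment", 2 },  { "dataEncipherment", 3 }, { "keyAgreement", 4 },
    { "keyCertSign", 5 },      { "cRLSign", 6 },         { "encipherOnly", 7 },
    { "decipherOnly", 8 },
};

/* Parse a comma-separated list into a 9-bit mask (mask bit n = KeyUsage bit n).
 * Returns -1 on any unknown name: this vocabulary belongs to the keyUsage
 * extension and is not ASN.1 "type:value" syntax, hence the "unknown tag"
 * error when it is fed to ASN1_generate_v3(). */
int keyusage_bits(const char *list)
{
    int mask = 0;
    const char *p = list;
    while (*p) {
        while (*p == ',' || isspace((unsigned char)*p)) p++;
        if (!*p) break;
        const char *start = p;
        while (*p && *p != ',') p++;
        const char *end = p;
        while (end > start && isspace((unsigned char)end[-1])) end--;
        size_t n = (size_t)(end - start);
        int bit = -1;
        for (size_t i = 0; i < sizeof ku_names / sizeof ku_names[0]; i++)
            if (strlen(ku_names[i].name) == n && memcmp(ku_names[i].name, start, n) == 0)
                bit = ku_names[i].bit;
        if (bit < 0) return -1;
        mask |= 1 << bit;
    }
    return mask;
}

/* DER BIT STRING: tag 0x03, length, unused-bit count, payload. KeyUsage bit 0
 * is the MSB of the first payload octet; DER demands the shortest payload with
 * the trailing zero bits declared unused. Returns the number of bytes written. */
static size_t der_keyusage_bitstring(int mask, unsigned char *out)
{
    unsigned char payload[2] = { 0, 0 };
    int highest = -1;
    for (int b = 0; b < 9; b++)
        if (mask & (1 << b)) { payload[b / 8] |= (unsigned char)(0x80 >> (b % 8)); highest = b; }
    size_t nbytes = highest < 0 ? 0 : (size_t)(highest / 8) + 1;
    out[0] = 0x03;
    out[1] = (unsigned char)(1 + nbytes);
    out[2] = highest < 0 ? 0 : (unsigned char)(7 - highest % 8);
    memcpy(out + 3, payload, nbytes);
    return 3 + nbytes;
}

/* Whole Extension: SEQUENCE { OID 2.5.29.15, [BOOLEAN TRUE], OCTET STRING { BIT
 * STRING } }. Every length is below 128, so one-byte DER lengths are correct.
 * Returns the encoded size, or -1 on an unknown name or a too-small buffer. */
int keyusage_ext_der(const char *list, int critical, unsigned char *out, size_t cap)
{
    static const unsigned char oid_keyusage[] = { 0x06, 0x03, 0x55, 0x1D, 0x0F };
    unsigned char bs[8];
    int mask = keyusage_bits(list);
    if (mask < 0) return -1;
    size_t bslen = der_keyusage_bitstring(mask, bs);
    size_t inner = sizeof oid_keyusage + (critical ? 3 : 0) + 2 + bslen;
    if (cap < inner + 2) return -1;
    size_t i = 0;
    out[i++] = 0x30;
    out[i++] = (unsigned char)inner;
    memcpy(out + i, oid_keyusage, sizeof oid_keyusage);
    i += sizeof oid_keyusage;
    if (critical) { out[i++] = 0x01; out[i++] = 0x01; out[i++] = 0xFF; } /* keyUsage is usually critical */
    out[i++] = 0x04;
    out[i++] = (unsigned char)bslen;
    memcpy(out + i, bs, bslen);
    return (int)(i + bslen);
}

/* Hex form of keyusage_ext_der(), NULL on error; compare it with what
 * `openssl asn1parse -i` shows for the extension in a real certificate. */
const char *keyusage_ext_hex(const char *list, int critical)
{
    static char hex[80];
    unsigned char der[32];
    int n = keyusage_ext_der(list, critical, der, sizeof der);
    if (n < 0) return NULL;
    for (int i = 0; i < n; i++) sprintf(hex + 2 * i, "%02x", der[i]);
    return hex;
}

int main(void)
{
    const char *val = "nonRepudiation,digitalSignature,keyEncipherment";
    printf("keyUsage = %s\n  -> %s\n", val, keyusage_ext_hex(val, 1));
    printf("keyUsage = clientAuth -> %s\n",
           keyusage_ext_hex("clientAuth", 1) ? "encoded" : "rejected (not a keyUsage name)");
    return 0;
}
```

The thread's value encodes to the BIT STRING 03 02 05 e0 (bits 0, 1 and 2 set, five unused bits), which is the familiar sequence seen in `openssl asn1parse` output for end-entity certificates; a CA's "keyCertSign,cRLSign" gives 03 02 01 06. The lookup is a linear scan over ten names, which is fine here; what matters for correctness is the unused-bit count and the shortest payload, since a certificate with a non-minimal BIT STRING is not valid DER and some verifiers will reject it.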
Re: ASN1_generate_v3: reading X509 extension via the API
On Sat, Jan 18, 2014, Graham Leggett wrote:

> Some more digging and I still can't find how openssl parses extensions.
>
> Reverse engineering the code, it appears that ASN1_generate_v3() expects to
> be passed a parameter string that is a name value pair separated with a
> colon, which the string "nonRepudiation" isn't.
>
> I tried passing the string "OID:1.3.6.1.5.5.7.3.2" for the extendedKeyUsage
> extension, and ASN1_generate_v3() goes through the motions, but the client
> side complains that the extendedKeyUsage value in the generated certificate
> is invalid.
>
> Can anyone explain what the correct sequence of API calls should be to
> convert "nonRepudiation" and "clientAuth" into something that openssl can
> add as an extension to a certificate?

Have a look at demos/x509/mkcert.c

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: ASN1_generate_v3: reading X509 extension via the API
On 18 Jan 2014, at 4:09 AM, Graham Leggett wrote:

> I am trying to load the name and value of an X509 extension programmatically
> via the API (in other words, the openssl.cnf file isn't being used), and I am
> struggling with openssl telling me that the tag doesn't exist.
>
> The extension I want to load has the name "keyUsage" and value
> "nonRepudiation,digitalSignature,keyEncipherment", and the error I get looks
> like this:
>
> 139684350600856:error:0D0B10C2:asn1 encoding routines:ASN1_CB:unknown
> tag:asn1_gen.c:303:tag=nonRepudiation,digitalSignature,keyEncipherment

Some more digging and I still can't find how openssl parses extensions.

Reverse engineering the code, it appears that ASN1_generate_v3() expects to be passed a parameter string that is a name value pair separated with a colon, which the string "nonRepudiation" isn't.

I tried passing the string "OID:1.3.6.1.5.5.7.3.2" for the extendedKeyUsage extension, and ASN1_generate_v3() goes through the motions, but the client side complains that the extendedKeyUsage value in the generated certificate is invalid.

Can anyone explain what the correct sequence of API calls should be to convert "nonRepudiation" and "clientAuth" into something that openssl can add as an extension to a certificate?

Regards,
Graham
ASN1_generate_v3: reading X509 extension via the API
Hi all,

I am trying to load the name and value of an X509 extension programmatically via the API (in other words, the openssl.cnf file isn't being used), and I am struggling with openssl telling me that the tag doesn't exist.

The extension I want to load has the name "keyUsage" and value "nonRepudiation,digitalSignature,keyEncipherment", and the error I get looks like this:

139684350600856:error:0D0B10C2:asn1 encoding routines:ASN1_CB:unknown tag:asn1_gen.c:303:tag=nonRepudiation,digitalSignature,keyEncipherment

The code that is trying to load in the extension looks like this:

    /* find the name of the extension */
    if (!(obj = OBJ_txt2obj(name, 0))) {
        // error handler, this works fine when name has value "keyUsage"
    }

    type = ASN1_generate_v3((char *)val, NULL);
    if (type == NULL) {
        // we bomb out here with val as "nonRepudiation,digitalSignature,keyEncipherment"
    }

When I initialise openssl, I run the following two functions:

    OpenSSL_add_all_algorithms();
    ERR_load_crypto_strings();

Can anyone shed some light on what I might be doing wrong? The code above was obtained by reverse engineering openssl itself; what is throwing me is that I can't see how openssl understands the words "nonRepudiation,digitalSignature,keyEncipherment" when my code doesn't.

Regards,
Graham