Thanks for the explanation Steve.....
I think I see how this function works now.
One of the things in OpenSSL I often find myself struggling with is "to free
or not to free" :-)
So any changes in OpenSSL that simplify this task are appreciated.
Kim Hellan
> -----Original message-----
> From: Dr Stephen Henson [SMTP:[EMAIL PROTECTED]]
> Sent: 17 November 1999 14:19
> To: [EMAIL PROTECTED]
> Subject: Re: SV: X509_NAME_ENTRY problems
>
> [EMAIL PROTECTED] wrote:
> >
> > I see your point and I agree it is a stupid suggestion :-)
> > But still, why does the code below then fail:
> > ...
> > ....
> > X509_NAME_ENTRY *pX509NameEntry = NULL;
> > X509_REQ *pRequest = X509_REQ_new();
> > X509_NAME *pX509Name = X509_NAME_new();
> >
> > // Setup Country
> > X509_NAME_ENTRY_create_by_NID(&pX509NameEntry, NID_countryName,
> > V_ASN1_PRINTABLESTRING, (unsigned char *) "DK", 2);
> > X509_NAME_add_entry(pX509Name, pX509NameEntry, 1, 1);
> > X509_NAME_ENTRY_free(pX509NameEntry);
> >
> > // Setup Organisation
> > X509_NAME_ENTRY_create_by_NID(&pX509NameEntry, NID_organizationName,
> > V_ASN1_PRINTABLESTRING, (unsigned char *) "ACME", 4);
> >
> > The call above causes an access violation. Why ???
> > If I set pX509NameEntry=NULL before I make the call I have no
> > problems.
> >
> >
>
> This is because the first argument to X509_NAME_ENTRY_create_by_NID is
> to allow an already existing X509_NAME_ENTRY structure to be reused.
> Once you free it up, the data it points to is invalid and so it crashes
> when it's trying to reuse it.
>
> There are several ways to do things...
>
> 1. Use the argument properly...
>
> X509_NAME_ENTRY *pX509NameEntry = NULL;
> X509_REQ *pRequest = X509_REQ_new();
> X509_NAME *pX509Name = X509_NAME_new();
>
> // Setup Country
> X509_NAME_ENTRY_create_by_NID(&pX509NameEntry, NID_countryName,
> V_ASN1_PRINTABLESTRING, (unsigned char *) "DK", 2);
> X509_NAME_add_entry(pX509Name, pX509NameEntry, 1, 1);
>
> // Setup Organisation
> X509_NAME_ENTRY_create_by_NID(&pX509NameEntry, NID_organizationName,
> V_ASN1_PRINTABLESTRING, (unsigned char *) "ACME", 4);
>
> Note this version doesn't free up pX509NameEntry so it can be reused.
> When you have done all the X509_NAME_ENTRY_create_by_NID calls with it
> then you should free it up.
>
> 2. Alternatively:
>
> X509_NAME_ENTRY *pX509NameEntry = NULL;
> X509_REQ *pRequest = X509_REQ_new();
> X509_NAME *pX509Name = X509_NAME_new();
>
> // Setup Country
> pX509NameEntry = X509_NAME_ENTRY_create_by_NID(NULL, NID_countryName,
> V_ASN1_PRINTABLESTRING, (unsigned char *) "DK", 2);
> X509_NAME_add_entry(pX509Name, pX509NameEntry, 1, 1);
> X509_NAME_ENTRY_free(pX509NameEntry);
>
> // Setup Organisation
> pX509NameEntry = X509_NAME_ENTRY_create_by_NID(NULL, NID_organizationName,
> V_ASN1_PRINTABLESTRING, (unsigned char *) "ACME", 4);
>
> This version just has a new X509_NAME_ENTRY created each time and
> doesn't try to reuse it.
>
> Couple of other notes. You can set the final argument of
> X509_NAME_ENTRY_create_by_NID to -1 and the function will work out the
> length of the passed string for you.
>
> You might want to change the values of the last two arguments passed to
> X509_NAME_add_entry if you just want a normal DN (not the multivalued
> sort): -1, 0 should just add it to the end, which is what you normally
> want.
>
> This will also be easier in OpenSSL 0.9.5. I've combined several of the
> functions; all you'll need to do is:
>
> X509_NAME_add_entry_by_NID(pX509Name, NID_countryName, MBSTRING_ASC,
> (unsigned char *) "DK", -1, -1, 0);
>
> and it will allocate and free structures and work out things like the
> correct string type. Or if looking up NIDs is too painful:
>
> X509_NAME_add_entry_by_txt(pX509Name, "CN", MBSTRING_ASC,
> (unsigned char *) "DK", -1, -1, 0);
>
> Steve.
> --
> Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.
>
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
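
As an added illustration (not code from the thread or from OpenSSL), this C model reproduces the reuse-or-allocate contract Steve describes, with a release helper that resets the pointer so the create/add/free sequence from Kim's question stays safe. All type and function names are hypothetical and nothing here calls OpenSSL; it assumes, as option 2 in the thread implies, that adding an entry to a name stores a copy.

```c
/* Model only: all names are hypothetical; nothing here calls OpenSSL. */
#include <stdio.h>
#include <stdlib.h>

typedef struct { char field[8]; char value[32]; } entry;
typedef struct { entry items[8]; int count; } name;

/* Reuse *pe when it is non-NULL, otherwise allocate a new entry. */
static entry *entry_create(entry **pe, const char *field, const char *value) {
    entry *e = (pe != NULL && *pe != NULL) ? *pe : calloc(1, sizeof(entry));
    if (e == NULL) return NULL;
    snprintf(e->field, sizeof e->field, "%s", field);
    snprintf(e->value, sizeof e->value, "%s", value);
    if (pe != NULL) *pe = e;
    return e;
}

/* The name stores its own copy, so the caller still owns the entry. */
static int name_add(name *n, const entry *e) {
    if (e == NULL || n->count == 8) return 0;
    n->items[n->count++] = *e;
    return 1;
}

/* Free and reset together so a later create cannot reuse freed memory. */
static void entry_release(entry **pe) {
    free(*pe);
    *pe = NULL;
}

/* Builds C=DK, O=ACME, releasing after every add; returns 1 on success. */
static int build_dn(name *n) {
    const char *pairs[2][2] = { {"C", "DK"}, {"O", "ACME"} };
    entry *e = NULL;
    n->count = 0;
    for (int i = 0; i < 2; i++) {
        int ok = entry_create(&e, pairs[i][0], pairs[i][1]) && name_add(n, e);
        entry_release(&e); /* a bare free(e) would leave e dangling here */
        if (!ok) return 0;
    }
    return 1;
}

int main(void) {
    name n;
    if (!build_dn(&n)) return 1;
    for (int i = 0; i < n.count; i++)
        printf("%s=%s\n", n.items[i].field, n.items[i].value);
    return 0;
}
```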