On Sun, 23 Dec 2001, Michael Pogrebisky wrote:

> Hi all,
>
> Recently I needed to perform the following task: given a certificate request
> (PKCS10 structure), make another one, with just a different public key.
> So, I've written the following piece of code to do this:
>
> // Declarations
> EVP_PKEY *pkey;
> FILE* infile, *outfile;
>
> // Opening the input and output files
> ...
> // Creating the public key
> ...
>
> // Read the PKCS10
> X509_REQ* req = PEM_read_X509_REQ(infile, NULL, NULL, NULL);
>
> // Set certificate request public key
> if(!X509_REQ_set_pubkey(req, pkey))
>     return -1;
>
> // Sign upon the request
> if(!X509_REQ_sign(req, pkey, EVP_sha1()))
>     return -1;
>
> // Write the new certificate into the output file
> if(!PEM_write_X509_REQ(outfile, req))
>     return -1;
>
> Everything worked as expected (no errors were reported). However, looking at
> the output file after the execution, I discovered the request I got was the
> same as the input one!
> It took me several hours (and drove me crazy!) to find the catch. I needed to
> clear the cached values in the req_info structure, as follows:
>
> req->req_info->asn1 = NULL;
> req->req_info->length = 0;
>
> Well, now it works. But I think the behavior described above is buggy.

This feature is useful for signature verification. Namely, to avoid a chance
of not-the-same data decoded and encoded again. Saving "raw DER" encoding is
the way to deal with features introduced by other software.

> Can someone, please, fix it in the future releases of OpenSSL?

It's here in 0.9.7-dev as well. One could trace ASN1_AFLG_ENCODING flag usage.

happy hacking,
Vadim

> Thanks,
>
> Michael Pogrebisky,
> Software developer at Mercury Interactive Inc., Israel.
> -------------------------------------------------------
> Work phone: +972-(0)3-5399258
> Home phone: +972-(0)3-9610824
> Mobile phone: +972-(0)54-497123
> Work fax: +972-(0)3-5331617
> E-mail: [EMAIL PROTECTED]
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
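
The trade-off discussed in this thread, as an added example that is not part of either post and is not OpenSSL code: a toy C model of an encoder that returns the bytes it received unless a "modified" flag is set. The `toy_*` names, the one-byte structure and the sample bytes are assumptions made for illustration; the model shows why keeping the raw encoding preserves a non-minimal input for signature verification, and why changing a field without invalidating the cache reproduces the original output.

```c
#include <stdio.h>
#include <string.h>

/* Toy model, not OpenSSL code: decoded field, raw bytes it came from, stale flag. */
typedef struct {
    unsigned char key;     /* decoded value, stands in for the public key */
    unsigned char raw[8];  /* encoding exactly as received */
    size_t raw_len;
    int modified;          /* 1 = cache stale, re-encode from the fields */
} toy_info;

/* Accept a one-byte OCTET STRING with short-form or non-minimal 0x81 length. */
int toy_decode(toy_info *t, const unsigned char *in, size_t len) {
    size_t hdr;
    if (len >= 3 && in[0] == 0x04 && in[1] == 0x01) hdr = 2;
    else if (len >= 4 && in[0] == 0x04 && in[1] == 0x81 && in[2] == 0x01) hdr = 3;
    else return 0;
    if (len != hdr + 1 || len > sizeof t->raw) return 0;
    t->key = in[hdr];
    memcpy(t->raw, in, len);
    t->raw_len = len; t->modified = 0;
    return 1;
}

/* Reuse the cached bytes unless flagged stale; otherwise emit canonical DER. */
size_t toy_encode(const toy_info *t, unsigned char *out) {
    if (!t->modified) { memcpy(out, t->raw, t->raw_len); return t->raw_len; }
    out[0] = 0x04; out[1] = 0x01; out[2] = t->key;
    return 3;
}

static const unsigned char SAMPLE[] = {0x04, 0x81, 0x01, 0xAA}; /* constructed input */

/* 1 if decode + encode gives back the received bytes (a signature over them still verifies). */
int roundtrip_preserved(void) {
    toy_info t; unsigned char out[8];
    if (!toy_decode(&t, SAMPLE, sizeof SAMPLE)) return -1;
    return toy_encode(&t, out) == sizeof SAMPLE && !memcmp(out, SAMPLE, sizeof SAMPLE);
}

/* Key byte that reaches the output after the key field is changed to 0xBB. */
int key_after_set(int invalidate) {
    toy_info t; unsigned char out[8];
    if (!toy_decode(&t, SAMPLE, sizeof SAMPLE)) return -1;
    t.key = 0xBB; t.modified = invalidate;
    return out[toy_encode(&t, out) - 1];
}
int main(void) {
    printf("preserved=%d stale=%02X invalidated=%02X\n",
           roundtrip_preserved(), key_after_set(0), key_after_set(1));
    return 0;
}
```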
