On Mon, Oct 13, 2003, Frédéric Giudicelli wrote:

> Ok, here is the code that I use to add extensions to a "to-be-signed"
> certificate:
> 
> bool PKI_CERT::Add_CertExtensions(const HashTable_String * Ext, X509V3_CTX *ctx, X509 *cert) const
> {
>  X509_EXTENSION *ext;
>  long i;
>  const char * name;
>  const char * value;
> 
>  for(i=0;i<Ext->EntriesCount();i++)
>  {
>   name=Ext->GetName(i);
>   value=Ext->Get(i);
>   if(!name || !value) continue;
> 
>   if(!(ext = X509V3_EXT_conf(NULL, ctx, (char*)name, (char*)value)))
>   {
>    return false;
>   }
> 
>   if(!X509_add_ext(cert, ext, -1))
>   {
>     X509_EXTENSION_free(ext);
>     return false;
>   }
>   X509_EXTENSION_free(ext);
>  }
> 
>  return true;
> }
> 
> Typically name and values would have a value something like this
> name="crlDistributionPoint"
> value="URI:ldap://host/uid=ca,ou=CAs,dc=host,dc=org?certificateRevocationList"
> 
> As you can see I use X509V3_EXT_conf, and I pass NULL for the LHASH
> parameter.
> I use X509V3_EXT_conf, because I am not really desiring to reimplement the
> 10 functions that are below X509V3_EXT_conf, just to change one line in
> X509V3_parse_list. That would just not be a great idea, I don't want to have
> to maintain code that belongs to OpenSSL.
> 

You have several options. You can populate the structure yourself and then add
it to the certificate using X509_add_ext_i2d(), then you can use whatever
syntax you want.

Alternatively you can use the NCONF code to write your own handler and use
X509V3_EXT_nconf() instead: new code should use the nconf variants anyway.

You'll have to do this if you want to handle more complex extensions like
CertificatePolicies or for the new functionality like the dirName forms such
as subjectAltName in 0.9.8.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email addresses, PGP and S/MIME: see homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
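Steve's first option means producing the extension value yourself instead of handing a "URI:..." string to the config parser. As an added illustration (not code from this thread or from OpenSSL), the function below emits the DER for an RFC 5280 crlDistributionPoints value holding one fullName URI like the one in the quoted message; those bytes are what ends up as the OCTET STRING of the X509_EXTENSION, whether you build it with X509_EXTENSION_create_by_NID() or let OpenSSL serialize a populated CRL_DIST_POINTS via X509_add1_ext_i2d().

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Write a DER tag and definite length (short form or two-byte long form). */
static size_t der_hdr(uint8_t *out, uint8_t tag, size_t len)
{
    size_t n = 0;
    out[n++] = tag;
    if (len < 0x80) {
        out[n++] = (uint8_t)len;
    } else if (len < 0x100) {
        out[n++] = 0x81; out[n++] = (uint8_t)len;
    } else {
        out[n++] = 0x82; out[n++] = (uint8_t)(len >> 8); out[n++] = (uint8_t)len;
    }
    return n;
}

/* Size of the header der_hdr() emits for a given content length. */
static size_t der_hdr_len(size_t len)
{
    return len < 0x80 ? 2 : (len < 0x100 ? 3 : 4);
}

/*
 * Encode an RFC 5280 CRLDistributionPoints value with a single fullName URI:
 *   SEQUENCE { SEQUENCE { [0] { [0] { [6] IA5String uri } } } }
 * ([0] distributionPoint is an explicit tag around the CHOICE, [0] fullName and
 * [6] uniformResourceIdentifier are implicit.) Returns the encoded size, or 0
 * when the URI is not 7-bit ASCII (IA5String), is too long, or out is too small.
 */
size_t encode_crl_dp_uri(const char *uri, uint8_t *out, size_t outlen)
{
    size_t l6 = strlen(uri), i, n = 0;
    for (i = 0; i < l6; i++)
        if ((unsigned char)uri[i] >= 0x80) return 0;   /* IA5String is ASCII only */
    if (l6 > 60000) return 0;             /* keeps every nested length in 2-byte form */
    size_t l_fullname = der_hdr_len(l6) + l6;               /* content of [0] fullName */
    size_t l_dpname = der_hdr_len(l_fullname) + l_fullname; /* content of [0] distributionPoint */
    size_t l_dp = der_hdr_len(l_dpname) + l_dpname;         /* content of DistributionPoint */
    size_t l_outer = der_hdr_len(l_dp) + l_dp;              /* content of SEQUENCE OF */
    if (der_hdr_len(l_outer) + l_outer > outlen) return 0;
    n += der_hdr(out + n, 0x30, l_outer);     /* CRLDistributionPoints */
    n += der_hdr(out + n, 0x30, l_dp);        /* DistributionPoint */
    n += der_hdr(out + n, 0xA0, l_dpname);    /* [0] distributionPoint, constructed */
    n += der_hdr(out + n, 0xA0, l_fullname);  /* [0] fullName, constructed */
    n += der_hdr(out + n, 0x86, l6);          /* [6] uniformResourceIdentifier */
    memcpy(out + n, uri, l6);
    return n + l6;
}
```

For the 66-byte LDAP URI from the quoted message this yields 76 bytes beginning `30 4A 30 48 A0 46 A0 44 86 42`, the same shape OpenSSL produces for `crlDistributionPoints=URI:...`.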