Hi, I am using the examples from the O'Reilly book "Network Security with OpenSSL" (X.509 section) to create a CSR, push a custom extension into it and sign that CSR with a given private key. This - in general - works OK, but when I want to use the resulting certificate chain (I have the signing certificate and a couple more in there) for anything secure (i.e. mutual authentication), I am greeted with failure. I wrote an extremely simple program to check what might be wrong with the certificate stack and this seems to be the problem:
15939:error:0D078079:asn1 encoding routines:ASN1_ITEM_EX_D2I:field missing:tasn_dec.c:391:Field=d, Type=RSA 15939:error:0907400D:PEM routines:PEM_X509_INFO_read_bio:ASN1 lib:pem_info.c:224: I figure that there is something wrong with the way I create the ASN.1 object and push it onto the extension stack for the CSR. This looks like so in my code: ASN1_OBJECT *obj; ASN1_OCTET_STRING *ex_oct = NULL; X509_EXTENSION *ex_execpol = NULL; new_nid = OBJ_create(EXECPOLICY_OID, EXECPOLICY_SN, EXECPOLICY_LN); obj = OBJ_nid2obj(new_nid); if (!(ex_oct = ASN1_OCTET_STRING_new())) { int_error("Error creating custom ASN.1 struct"); } extlist = sk_X509_EXTENSION_new_null(); ASN1_OCTET_STRING_set(ex_oct,policy,-1); if (!(ex_execpol = X509_EXTENSION_create_by_OBJ(&ex_execpol, obj, 0, ex_oct))) { //3rd parameter is critical/noncritical int_error("Error creating X509 extension for execpolicy"); } if (!(sk_X509_EXTENSION_push (extlist, ex_execpol))) { int_error("Error pushing custom extension to stack"); } if (!(X509_REQ_add_extensions (req, extlist))) { int_error ("Error adding ExecPolicy to the request"); } sk_X509_EXTENSION_pop_free (extlist, X509_EXTENSION_free); } Later, I am getting the extension stack from the CSR... if (!(req_exts = X509_REQ_get_extensions (req))) int_error ("Error getting the request's extensions"); int new_nid; ASN1_OBJECT *obj; new_nid = OBJ_create(EXECPOLICY_OID, EXECPOLICY_SN, EXECPOLICY_LN); execPolicy_pos = X509v3_get_ext_by_NID (req_exts, new_nid, -1); execPolicy = X509v3_get_ext (req_exts, execPolicy_pos); fputc ('\n', stdout); ...and add them to the certificate before signing: /* add x509v3 extensions as specified */ X509V3_set_ctx (&ctx, CAcert, cert, NULL, NULL, 0); for (i = 0; i < EXT_COUNT; i++) { X509_EXTENSION *ext; if (!(ext = X509V3_EXT_conf (NULL, &ctx, ext_ent[i].key, ext_ent[i].value))) { fprintf (stderr, "Error on \"%s = %s\"\n", ext_ent[i].key, ext_ent[i].value); int_error ("Error creating X509 extension object"); } // Mark purpose as critical if (!(X509_EXTENSION_set_critical (ext, 1))) { fprintf(stderr, "Error setting Extension to critical: %s", ext_ent[i].key); int_error("Error setting Extension to critical"); } if (!X509_add_ext (cert, ext, -1)) { fprintf (stderr, "Error on \"%s = %s\"\n", ext_ent[i].key, ext_ent[i].value); int_error ("Error adding X509 extension to certificate"); } X509_EXTENSION_free (ext); } /* add the extension in the request to the cert */ if (!X509_add_ext (cert, execPolicy, -1)) int_error ("etc"); Is there anything I am doing horribly wrong along the way? Any pointers where the missing field could be? I guess it can only be in the custom ASN.1 structure I have created for my own extension. Regards and thanks, --ck ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]