On Tue, Feb 19, 2013, Pankaj Chordiya wrote:

> Hi
> 
>    I am using the following sequence of X509 calls to generate a self-signed
> certificate from an existing original certificate in DER format.
> 
> 
>    X509  *cert;
>    X509  *orig_cert;
>    FILE  *in;
> 
>    /* d2i_X509_fp() reads from an open FILE*, not from a file name */
>    in = fopen("orignal_cert.der", "rb");
>    orig_cert = d2i_X509_fp(in, NULL);
>    rewind(in);
>    cert  = d2i_X509_fp(in, NULL);
>    fclose(in);
> 
>    /* Set Issuer name same as subject name of original certificate */
>    X509_set_issuer_name(cert, X509_get_subject_name(orig_cert));
> 
>    /* Delete extensions (X509_delete_ext() hands back the removed extension, free it) */
>    while (X509_get_ext_count(cert) > 0)
>         X509_EXTENSION_free(X509_delete_ext(cert, 0));
> 
>    /* Set public key */
> 
>    /* Get certificate signed */
> 
>    /* Write into file (FP is an already open FILE* for the output) */
>    i2d_X509_fp(FP, cert);
> 
> 
>   I find that the generated certificate is the same as the original certificate and my
> modifications are not there in the generated certificate. This sequence used to work in
> openssl-0.9.8n.
> 
>   Looks like the openssl API is caching the DER encoded name strings when d2i_X509 is
> called and using them during i2d_X509 calls.
> 
>   Does anybody know what has changed in 1.0.1c because of which a modification to the
> X509 structure is not reflected when converting it back to DER format?
> 

The encoding of the signed portion of the certificate is cached: this is a
workaround for some weird encodings that have been seen.

With your code that certificate won't be self-signed because the signature
is invalid. If you have the private key and call X509_sign(), that will cause
the certificate to be re-encoded.

If you don't have the private key and don't mind the bad signature you have to
manually indicate the cached encoding is invalid. There isn't a function to do
that so you have to modify the structure internals with:

cert->cert_info->enc.modified = 1;

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
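To make the behaviour Steve describes concrete, here is a stand-alone model of the cached-encoding mechanism, added as an illustration and not taken from OpenSSL or from either poster. The `toy_*` names and the struct layout are hypothetical; they only mimic the three fields of OpenSSL's ASN1_ENCODING (`enc`, `len`, `modified`) that sit inside the signed portion of an X509. The "DER" is a constructed `issuer=<name>` string so the example runs offline, and the point it shows is exactly the thread's symptom: a field edit that leaves the cache valid is silently dropped by the encoder, while a sign step (or manually setting the flag) makes it stick.

```c
/* Stand-alone model of the cached-encoding behaviour described in the reply.
 * Not OpenSSL code: toy_* names and the struct layout are hypothetical and only
 * mimic the three fields of OpenSSL's ASN1_ENCODING (enc, len, modified). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    unsigned char *enc; /* bytes captured when the object was decoded */
    size_t len;
    int modified;       /* nonzero forces a fresh encoding on the next i2d */
} toy_encoding;

/* Stand-in for the signed portion (X509_CINF): one field plus the cache */
typedef struct {
    char issuer[64];
    toy_encoding enc;
} toy_cinf;

/* Toy d2i: parse "issuer=<name>" and keep the raw input as the cached encoding */
static toy_cinf *toy_d2i(const unsigned char *der, size_t len) {
    toy_cinf *ci = calloc(1, sizeof *ci);
    if (!ci || len < 7 || memcmp(der, "issuer=", 7) != 0 || len - 7 >= sizeof ci->issuer) {
        free(ci);
        return NULL;
    }
    memcpy(ci->issuer, der + 7, len - 7);
    ci->enc.enc = malloc(len);
    memcpy(ci->enc.enc, der, len);
    ci->enc.len = len;
    ci->enc.modified = 0; /* cache is trusted until something says otherwise */
    return ci;
}

/* Toy i2d: the short cut that bites in the thread, cached bytes win unless modified is set */
static size_t toy_i2d(toy_cinf *ci, unsigned char *out, size_t cap) {
    if (!ci->enc.modified) {
        if (cap < ci->enc.len) return 0;
        memcpy(out, ci->enc.enc, ci->enc.len);
        return ci->enc.len;
    }
    /* Re-encode from the live fields, then refresh the cache */
    size_t n = 7 + strlen(ci->issuer);
    if (cap < n) return 0;
    memcpy(out, "issuer=", 7);
    memcpy(out + 7, ci->issuer, n - 7);
    free(ci->enc.enc);
    ci->enc.enc = malloc(n);
    memcpy(ci->enc.enc, out, n);
    ci->enc.len = n;
    ci->enc.modified = 0;
    return n;
}

/* Like X509_set_issuer_name() in the version asked about: the field changes, the cache stays valid */
static void toy_set_issuer(toy_cinf *ci, const char *name) {
    snprintf(ci->issuer, sizeof ci->issuer, "%s", name);
}

/* Like X509_sign(): re-signing marks the cached TBS encoding stale */
static void toy_sign(toy_cinf *ci) { ci->enc.modified = 1; }

static void toy_free(toy_cinf *ci) { if (ci) { free(ci->enc.enc); free(ci); } }

/* Constructed sample input standing in for the DER certificate */
static const unsigned char SAMPLE[] = "issuer=Original CA";
#define SAMPLE_LEN (sizeof SAMPLE - 1)
static const char WANTED[] = "issuer=Self Signed";

/* Returns 1 when the edited object still encodes to the original bytes (the reported symptom) */
int demo_change_is_lost(void) {
    unsigned char out[128];
    toy_cinf *ci = toy_d2i(SAMPLE, SAMPLE_LEN);
    toy_set_issuer(ci, "Self Signed");
    size_t n = toy_i2d(ci, out, sizeof out);
    int same = (n == SAMPLE_LEN && memcmp(out, SAMPLE, n) == 0);
    toy_free(ci);
    return same;
}

/* Returns 1 when the edit survives after the cache is invalidated, either through the
 * sign path (via_sign != 0) or by setting the modified flag directly, as the reply suggests */
int demo_change_is_kept(int via_sign) {
    unsigned char out[128];
    toy_cinf *ci = toy_d2i(SAMPLE, SAMPLE_LEN);
    toy_set_issuer(ci, "Self Signed");
    if (via_sign) toy_sign(ci); else ci->enc.modified = 1;
    size_t n = toy_i2d(ci, out, sizeof out);
    int changed = (n == strlen(WANTED) && memcmp(out, WANTED, n) == 0);
    toy_free(ci);
    return changed;
}

int main(void) {
    printf("edit lost without invalidation: %d\n", demo_change_is_lost());
    printf("edit kept after sign:           %d\n", demo_change_is_kept(1));
    printf("edit kept after manual flag:    %d\n", demo_change_is_kept(0));
    return 0;
}
```

The practical check this suggests for anyone editing certificates programmatically is to compare the DER you write out against the DER you read in, and to run a signature verification on the result, rather than trusting that a setter call took effect. Note that the `cert->cert_info->enc.modified = 1` poke from the reply only works while the X509 struct is public; from OpenSSL 1.1.0 on the structure is opaque, and the supported way to force the signed portion to be re-encoded without a key is `i2d_re_X509_tbs()`.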