RE: Adding a custom extension to a CSR
I will run a debugger, but this is how I freed:

    ASN1_OCTET_STRING_free(os1);
    ASN1_PRINTABLESTRING_free(tmp_os);
    ASN1_INTEGER_free(int1);
    X509_REQ_add_extensions(x, st_exts);

--
View this message in context: http://openssl.6102.n7.nabble.com/Adding-a-custom-extension-to-a-CSR-tp47446p47601.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
RE: Adding a custom extension to a CSR
I used this, and it seems to work great (parsed it with ASN1):

    st_exts = sk_X509_EXTENSION_new_null();
    X509_REQ *x;

    /* add INTEGER EXT */
    int1 = ASN1_INTEGER_new();
    ASN1_INTEGER_set(int1, 1);
    os1 = M_ASN1_OCTET_STRING_new();
    os1->data = NULL;
    n = i2d_ASN1_INTEGER(int1, &os1->data);
    os1->length = n;
    sk_X509_EXTENSION_push(st_exts, X509_EXTENSION_create_by_OBJ(NULL, obj1, 0, os1));

    /* add PRINTABLESTRING EXT */
    tmp_os = M_ASN1_PRINTABLESTRING_new();
    tmp_os->type = V_ASN1_PRINTABLESTRING;
    ASN1_STRING_set(tmp_os, (const unsigned char *)"TEST", 4);
    os2 = M_ASN1_OCTET_STRING_new();
    os2->data = NULL;
    n = i2d_ASN1_PRINTABLESTRING(tmp_os, &os2->data);
    os2->length = n;

    /* add to the extension stack. */
    sk_X509_EXTENSION_push(st_exts, X509_EXTENSION_create_by_OBJ(NULL, obj2, 0, os2));

    /* Now we've created the extensions we add them to the request */
    X509_REQ_add_extensions(x, st_exts);

I freed all the ASN1 structs at the end...

Did I add the extension the way you meant? Do I need to free anything else?

--
View this message in context: http://openssl.6102.n7.nabble.com/Adding-a-custom-extension-to-a-CSR-tp47446p47560.html
RE: Adding a custom extension to a CSR
> Almost. If the actual value is not OCTET STRING, change the type created
> in the first two (or whatever) lines, and i2d'ed in the fourth line.
> And OPENSSL_free the pointer allocated here (d) after you're done
> with that memory.

I need to add an INTEGER extension and a PRINTABLESTRING extension.
I tried following your instructions, and used an example from this forum, but still get rubbish:

    // 1) create the integer and populate it:
    nid = OBJ_create("1.3.6.1.4.1.12345", "EndEntityType", "EndEntityType");
    ASN1_OBJECT *obj = OBJ_nid2obj(nid);
    ASN1_INTEGER *int1 = ASN1_INTEGER_new();
    ASN1_INTEGER_set(int1, 1);

    // 2) figure out the length it would take when converted from internal into der/asn1 wire encoding:
    int n = i2d_ASN1_INTEGER(int1, NULL);

    // 3) Ensure we have the needed space for that:
    ASN1_OCTET_STRING data1;
    data1.data = malloc(n);
    data1.length = n;

    // 4) Fill out the ASN1 string by translating it again - this time into the buffer.
    unsigned char *p = M_ASN1_STRING_data(&data1);
    i2d_ASN1_INTEGER(int1, &p);

    // 5) add to the extension stack.
    sk_X509_EXTENSION_push(st_exts, X509_EXTENSION_create_by_OBJ(NULL, obj, 0, &data1));

What is wrong with this?

--
View this message in context: http://openssl.6102.n7.nabble.com/Adding-a-custom-extension-to-a-CSR-tp47446p47537.html
RE: Adding a custom extension to a CSR
I'd rather not use the openssl config file, and stick with APIs.

> is it really an octet string containing one ASCII character 5?

No, it was just a simple example; the real values are PRINTABLESTRING and INTEGER.

Is that what you meant:

    ASN1_OCTET_STRING *os = ASN1_OCTET_STRING_new();
    ASN1_OCTET_STRING_set(os, "ABC test", 8);
    unsigned char *d = NULL;
    int dlen = i2d_ASN1_OCTET_STRING(os, &d);
    ASN1_OCTET_STRING *os2 = ASN1_OCTET_STRING_new();
    ASN1_OCTET_STRING_set(os2, d, dlen);

Because I still get rubbish... Is there an example of how to set such a custom extension on a CSR?

--
View this message in context: http://openssl.6102.n7.nabble.com/Adding-a-custom-extension-to-a-CSR-tp47446p47501.html
RE: Adding a custom extension to a CSR
I am not using the openssl command line, I have to use the APIs (the openssl.cnf is not used/parsed when using APIs, right?)

Regarding "the value in an extension is an OCTET STRING containing the DER of the value, not the value itself": so basically, do I need to convert the string to DER encoded?

I tried:

    ASN1_OCTET_STRING *os = ASN1_OCTET_STRING_new();
    unsigned char *d = "5";
    int dlen = i2d_ASN1_OCTET_STRING(os, &d);
    ASN1_OCTET_STRING_set(os, d, dlen);
    extension = X509_EXTENSION_create_by_NID(NULL, nid, 0, os);

but I get rubbish (space between the OID and the value):

    1.3.6.1.4.1.19718.1000.1.2.2: . 5

Am I using the correct API (i2d_ASN1_OCTET_STRING / i2d_ASN1_INTEGER)? What am I missing?

--
View this message in context: http://openssl.6102.n7.nabble.com/Adding-a-custom-extension-to-a-CSR-tp47446p47466.html
Adding a custom extension to a CSR
Hi all,

I'm trying to add a custom extension to a CSR using the openssl APIs:

    struct stack_st_X509_EXTENSION *exts = NULL;
    X509_EXTENSION *ex;
    exts = sk_X509_EXTENSION_new_null();
    ASN1_OCTET_STRING *os = ASN1_OCTET_STRING_new();
    nid = OBJ_create("1.3.6.1.4.1.12345", "End Entry Type", "My End Entry Type");
    ASN1_OCTET_STRING_set(os, (unsigned char *)"critical,5", strlen("critical,5"));
    ex = X509_EXTENSION_create_by_NID(NULL, nid, 0, os);
    sk_X509_EXTENSION_push(exts, ex);
    X509_REQ_add_extensions(x, exts);

When I parse the CSR I see that the extension displayed is actually the OID, and not the extension name:

    X509v3 extensions:
        1.3.6.1.4.1.12345: critical,5

Am I adding the extension in the correct way?
Should I change some setting in the openssl.cnf?
How can I insert the extension name "End Entry Type" instead of the OID 1.3.6.1.4.1.12345?

Thanks,
Dany

--
View this message in context: http://openssl.6102.n7.nabble.com/Adding-a-custom-extension-to-a-CSR-tp47446.html
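
The thread turns on the point that an extension's value is an OCTET STRING containing the DER of the real value, not the value itself. The following is an added example, not code from the thread or from OpenSSL: dependency-free C that builds those bytes by hand for short values and checks whether an extension value holds a well-formed inner TLV. All function names are hypothetical, the sample values are constructed, and the inner TLV corresponds to what i2d_ASN1_INTEGER or i2d_ASN1_PRINTABLESTRING would produce.

```c
#include <stdio.h>
#include <string.h>

/* Write one DER TLV with a short-form length (len must be < 128). */
static size_t der_tlv(unsigned char tag, const unsigned char *val, size_t len,
                      unsigned char *out)
{
    out[0] = tag;
    out[1] = (unsigned char)len;
    memcpy(out + 2, val, len);
    return len + 2;
}

/* Correct extnValue: OCTET STRING wrapping the DER TLV of the real value.
 * inner_tag: 0x02 INTEGER (val = one byte 0..127) or 0x13 PrintableString. */
size_t extn_value_wrapped(unsigned char inner_tag, const unsigned char *val,
                          size_t len, unsigned char *out)
{
    unsigned char inner[127];
    if (len > 125) return 0;               /* keep both lengths short-form */
    size_t n = der_tlv(inner_tag, val, len, inner);
    return der_tlv(0x04, inner, n, out);
}

/* What the first attempts did: raw bytes placed directly in the OCTET STRING. */
size_t extn_value_raw(const unsigned char *val, size_t len, unsigned char *out)
{
    return len > 127 ? 0 : der_tlv(0x04, val, len, out);
}

/* Inner tag if the content is exactly one short-form TLV, else -1. */
int extn_inner_tag(const unsigned char *ev, size_t len)
{
    if (len < 4 || ev[0] != 0x04 || ev[1] >= 0x80 || (size_t)ev[1] + 2 != len)
        return -1;
    if (ev[3] >= 0x80 || (size_t)ev[3] + 2 != ev[1])
        return -1;
    return ev[2];
}

int main(void)
{
    unsigned char buf[130], one = 1;       /* constructed sample values */
    size_t n = extn_value_wrapped(0x02, &one, 1, buf);
    printf("INTEGER 1 -> %zu bytes, inner tag 0x%02x\n", n, extn_inner_tag(buf, n));
    n = extn_value_raw((const unsigned char *)"critical,5", 10, buf);
    printf("raw bytes -> %zu bytes, inner tag %d\n", n, extn_inner_tag(buf, n));
    return 0;
}
```

For INTEGER 1 the wrapped value is the five bytes 04 03 02 01 01; the raw "critical,5" and "5" values have no valid inner TLV, which is why a parser has nothing sensible to display for them.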