[openssl-users] X509 subject key identifier
Viktor Dukhovni
openssl-users at dukhovni.org
Tue Sep 22 14:31:14 UTC 2015
On Tue, Sep 22, 2015 at 09:22:09AM -0400, Ken Goldman wrote:
> 1 - Am I correct that "data" points to the internal structure, and so "skid"
> should not be freed until I'm done with "data"?
Correct. The "data" element is part of the ASN1_STRING (of type
ASN1_OCTET_STRING).
> 2 - For my education, I thought that d2i calls converted from DER to openssl
> internal format. Yet, the input "subject" is an X509*, the internal format.
While the certificate object is already decoded, its extensions are not;
they are stored in DER form, and you need to extract them via suitable
decoding routines.
> 3 - Are these calls documented? They're not in my usual starting point
>
> https://www.openssl.org/docs/man1.0.1/crypto/
>
> nor are they on the X509 page.
Sadly, they're not. Please open a ticket that requests these be
documented. There's a tiny example in
doc/HOWTO/proxy_certificates.txt
but it does not amount to documentation of the interface.
If you're really feeling generous, write the document.
The underlying interface is in crypto/x509v3/v3_lib.c:
/*-
 * Get critical flag and decoded version of extension from a NID.
 * The "idx" variable returns the last found extension and can
 * be used to retrieve multiple extensions of the same NID.
 * However multiple extensions with the same NID is usually
 * due to a badly encoded certificate so if idx is NULL we
 * choke if multiple extensions exist.
 * The "crit" variable is set to the critical value.
 * The return value is the decoded extension or NULL on
 * error. The actual error can have several different causes,
 * the value of *crit reflects the cause:
 * >= 0, extension found but not decoded (reflects critical value).
 * -1 extension not found.
 * -2 extension occurs more than once.
 */
void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
                     int *idx)
Only certain "standard" extensions have default "d2i" methods. The list
is in:
static const X509V3_EXT_METHOD *standard_exts[]
in the same file, but some legacy Netscape extensions are
defined in crypto/x509v3/v3_ia5.c:
const X509V3_EXT_METHOD v3_ns_ia5_list[]
--
Viktor.