<div dir="ltr">







<p class=""><span class="">Hi,</span></p>
<p class=""><span class="">I'm trying to add a dirName extension to the SAN in a CSR programmatically.</span></p>
<p class=""><span class="">I started with the example code, mkreq.c, as a basis.</span></p>
<p class=""><span class="">I then added some code, after initializing X509_REQ *x, for adding the dirName extension to the SAN:</span></p>
<pre>X509V3_CTX CTX;
X509V3_set_ctx_nodb(&CTX);
X509V3_set_ctx(&CTX, 0, 0, x, 0, 0);
X509V3_EXT_conf_nid(NULL, &CTX, NID_subject_alt_name, "dirName:/C=UK/CN=OpenSSL Group");
</pre>
<p class="">The CSR is created, with the SAN containing the email but without the dirName. I also added error prints and am getting:</p>
<pre>mkreq() add DirName extenion
Got error: error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing value
error code: 570904700 in /SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/x509v3/v3_alt.c line 433.
Got error: error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension
error code: 571048064 in /SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/x509v3/v3_conf.c line 93.
error data: name=subjectAltName, value=digitalSignature,keyEncipherment
Got error: error:2208E094:X509 V3 routines:X509V3_get_section:operation not defined
error code: 571007124 in /SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/x509v3/v3_conf.c line 400.
Got error: error:22090096:X509 V3 routines:DO_DIRNAME:section not found
error code: 571015318 in /SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/x509v3/v3_alt.c line 571.
error data: section=/C=UK/CN=OpenSSL Group
Got error: error:22075095:X509 V3 routines:v2i_GENERAL_NAME_ex:dirname error
error code: 570904725 in /SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/x509v3/v3_alt.c line 495.
Got error: error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension
error code: 571048064 in /SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/x509v3/v3_conf.c line 93.
error data: name=subjectAltName, value=dirName:/C=UK/CN=OpenSSL Group
</pre>
<p class="">Reading the manual, I understand I'm not supposed to specify dirName as a simple type:value pair (like DNS, IP, etc.) but rather "point to a section containing the distinguished name to use as a set of name value pairs" (quoting the manual).</p>
<p class="">My question is whether my understanding is correct and, if so, how to perform that programmatically.</p>
<p class="">Would greatly appreciate help on the matter.</p>








<p class=""><span class="">Thanks!</span></p>
<p class=""><span class="">Yosi</span></p>
<p class=""><span class="">For reference, the skeleton of the source code I'm testing (includes, prototypes, the callback and print_errors helpers, and the REQUEST_EXTENSIONS define were omitted from the paste and are filled in so it compiles):</span></p>
<pre>#include &lt;stdio.h&gt;
#include &lt;openssl/bio.h&gt;
#include &lt;openssl/engine.h&gt;
#include &lt;openssl/err.h&gt;
#include &lt;openssl/pem.h&gt;
#include &lt;openssl/rsa.h&gt;
#include &lt;openssl/x509v3.h&gt;

#define REQUEST_EXTENSIONS

int mkreq(X509_REQ **req, EVP_PKEY **pkeyp, int bits, int serial, int days);
int add_ext(X509V3_CTX *ctx, STACK_OF(X509_EXTENSION) *sk, int nid, char *value);

/* Key generation progress callback expected by RSA_generate_key();
 * the original mkreq.c prints a character per step, this one is silent. */
static void callback(int p, int n, void *arg)
{
}

/* Print the OpenSSL error queue in the format shown above. */
static void print_errors(void)
{
	unsigned long e;
	const char *file, *data;
	int line, flags;

	while ((e = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0) {
		fprintf(stderr, "Got error: %s\n", ERR_error_string(e, NULL));
		fprintf(stderr, "error code: %lu in %s line %d.\n", e, file, line);
		if (flags & ERR_TXT_STRING)
			fprintf(stderr, "error data: %s\n", data);
	}
}

int main(int argc, char **argv)
{
	BIO *bio_err;
	X509_REQ *req = NULL;
	EVP_PKEY *pkey = NULL;

	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
	ERR_load_crypto_strings();	/* needed for readable error strings */

	bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);

	//loadconf();
	if (!mkreq(&req, &pkey, 512, 0, 365)) {	/* do not dereference NULL on failure */
		print_errors();
		return 1;
	}

	RSA_print_fp(stdout, pkey->pkey.rsa, 0);
	X509_REQ_print_fp(stdout, req);

	PEM_write_X509_REQ(stdout, req);

	X509_REQ_free(req);
	EVP_PKEY_free(pkey);

#ifndef OPENSSL_NO_ENGINE
	ENGINE_cleanup();
#endif
	CRYPTO_cleanup_all_ex_data();

	CRYPTO_mem_leaks(bio_err);
	BIO_free(bio_err);
	return 0;
}

int mkreq(X509_REQ **req, EVP_PKEY **pkeyp, int bits, int serial, int days)
{
	X509_REQ *x;
	EVP_PKEY *pk;
	RSA *rsa;
	X509_NAME *name = NULL;
	STACK_OF(X509_EXTENSION) *exts = NULL;
	X509V3_CTX CTX;

	printf("mkreq() called \n");
	if ((pk = EVP_PKEY_new()) == NULL)
		goto err;

	if ((x = X509_REQ_new()) == NULL)
		goto err;

	rsa = RSA_generate_key(bits, RSA_F4, callback, NULL);
	if (!EVP_PKEY_assign_RSA(pk, rsa))
		goto err;

	rsa = NULL;

	X509_REQ_set_pubkey(x, pk);

	name = X509_REQ_get_subject_name(x);

	/* This function creates and adds the entry, working out the
	 * correct string type and performing checks on its length.
	 * Normally we'd check the return value for errors...
	 */
	X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC, "UK", -1, -1, 0);
	X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, "OpenSSL Group", -1, -1, 0);

#ifdef REQUEST_EXTENSIONS
	/* Certificate requests can contain extensions, which can be used
	 * to indicate the extensions the requestor would like added to
	 * their certificate. CAs might ignore them however or even choke
	 * if they are present.
	 */

	/* For request extensions they are all packed in a single attribute.
	 * We save them in a STACK and add them all at once later...
	 */
	exts = sk_X509_EXTENSION_new_null();

	/* Standard extensions */
	printf("mkreq() add 1st extenion  \n");
	add_ext(NULL, exts, NID_key_usage, "critical,digitalSignature,keyEncipherment");

	/* This is a typical use for request extensions: requesting a value for
	 * subject alternative name.
	 */
	printf("mkreq() add email extenion  \n");
	add_ext(NULL, exts, NID_subject_alt_name, "email:steve@openssl.org");

	X509V3_set_ctx_nodb(&CTX);
	X509V3_set_ctx(&CTX, 0, 0, x, 0, 0);

	//add_ext(exts, NID_subject_alt_name, "DirName:/C=DE/O=Novell/OU=Security/CN=DUS-LAB-NPS");
	//add_ext(exts, NID_subject_alt_name, "DirName:/CN=DUS-LAB-NPS");
	printf("mkreq() add DirName extenion  \n");
	add_ext(&CTX, exts, NID_subject_alt_name, "dirName:/C=UK/CN=OpenSSL Group");
	printf("mkreq() added DirName extenion  \n");
	print_errors();

	/* Some Netscape specific extensions */
	add_ext(NULL, exts, NID_netscape_cert_type, "client,email");

#ifdef CUSTOM_EXT
	/* Maybe even add our own extension based on existing */
	{
		int nid;
		nid = OBJ_create("1.2.3.4", "MyAlias", "My Test Alias Extension");
		X509V3_EXT_add_alias(nid, NID_netscape_comment);
		add_ext(NULL, exts, nid, "example comment alias");	/* was passing x instead of exts */
	}
#endif

	/* Now we've created the extensions we add them to the request */
	X509_REQ_add_extensions(x, exts);

	sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
#endif

	if (!X509_REQ_sign(x, pk, EVP_sha1()))
		goto err;

	*req = x;
	*pkeyp = pk;
	return 1;
err:
	return 0;
}

/* Add extension using V3 code: we can set the config file as NULL
 * because we won't reference any other sections (see v3_alt.c).
 * Note: an earlier version of this helper passed the fixed name
 * "subjectAltName" to X509V3_EXT_conf() for every call, ignoring nid,
 * which is why the key usage value appears under subjectAltName in the
 * error output above; X509V3_EXT_conf_nid() with nid avoids that.
 */
int add_ext(X509V3_CTX *ctx, STACK_OF(X509_EXTENSION) *sk, int nid, char *value)
{
	X509_EXTENSION *ex;

	ex = X509V3_EXT_conf_nid(NULL, ctx, nid, value);
	if (!ex)
		return 0;
	sk_X509_EXTENSION_push(sk, ex);
	return 1;
}
</pre>
</div>