<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">On 18 Mar 2019, at 22:27, Viktor Dukhovni <<a href="mailto:openssl-users@dukhovni.org" class="">openssl-users@dukhovni.org</a>> wrote:<div class=""><br class=""><div><blockquote type="cite" class=""><div class=""><div class=""><blockquote type="cite" class="">(Even in the 1.1 API, where they are opaque, i2d_re_X509_REQ_tbs will encode a given X509_REQ's X509_REQ_INFO for you.)<br class=""></blockquote><br class="">Yes, i2d_re_X509_REQ_tbs is the key function for constructing the<br class="">"to be signed" (tbs) request:<br class=""><br class="">  int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp)<br class="">  {<br class="">      req->req_info.enc.modified = 1;<br class="">      return i2d_X509_REQ_INFO(&req->req_info, pp);<br class="">  }<br class=""><br class="">By setting the "modified" bit, it ensures that the DER representation<br class="">will be re-generated with any changes made to the object.<br class=""><br class="">So the OP can create the "partially filled in" X509_REQ and then call<br class="">the i2d_re_X509_REQ_tbs() function to generate the DER CRI blob to sign. <br class="">This removes any temptation to "cheat" by just casting the (X509_REQ *)<br class="">as an (X509_REQ_INFO *) and calling i2d_X509_REQ_INFO() on that (first<br class="">member of the X509_REQ structure).  
The i2d_re_X509_REQ_tbs() function<br class="">achieves the same effect in a type-safe, supported manner.<br class=""></div></div></blockquote><div><br class=""></div><div>Can you confirm what structure is being encoded by i2d_re_X509_REQ_tbs; is this an X509_REQ_INFO?</div><div><br class=""></div><div>The man page doesn’t explicitly specify the output formats of any of the related functions:</div><div><br class=""></div><div><a href="https://www.openssl.org/docs/man1.1.1/man3/i2d_re_X509_REQ_tbs.html" class="">https://www.openssl.org/docs/man1.1.1/man3/i2d_re_X509_REQ_tbs.html</a></div><div><br class=""></div><div>Looking at the source, we have X509_REQ_INFO being returned:</div><div><br class=""></div><div><div style="margin: 0px; font-stretch: normal; font-size: 10px; line-height: normal; font-family: Monaco;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">int </span><span style="font-variant-ligatures: no-common-ligatures; color: #ffffff; background-color: #000000" class="">i2d_re_X509_REQ_tbs</span><span style="font-variant-ligatures: no-common-ligatures" class="">(X509_REQ *req, unsigned char **pp)</span></div><div style="margin: 0px; font-stretch: normal; font-size: 10px; line-height: normal; font-family: Monaco;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">{</span></div><div style="margin: 0px; font-stretch: normal; font-size: 10px; line-height: normal; font-family: Monaco;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">    req->req_info.enc.modified = 1;</span></div><div style="margin: 0px; font-stretch: normal; font-size: 10px; line-height: normal; font-family: Monaco;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">    return i2d_X509_REQ_INFO(&req->req_info, pp);</span></div><div style="margin: 0px; font-stretch: normal; font-size: 10px; line-height: normal; font-family: Monaco;" class=""><span style="font-variant-ligatures: 
no-common-ligatures" class="">}</span></div><div class=""><br class=""></div></div><div>What would the corresponding functions need to be in the openssl v1.0.x world to achieve the same output as i2d_re_X509_REQ_tbs?</div><div><br class=""></div><div>Would it just be to copy the above code in?</div><div><br class=""></div><div>Regards,</div><div>Graham</div><div>—</div><div><br class=""></div></div></div></body></html>
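Added example, not from this thread and not OpenSSL code: a stdlib-only Python parser that splits a DER CertificationRequest into its three elements so that the first one, the CertificationRequestInfo (OpenSSL's X509_REQ_INFO), can be compared byte-for-byte against what i2d_re_X509_REQ_tbs() returns. The sample CSR it parses is constructed by hand and is not validly signed.

```python
def _read_tlv(buf, off):
    """Parse the DER TLV at buf[off:]; return (tag, value, start, end)."""
    tag = buf[off]
    if tag & 0x1F == 0x1F:
        raise ValueError("high tag numbers do not occur in a CSR")
    length, pos = buf[off + 1], off + 2
    if length & 0x80:  # long-form length: the next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:end], off, end

def split_csr(der):
    """Split a DER CertificationRequest into (tbs, sig_alg, signature).

    tbs is the complete CertificationRequestInfo TLV, header included,
    which is what i2d_re_X509_REQ_tbs() emits and what gets signed."""
    tag, body, _, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one outer SEQUENCE")
    children, off = [], 0
    while off < len(body):
        t, v, s, e = _read_tlv(body, off)
        children.append((t, v, body[s:e]))  # (tag, value, whole TLV)
        off = e
    if [c[0] for c in children] != [0x30, 0x30, 0x03]:
        raise ValueError("expected SEQUENCE { SEQUENCE, SEQUENCE, BIT STRING }")
    tbs, sig_alg, sig = children[0][2], children[1][2], children[2][1]
    if sig[:1] != b"\x00":
        raise ValueError("signature BIT STRING must have zero unused bits")
    return tbs, sig_alg, sig[1:]

def _tlv(tag, content):
    """Encode one DER TLV; used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

# Constructed sample CSR: version 0, CN=foo, ecPublicKey SPKI with a dummy key,
# empty attributes, ecdsa-with-SHA256 and a dummy signature (not validly signed).
SAMPLE_CRI = _tlv(0x30, _tlv(0x02, b"\x00")
    + _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, b"foo"))))
    + _tlv(0x30, _tlv(0x30, _tlv(0x06, bytes.fromhex("2A8648CE3D0201"))) + _tlv(0x03, b"\x00\xff"))
    + _tlv(0xA0, b""))
SAMPLE_CSR = _tlv(0x30, SAMPLE_CRI + _tlv(0x30, _tlv(0x06, bytes.fromhex("2A8648CE3D040302")))
    + _tlv(0x03, b"\x00\xde\xad\xbe\xef"))
```

A real DER CSR can be passed to split_csr() in place of the constructed sample; the tbs it returns is the blob the signature is computed over, so it should equal the output of i2d_re_X509_REQ_tbs() for the same request.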