<div dir="ltr"><div>Sorry, I was just frustrated that the changes to OpenSSL 1.1.1 broke code which worked for nearly 15 years, by denying access to previously accessible C structs.</div><div><br></div>I was able to use OpenSSL to generate a certificate with a subject containing the x500UniqueIdentifier attribute as a pure ASN.1 BIT STRING, as you can see with the following snippet from OpenSSL asn1parse.<div><br></div><div><font color="#ff00ff"> ___:d=5 hl=2 l= 3 prim: OBJECT :x500UniqueIdentifier<br> ___:d=5 hl=2 l= 16 prim: BIT STRING</font> <br></div><div><br></div><div>Are you sure that the ASN.1 BIT STRING value is really stored as an ASN.1 STRING in a X500_NAME_ENTRY, when it is a binary value and not a text value?</div><div><br></div><div>Regardless, I did try this as you helpfully suggested:</div><div><br></div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div>(X509_NAME_ENTRY_get_data (nameEntry)->flags) |= (ASN1_STRING_FLAG_BITS_LEFT | i);</div></blockquote><div><br></div><div>And it seems to be working properly for x500UniqueIdentifer attribute, without any errors I can find during compile or in the content of the resulting certificates.</div><div><br></div><div>Thank you very much for your assistance.</div><div><br></div><div>Lisa.</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 18 Jun 2019 at 12:30, Viktor Dukhovni <<a href="mailto:openssl-users@dukhovni.org">openssl-users@dukhovni.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Tue, Jun 18, 2019 at 07:16:46AM -0700, Lisa Matias wrote:<br>
<br>
> If you look here:<br>
> <br>
> <a href="https://www.openssl.org/docs/man1.1.0/man3/X509_NAME_ENTRY_get_data.html" rel="noreferrer" target="_blank">https://www.openssl.org/docs/man1.1.0/man3/X509_NAME_ENTRY_get_data.html</a><br>
> <br>
> It states:<br>
> <br>
> *X509_NAME_ENTRY_get_data() retrieves the field value of ne in<br>
> and ASN1_STRING structure.*<br>
<br>
Regardless of the entry type, the underlying value is always stored<br>
as an ASN.1 string.<br>
<br>
struct X509_name_entry_st {<br>
ASN1_OBJECT *object; /* AttributeType */<br>
ASN1_STRING *value; /* AttributeValue */<br>
int set; /* index of RDNSequence for this entry */<br>
int size; /* temp variable */<br>
};<br>
<br>
The flags you're looking for are associated with the ASN.1 string.<br>
To indicate that it is a bit-string you set:<br>
<br>
value->flags |= ASN1_STRING_FLAG_BITS_LEFT | i<br>
<br>
where "i" is the number of unused bits in the final octet.<br>
<br>
> Unfortunately this does not work for any non-string X.500 attributes such<br>
> as x500UniqueIdentifer which is defined as an ASN.1 BIT STRING.<br>
<br>
Actually, it does.<br>
<br>
-- <br>
Viktor.<br>
</blockquote></div>