[openssl-dev] [openssl.org #4274] OpenSSL 1.1 X509_NAME_der()

Howard Chu via RT rt at openssl.org
Fri Jan 29 19:14:50 UTC 2016


Stephen Henson via RT wrote:
> On Fri Jan 29 17:35:05 2016, steve wrote:
>> On Fri Jan 29 15:08:47 2016, hyc at highlandsun.com wrote:
>>> Howard Chu via RT wrote:
>>>> In OpenLDAP we reference X509_NAME->bytes->data directly, we want the DER
>>>> bytes which we then pass thru our own DN validator/formatter. This no
>>>> longer works with OpenSSL 1.1 and I don't see any provided method to
>>>> return the DER bytes. I don't want a malloc'd copy, I just want read-only
>>>> access to the bytes already cached inside the X509_NAME structure.
>>>>
>>>> The attached patch would be sufficient to meet this requirement.
>>>
>>> We are tracking this here as well:
>>>
>>> http://www.openldap.org/its/index.cgi/Development?id=8353
>>
>>
>> I'd rather we didn't return a pointer to the internal BUF_MEM as we
>> might want to change that at some point.
>>
>> Would a function like:
>>
>> int X509_NAME_der(const X509_NAME *nm, const char **pder);
>>
>> be suitable for your needs?
>>
>
> Thinking about it, a better name to comply with our naming convention would be
> X509_NAME_get0_der.

Just to be clear - in our use case we already know the length. But if the 
function you're proposing is returning only a success/error code, then the 
function should probably also provide the length as a return parameter, for 
more general users.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
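The API shape under discussion, a get0-style accessor that hands back a borrowed pointer into the cached encoding and, as Howard suggests, the length alongside it, as an added C example that is not part of this thread, of OpenLDAP or of OpenSSL. It models the cached DER buffer with a stand-in struct and shows why a consumer such as a DN validator needs that length: the walker below parses the Name outline (SEQUENCE of SET of SEQUENCE { OID, value }) and refuses anything that would run past the buffer. Everything here (name_t, name_get0_der, der_header, name_count_rdns, demo_validate and the sample bytes) is constructed for illustration, not OpenSSL's real layout or API. For reference, OpenSSL 1.1.0 did ship this accessor as X509_NAME_get0_der with a size_t length out-parameter.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for the X509_NAME internals discussed in the thread: the struct
 * caches the DER encoding of the Name. Modelled for this example only. */
typedef struct {
    const unsigned char *der;  /* cached DER bytes, owned by the struct */
    size_t der_len;            /* their length */
} name_t;

/* get0-style accessor: hands out a borrowed pointer plus the length, never a
 * malloc'd copy. The caller must not free *pder and must not use it after the
 * name_t is modified or freed. Returns 1 on success, 0 if nothing is cached. */
int name_get0_der(const name_t *nm, const unsigned char **pder, size_t *plen)
{
    if (nm == NULL || nm->der == NULL)
        return 0;
    if (pder) *pder = nm->der;
    if (plen) *plen = nm->der_len;
    return 1;
}

/* Read one DER tag/length header from buf[0..len). Short-form and 1- or
 * 2-byte long-form lengths are handled, which covers any realistic Name.
 * Returns the header size, or 0 if the header or its body would exceed len. */
static size_t der_header(const unsigned char *buf, size_t len,
                         unsigned char *tag, size_t *body_len)
{
    size_t hdr, l;
    if (len < 2) return 0;
    *tag = buf[0];
    if (buf[1] < 0x80)        { l = buf[1]; hdr = 2; }
    else if (buf[1] == 0x81)  { if (len < 3) return 0; l = buf[2]; hdr = 3; }
    else if (buf[1] == 0x82)  { if (len < 4) return 0;
                                l = ((size_t)buf[2] << 8) | buf[3]; hdr = 4; }
    else return 0;                          /* indefinite or oversized length */
    if (l > len - hdr) return 0;            /* body would run past the buffer */
    *body_len = l;
    return hdr;
}

/* Validate the outline of a DER Name without reading past len and return the
 * number of RDNs it contains, or -1 if the encoding is malformed/truncated. */
int name_count_rdns(const unsigned char *der, size_t len)
{
    unsigned char tag;
    size_t hdr, body, off, set_end, atv_end;
    int rdns = 0;

    hdr = der_header(der, len, &tag, &body);
    if (hdr == 0 || tag != 0x30 || hdr + body != len) return -1;  /* outer SEQUENCE */
    off = hdr;
    while (off < len) {
        hdr = der_header(der + off, len - off, &tag, &body);       /* RDN: SET */
        if (hdr == 0 || tag != 0x31 || body == 0) return -1;
        set_end = off + hdr + body;
        off += hdr;
        while (off < set_end) {                                    /* AttributeTypeAndValue */
            hdr = der_header(der + off, set_end - off, &tag, &body);
            if (hdr == 0 || tag != 0x30) return -1;
            atv_end = off + hdr + body;
            off += hdr;
            hdr = der_header(der + off, atv_end - off, &tag, &body);
            if (hdr == 0 || tag != 0x06) return -1;                /* type must be an OID */
            off += hdr + body;
            hdr = der_header(der + off, atv_end - off, &tag, &body);
            if (hdr == 0 || off + hdr + body != atv_end) return -1; /* exactly one value */
            off = atv_end;
        }
        rdns++;
    }
    return rdns;
}

/* Constructed sample: the DER encoding of the Name "CN=test" (17 bytes). */
static const unsigned char sample_cn_test[] = {
    0x30, 0x0F,                           /* SEQUENCE, 15 bytes            */
      0x31, 0x0D,                         /*   SET, 13 bytes               */
        0x30, 0x0B,                       /*     SEQUENCE, 11 bytes        */
          0x06, 0x03, 0x55, 0x04, 0x03,   /*       OID 2.5.4.3 (commonName) */
          0x0C, 0x04, 't', 'e', 's', 't'  /*       UTF8String "test"        */
};

/* The borrowed-pointer flow end to end: fetch the cached DER through the
 * accessor and hand pointer and length to the validator. Returns the RDN
 * count (1 for the sample) or -1. */
int demo_validate(void)
{
    name_t nm = { sample_cn_test, sizeof sample_cn_test };
    const unsigned char *der;
    size_t len;
    if (!name_get0_der(&nm, &der, &len)) return -1;
    return name_count_rdns(der, len);
}
```

The get0 naming carries the ownership rule in the name: the pointer is borrowed, so the caller neither frees it nor keeps it beyond the lifetime of the name. The length is what makes the consumer safe: `der_header` rejects any element whose declared body exceeds the bytes remaining, so a truncated or corrupted encoding fails cleanly instead of being read past its end.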
