[openssl-users] X509 subject key identifier

Ken Goldman kgoldman at us.ibm.com
Tue Sep 22 13:22:09 UTC 2015

This (of course) worked.  I have three further questions.

1 - Am I correct that "data" points to the internal structure, and so 
"skid" should not be freed until I'm done with "data"?

2 - For my education, I thought that d2i calls converted from DER to 
openssl internal format.  Yet, the input "subject" is an X509*, the 
internal format.

3 - Are these calls documented?  They're not in my usual starting point


nor are they on the X509 page.

On 9/22/2015 1:25 AM, Viktor Dukhovni wrote:
> On Mon, Sep 21, 2015 at 06:29:02PM -0400, Ken Goldman wrote:
>> How can I programmatically get the Subject Key Identifier as a byte array
>> from an X509 certificate.
> Unless I'm mistaken:
>      size_t len;
>      unsigned char *data;
>      ASN1_OCTET_STRING *skid;
>      /* NULL if the extension is absent or cannot be decoded */
>      skid = X509_get_ext_d2i(subject, NID_subject_key_identifier, NULL, NULL);
>      if (skid != NULL) {
>          len = ASN1_STRING_length(skid);
>          data = ASN1_STRING_data(skid);
>          /* ... Take unspeakable liberties with "data" and "len" ... */
>          ASN1_OCTET_STRING_free(skid);
>      }
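
What the "d2i" step in the quoted call works on, as an added example that is not part of the thread and is not OpenSSL code: a parsed certificate still carries each extension's value as DER, and for the subject key identifier that DER is an OCTET STRING wrapping the identifier bytes. The function name `skid_from_extn_value` and the sample bytes are constructed for illustration; the decoder copies the identifier into a caller-owned buffer, so the result stays valid after the decoded object is gone.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decode the DER held in a subjectKeyIdentifier extension value (an OCTET
 * STRING containing the key identifier) and copy the identifier into out.
 * Returns its length, or -1 if the input is malformed or out is too small. */
int skid_from_extn_value(const unsigned char *der, size_t der_len,
                         unsigned char *out, size_t out_cap)
{
    size_t len, hdr = 2;

    if (der_len < 2 || der[0] != 0x04)      /* tag must be OCTET STRING */
        return -1;
    if (der[1] < 0x80) {                    /* short-form length */
        len = der[1];
    } else if (der[1] == 0x81) {            /* long form, one length byte */
        if (der_len < 3 || der[2] < 0x80)   /* DER requires the minimal form */
            return -1;
        len = der[2];
        hdr = 3;
    } else {
        return -1;                          /* larger than any sane key id */
    }
    if (der_len - hdr != len || len > out_cap)  /* truncated, trailing, or no room */
        return -1;
    memcpy(out, der + hdr, len);            /* caller now holds a private copy */
    return (int)len;
}

/* Constructed sample: tag 04, length 14 (hex), then a 20-byte identifier. */
const unsigned char sample_extn_value[22] = {
    0x04, 0x14,
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
    0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13
};

int main(void)
{
    unsigned char id[32];
    int n = skid_from_extn_value(sample_extn_value, sizeof sample_extn_value,
                                 id, sizeof id);
    for (int i = 0; i < n; i++)
        printf("%02x", id[i]);
    printf("\n");
    return n < 0;
}
```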
