[openssl-users] X509 subject key identifier
openssl-users at dukhovni.org
Tue Sep 22 14:31:14 UTC 2015
On Tue, Sep 22, 2015 at 09:22:09AM -0400, Ken Goldman wrote:
> 1 - Am I correct that "data" points to the internal structure, and so "skid"
> should not be freed until I'm done with "data"?
Correct. The "data" element is part of the ASN1_STRING (of type
> 2 - For my education, I thought that d2i calls converted from DER to openssl
> internal format. Yet, the input "subject" is an X509*, the internal format.
While the certificate object is already decoded, its extensions are not,
they are stored in DER form, and you need to extract them via suitable
> 3 - Are these calls documented? They're not in my usual starting point
> nor are they on the X509 page.
Sadly, they're not. Please open a ticket that requests these be
documented. There's a tiny example in
but it does not amount to documentation of the interface.
If you're really feeling generous, write the document.
The underlying interface is in crypto/x509v3/v3_lib.c:
* Get critical flag and decoded version of extension from a NID.
* The "idx" variable returns the last found extension and can
* be used to retrieve multiple extensions of the same NID.
* However multiple extensions with the same NID is usually
* due to a badly encoded certificate so if idx is NULL we
* choke if multiple extensions exist.
* The "crit" variable is set to the critical value.
* The return value is the decoded extension or NULL on
* error. The actual error can have several different causes,
* the value of *crit reflects the cause:
* >= 0, extension found but not decoded (reflects critical value).
* -1 extension not found.
* -2 extension occurs more than once.
void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
Only certain "standard" extensions have default "d2i" methods. The list
static const X509V3_EXT_METHOD *standard_exts
in the same file, but some legacy NetScape extensions are
defined in crypto/x509v3/v3_ia5.c:
const X509V3_EXT_METHOD v3_ns_ia5_list
More information about the openssl-users