[openssl-users] Help finding replacement for ASN1_seq_unpack_X509

Dr. Stephen Henson steve at openssl.org
Thu Jul 21 13:52:38 UTC 2016

On Wed, Jul 20, 2016, Jim Carroll wrote:

> Thanks much....I have a corollary question if you don't mind.  In OpenSSL
> 1.1.0, what is the accepted procedure to convert a STACK_OF(X509) to DER?

It depends on what you mean by "to DER" and what the other end is expecting.

The code snippet I suggested will do that: if you call i2d_SEQ_CERT (or
whatever you called it) that will work. That wraps the whole lot in a SEQUENCE
header which is the same as the original. That is, it is a SEQUENCE OF X509.

> Would it be acceptable to just iterate the stack elements, passing each X509
> through i2d_X509 and appending the results -- would that generate valid DER?
> Is there a better way?

It depends on what the other side expects. If you just do that and EOF
signals the end of the last certificate you'll be fine. If you append
additional data afterwards then you need to mark the last certificate somehow.
The certificate sequence version prepends the data with the length of all the
certificates so it automatically handles that.

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
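
The framing difference described in the reply above, as an added example that is not part of the original message and is not OpenSSL code: a minimal DER header walker run over constructed toy elements that stand in for i2d_X509 output. The function names (der_header, count_concatenated, count_in_sequence) are hypothetical, and the walker does not enforce DER's minimal-length rule.

```c
#include <stddef.h>
#include <stdio.h>

/* Parse one DER tag+length header (single-byte tags only, enough for SEQUENCE).
 * Returns 0 and sets header/body sizes, or -1 if truncated or malformed. */
static int der_header(const unsigned char *p, size_t avail, size_t *hdr, size_t *body)
{
    size_t n = 0, i;
    if (avail < 2) return -1;
    *body = p[1];                               /* short form: length < 128 */
    if (p[1] >= 0x80) {                         /* long form: n length bytes follow */
        n = p[1] & 0x7f;
        if (n == 0 || n > sizeof(size_t) || avail - 2 < n) return -1;
        for (*body = 0, i = 0; i < n; i++) *body = (*body << 8) | p[2 + i];
    }
    *hdr = 2 + n;
    return *body <= avail - *hdr ? 0 : -1;      /* body must fit in what is left */
}

/* Count elements laid end to end, assuming the buffer end marks the last one. */
int count_concatenated(const unsigned char *buf, size_t avail)
{
    size_t off = 0, h, b;
    int count = 0;
    for (; off < avail; off += h + b, count++)
        if (der_header(buf + off, avail - off, &h, &b)) return -1;
    return count;
}

/* Count elements inside an outer SEQUENCE; bytes after it are reported, not parsed. */
int count_in_sequence(const unsigned char *buf, size_t avail, size_t *trailing)
{
    size_t h, b;
    if (avail < 2 || buf[0] != 0x30 || der_header(buf, avail, &h, &b)) return -1;
    *trailing = avail - h - b;
    return count_concatenated(buf + h, b);
}

/* Constructed sample: two toy elements, then unrelated bytes shaped like a third. */
static const unsigned char bare[] = { 0x30,3,2,1,1, 0x30,3,2,1,2, 0x30,3,2,1,0x63 };
static const unsigned char wrapped[] = { 0x30,10, 0x30,3,2,1,1, 0x30,3,2,1,2, 0x30,3,2,1,0x63 };

int main(void)
{
    size_t extra;
    printf("bare: %d elements\n", count_concatenated(bare, sizeof bare));
    printf("wrapped: %d elements\n", count_in_sequence(wrapped, sizeof wrapped, &extra));
    return 0;
}
```

Without the outer SEQUENCE the reader counts the appended bytes as a third element; with it, the outer length stops the walk after two.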