[openssl-users] Porting to OpenSSL 1.1

Matt Caswell matt at openssl.org
Mon Oct 10 23:19:11 UTC 2016

On 10/10/16 23:56, Bernhard Rosenkraenzer wrote:
> Hi,
> I'm porting some code to OpenSSL 1.1 -- for the most part, it's going
> well, but there are some things I'm not sure about:
> - What replaces a direct access to "sha1_hash" in an X509? (found in Qt 5.7)

You could use X509_digest() to calculate this value.

> So far, haven't come up with a proper alternative to this. Should the
> code be refactored to use X509_issuer_and_serial_hash (which isn't quite
> the same, but should still give a unique hash)?
> [this is from qHash -- so the purpose really is to get a unique hash of
> the contents]
> - What's the best way to copy an EVP_PKEY?

Do you really need a *copy*? EVP_PKEYs are ref counted, so normally you
just get a new ref using EVP_PKEY_up_ref().

> Also from Qt 5.7:
> rsa = RSA_new();
> memcpy(rsa, EVP_PKEY_get1_RSA(pkey), sizeof(RSA));

Again, do you really need a *copy*? RSA objects are ref-counted.
EVP_PKEY_get1_RSA() gets you a new ref on the RSA.

> [breaks because sizeof(RSA) is no longer known]
> for EC, there's EC_KEY_dup -- for RSA and DSA, not so much.
> - What's the proper successor to NETSCAPE_X509? (from kdelibs4support)
> I presume this (the method KSSLCertificate::toNetscape()) can just be
> deleted because nothing should be using Netscape x509 anymore?

This is an obsolete format that is no longer used so there is no
successor. It was removed in commit 0bc2f3655.


