how to set flags in X509_NAME_ENTRY in OpenSSL 1.1.1

Lisa Matias lisa.matias at
Tue Jun 18 14:16:46 UTC 2019

If you look here:

It states:

*X509_NAME_ENTRY_get_data() retrieves the field value of ne in
and ASN1_STRING structure.*

Unfortunately this does not work for any non-string X.500 attributes such
as x500UniqueIdentifier which is defined as an ASN.1 BIT STRING.

I am only looking to fix in OpenSSL 1.1.1, what was previously working in
all older versions of OpenSSL all the way back to 0.9.7 which included a
way to support non-string attributes in X509_NAME_ENTRY.



On Mon, 17 Jun 2019 at 22:37, Viktor Dukhovni <openssl-users at>

> On Mon, Jun 17, 2019 at 09:19:41PM -0700, Lisa Matias wrote:
> > X509_NAME_ENTRY *nameEntry = NULL;
> > nameEntry = X509_NAME_ENTRY_create_by_NID (&nameEntry, nid,
> >                         derTagToVType (tag), buffer, bufferLength);
> > nameEntry->value->flags = specifiedFlags;
> Can you be a bit more explicit about why you need to do this?
> What flags do you intend to set and why?
> That said, you can use:
>     ASN1_STRING *X509_NAME_ENTRY_get_data(const X509_NAME_ENTRY *ne);
> to get the ASN1_STRING holding the value, and since ASN1_STRINGs
> are not opaque types, you can just use:
>         value->flags = ...
> assuming that's a sensible thing to do.  You may however be straying
> into undocumented behaviour, and so it might be good to know whether
> perhaps there's a better way of getting the result you actually want.
> --
>         Viktor.