how to set flags in X509_NAME_ENTRY in OpenSSL 1.1.1

Lisa Matias lisa.matias at gmail.com
Tue Jun 18 21:27:30 UTC 2019


Sorry, I was just frustrated that the changes to OpenSSL 1.1.1 broke code
which worked for nearly 15 years, by denying access to previously
accessible C structs.

I was able to use OpenSSL to generate a certificate with a subject
containing the x500UniqueIdentifier attribute as a pure ASN.1 BIT STRING,
as you can see with the following snippet from OpenSSL asn1parse.

  ___:d=5  hl=2 l=   3 prim: OBJECT            :x500UniqueIdentifier
  ___:d=5  hl=2 l=  16 prim: BIT STRING

Are you sure that the ASN.1 BIT STRING value is really stored as an ASN.1
STRING in an X509_NAME_ENTRY, when it is a binary value and not a text value?

Regardless, I did try this as you helpfully suggested:

(X509_NAME_ENTRY_get_data (nameEntry)->flags) |=
(ASN1_STRING_FLAG_BITS_LEFT | i);  /* i = number of unused bits in the final octet */


And it seems to be working properly for the x500UniqueIdentifier attribute,
without any errors I can find during compile or in the content of the
resulting certificates.

Thank you very much for your assistance.

Lisa.


On Tue, 18 Jun 2019 at 12:30, Viktor Dukhovni <openssl-users at dukhovni.org>
wrote:

> On Tue, Jun 18, 2019 at 07:16:46AM -0700, Lisa Matias wrote:
>
> > If you look here:
> >
> > https://www.openssl.org/docs/man1.1.0/man3/X509_NAME_ENTRY_get_data.html
> >
> > It states:
> >
> > *X509_NAME_ENTRY_get_data() retrieves the field value of ne in
> > an ASN1_STRING structure.*
>
> Regardless of the entry type, the underlying value is always stored
> as an ASN.1 string.
>
>     struct X509_name_entry_st {
>         ASN1_OBJECT *object;        /* AttributeType */
>         ASN1_STRING *value;         /* AttributeValue */
>         int set;                    /* index of RDNSequence for this entry */
>         int size;                   /* temp variable */
>     };
>
> The flags you're looking for are associated with the ASN.1 string.
> To indicate that it is a bit-string you set:
>
>     value->flags |= ASN1_STRING_FLAG_BITS_LEFT | i;
>
> where "i" is the number of unused bits in the final octet.
>
> > Unfortunately this does not work for any non-string X.500 attributes such
> > as x500UniqueIdentifier which is defined as an ASN.1 BIT STRING.
>
> Actually, it does.
>
> --
>         Viktor.
>
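
The mechanics behind the flag, as an added example that is not part of this
thread or of OpenSSL's own code: a small stand-alone C model of how
i2d_ASN1_BIT_STRING turns the ASN1_STRING flags into the DER "unused bits"
octet. With ASN1_STRING_FLAG_BITS_LEFT set, the low three bits of flags (the
"i" above) are written out as given and the length is left alone; without it,
OpenSSL drops trailing zero bytes and counts the trailing zero bits of the
last remaining byte, which is why a fixed-width identifier that happens to end
in 0x00 would come out shorter than you stored it. The decoder reports the same
figures asn1parse prints (the "l= 16" above counts the unused-bits octet, so it
is 15 value bytes). The 15-byte identifier is constructed for the example; the
trimming rule is modelled on crypto/asn1/a_bitstr.c and the flag value 0x08
matches asn1.h in OpenSSL 1.1.1. No libcrypto is needed to build it.

```c
/* Added example, not from the thread or from OpenSSL: a model of how the
 * ASN1_STRING flags become the DER BIT STRING "unused bits" octet.
 * Assumptions: flag value and trimming rule follow crypto/asn1/a_bitstr.c
 * (1.1.1); the sample identifier below is constructed for the demo. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define ASN1_STRING_FLAG_BITS_LEFT 0x08   /* same value as OpenSSL's asn1.h */
#define TAG_BIT_STRING 0x03

/* Encode data[0..len) as a short-form DER BIT STRING into out (capacity cap).
 * If flags has ASN1_STRING_FLAG_BITS_LEFT set, the low 3 bits of flags are
 * emitted verbatim as the unused-bits octet and len is kept as is (the caller
 * is trusted). Otherwise trailing zero bytes are dropped and the unused-bits
 * count is the number of trailing zero bits in the last remaining byte.
 * Returns the encoded length, or 0 on error (content > 127 bytes unsupported). */
size_t der_encode_bit_string(const uint8_t *data, size_t len, unsigned flags,
                             uint8_t *out, size_t cap)
{
    unsigned unused = 0;
    if (flags & ASN1_STRING_FLAG_BITS_LEFT) {
        unused = flags & 0x07;
    } else {
        while (len > 0 && data[len - 1] == 0)   /* strip trailing zero bytes */
            len--;
        if (len > 0) {
            uint8_t last = data[len - 1];       /* non-zero, so loop ends */
            while (((last >> unused) & 1) == 0)
                unused++;
        }
    }
    if (len + 1 > 127 || cap < len + 3)
        return 0;
    out[0] = TAG_BIT_STRING;
    out[1] = (uint8_t)(len + 1);      /* content = unused-bits octet + data */
    out[2] = (uint8_t)unused;
    memcpy(out + 3, data, len);
    return len + 3;
}

/* Decode a short-form DER BIT STRING. Returns the number of bits it carries
 * (8 * value bytes - unused), or -1 if malformed. */
int der_decode_bit_string(const uint8_t *in, size_t in_len,
                          const uint8_t **bits, size_t *nbytes, unsigned *unused)
{
    if (in_len < 3 || in[0] != TAG_BIT_STRING || (in[1] & 0x80) || in[1] < 1)
        return -1;
    size_t content = in[1];
    if (in_len < 2 + content)
        return -1;
    *unused = in[2];
    if (*unused > 7 || (content == 1 && *unused != 0))
        return -1;                    /* an empty BIT STRING has 0 unused bits */
    *bits = in + 3;
    *nbytes = content - 1;
    return (int)(*nbytes * 8 - *unused);
}

/* Run the encoder on a constructed 15-byte identifier whose last byte is
 * zero, so the two flag paths give visibly different results. */
size_t encode_sample(unsigned flags, uint8_t *out, size_t cap)
{
    static const uint8_t sample_id[15] = {   /* constructed, not real data */
        0x3f, 0xa9, 0x11, 0x02, 0xde, 0xad, 0xbe, 0xef,
        0x55, 0x01, 0x9c, 0x7b, 0x08, 0x40, 0x00 };
    return der_encode_bit_string(sample_id, sizeof sample_id, flags, out, cap);
}

static void print_asn1parse_line(const uint8_t *der, size_t n)
{
    const uint8_t *bits; size_t nbytes; unsigned unused;
    int nbits = der_decode_bit_string(der, n, &bits, &nbytes, &unused);
    if (nbits < 0) { puts("bad BIT STRING"); return; }
    printf("hl=2 l=%3zu prim: BIT STRING  (%zu value bytes, %u unused bits, %d bits)\n",
           n - 2, nbytes, unused, nbits);
}

int main(void)
{
    uint8_t der[32];
    size_t n;
    n = encode_sample(ASN1_STRING_FLAG_BITS_LEFT | 0, der, sizeof der);
    print_asn1parse_line(der, n);   /* l= 16: 15 value bytes kept, 0 unused */
    n = encode_sample(0, der, sizeof der);
    print_asn1parse_line(der, n);   /* l= 15: trailing 0x00 dropped, 6 unused */
    return 0;
}
```

The flag path is the one Lisa's snippet takes: i is copied into the encoding
unchanged, so the caller has to make sure it really is the count of unused bits
in the last byte and that length is the full width of the identifier.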