how to set flags in X509_NAME_ENTRY in OpenSSL 1.1.1

Viktor Dukhovni openssl-users at
Tue Jun 18 21:43:16 UTC 2019

On Tue, Jun 18, 2019 at 02:27:30PM -0700, Lisa Matias wrote:

> Sorry, I was just frustrated that the changes to OpenSSL 1.1.1 broke code
> which worked for nearly 15 years, by denying access to previously
> accessible C structs.

Those changes are needed to make sure that future changes in the
internals DO NOT break your code.  The internal data layout would
ideally not have been exposed the first place, but my time-machine
is out of order...

> Are you sure that the ASN.1 BIT STRING value is really stored as an ASN.1
> STRING in a X500_NAME_ENTRY, when it is a binary value and not a text value?

Yes, it is stored as ASN.1 string, which is just a buffer with a length,
but also has:

    struct asn1_string_st {
	int length;
	int type;
	unsigned char *data;
	 * The value of the following field depends on the type being held.  It
	 * is mostly being used for BIT_STRING so if the input data has a
	 * non-zero 'unused bits' value, it will be handled correctly
	long flags;

a type field (the NID for the associated OID) and flags as noted
in the comment.

> Regardless, I did try this as you helpfully suggested:
> (X509_NAME_ENTRY_get_data (nameEntry)->flags) |=
> And it seems to be working properly for x500UniqueIdentifer attribute,
> without any errors I can find during compile or in the content of the
> resulting certificates.
> Thank you very much for your assistance.

You're welcome, that is the correct technique at present.  We should
perhaps provide getter/setter functions for the flags, or perhaps
even a specific function for indicating the value is a bitstring,
and how many bits it holds.  For now the ASN.1 string is not an
opaque structure.


More information about the openssl-users mailing list