openssl 3.0 - id2_x509() now fails

Ken Goldman kgoldman at us.ibm.com
Fri Aug 6 22:06:27 UTC 2021


On 8/6/2021 1:11 PM, Ken Goldman wrote:
> I have an application where I have to create a partial x509 certificate.  It gets sent to an HSM, which fills in the public key and signs it.
> 
> I was calling
> 
>      X509_new
>      X509_set_version
>      X509_set_issuer_name
>      X509_get_notBefore
>      X509_get_notAfter
>      X509_set_subject_name
>      X509_EXTENSION_create_by_OBJ
> 
> and then
>      i2d_x509
> to send the serialized partial certificate to the HSM.
> 
> This worked in 1.0.1, 1.0.2, 1.1.1, but fails in 3.0.0.
> 
> In debugging, even this fails.
> 
>      X509_new
>      i2d_x509
> 
> Suggestions?

Following up, I found that just omitting the signature from the
X509 structure causes i2d_x509 to fail.

I tried i2d_re_X509_tbs(), but it also failed.



More information about the openssl-users mailing list