Hi, I'm trying to add extension dirName to SAN in CSR programmatically. I started with the example code, mkreq.c, as basis. I then added some code for adding extension dirName to SAN. " X509V3_CTX CTX; X509V3_set_ctx_nodb(&CTX); X509V3_set_ctx(&CTX, 0, 0, x, 0, 0); X509V3_EXT_conf_nid(NULL, CTX, NID_subject_alt_name, "dirName:/C=UK/CN=OpenSSL Group")); " After initializing X509_REQ *x; The CSR is created. With SAN containing email but w/o dirName. I also added error prints and getting: " mkreq() add DirName extenion Got error: error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing value error code: 570904700 in /SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/x509v3/v3_alt.c line 433. Got error: error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension error code: 571048064 in /SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/x509v3/v3_conf.c line 93. error data: name=subjectAltName, value=digitalSignature,keyEncipherment Got error: error:2208E094:X509 V3 routines:X509V3_get_section:operation not defined error code: 571007124 in /SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/x509v3/v3_conf.c line 400. Got error: error:22090096:X509 V3 routines:DO_DIRNAME:section not found error code: 571015318 in /SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/x509v3/v3_alt.c line 571. error data: section=/C=UK/CN=OpenSSL Group Got error: error:22075095:X509 V3 routines:v2i_GENERAL_NAME_ex:dirname error error code: 570904725 in /SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/x509v3/v3_alt.c line 495. Got error: error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension error code: 571048064 in /SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/x509v3/v3_conf.c line 93. error data: name=subjectAltName, value=dirName:/C=UK/CN=OpenSSL Group " Reading the manual I understand I'm not supposed to dirName as simple type value pair (like DNS,IP etc) but rather "point to a section containing the distinguished name to use as a set of name value pairs" (quote manual). My question is whether my understanding is correct and if so how to perform that programmatically. Would greatly appreciate help on the matter. Thanks! Yosi For reference, skeleton of source code I'm testing: nt main(int argc, char **argv) { BIO *bio_err; X509_REQ *req=NULL; EVP_PKEY *pkey=NULL; CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); bio_err=BIO_new_fp(stderr, BIO_NOCLOSE); //loadconf(); mkreq(&req,&pkey,512,0,365); RSA_print_fp(stdout,pkey->pkey.rsa,0); X509_REQ_print_fp(stdout,req); PEM_write_X509_REQ(stdout,req); X509_REQ_free(req); EVP_PKEY_free(pkey); #ifndef OPENSSL_NO_ENGINE ENGINE_cleanup(); #endif CRYPTO_cleanup_all_ex_data(); CRYPTO_mem_leaks(bio_err); BIO_free(bio_err); return(0); } int mkreq(X509_REQ **req, EVP_PKEY **pkeyp, int bits, int serial, int days) { printf("mkreq() called \n"); X509_REQ *x; EVP_PKEY *pk; RSA *rsa; X509_NAME *name=NULL; STACK_OF(X509_EXTENSION) *exts = NULL; if ((pk=EVP_PKEY_new()) == NULL) goto err; if ((x=X509_REQ_new()) == NULL) goto err; rsa=RSA_generate_key(bits,RSA_F4,callback,NULL); if (!EVP_PKEY_assign_RSA(pk,rsa)) goto err; rsa=NULL; X509_REQ_set_pubkey(x,pk); name=X509_REQ_get_subject_name(x); /* This function creates and adds the entry, working out the * correct string type and performing checks on its length. * Normally we'd check the return value for errors... */ X509_NAME_add_entry_by_txt(name,"C", MBSTRING_ASC, "UK", -1, -1, 0); X509_NAME_add_entry_by_txt(name,"CN", MBSTRING_ASC, "OpenSSL Group", -1, -1, 0); #ifdef REQUEST_EXTENSIONS /* Certificate requests can contain extensions, which can be used * to indicate the extensions the requestor would like added to * their certificate. CAs might ignore them however or even choke * if they are present. */ /* For request extensions they are all packed in a single attribute. * We save them in a STACK and add them all at once later... */ exts = sk_X509_EXTENSION_new_null(); /* Standard extenions */ printf("mkreq() add 1st extenion \n"); add_ext(NULL, exts, NID_key_usage, "critical,digitalSignature,keyEncipherment"); /* This is a typical use for request extensions: requesting a value for * subject alternative name. */ printf("mkreq() add email extenion \n"); add_ext(NULL, exts, NID_subject_alt_name, "email:steve at openssl.org"); X509V3_CTX CTX; X509V3_set_ctx_nodb(&CTX); X509V3_set_ctx(&CTX, 0, 0, x, 0, 0); //add_ext(exts, NID_subject_alt_name, "DirName:/C=DE/O=Novell/OU=Security/CN=DUS-LAB-NPS"); printf("mkreq() add DirName extenion \n"); //add_ext(exts, NID_subject_alt_name, "DirName:/CN=DUS-LAB-NPS"); add_ext(&CTX, exts, NID_subject_alt_name, "dirName:/C=UK/CN=OpenSSL Group"); printf("mkreq() added DirName extenion \n"); print_errors(); /* Some Netscape specific extensions */ add_ext(NULL, exts, NID_netscape_cert_type, "client,email"); #ifdef CUSTOM_EXT /* Maybe even add our own extension based on existing */ { int nid; nid = OBJ_create("1.2.3.4", "MyAlias", "My Test Alias Extension"); X509V3_EXT_add_alias(nid, NID_netscape_comment); add_ext(NULL, x, nid, "example comment alias"); } #endif /* Now we've created the extensions we add them to the request */ X509_REQ_add_extensions(x, exts); sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); #endif if (!X509_REQ_sign(x,pk,EVP_sha1())) goto err; *req=x; *pkeyp=pk; return(1); err: return(0); } /* Add extension using V3 code: we can set the config file as NULL * because we wont reference any other sections.v3_alt.c */ int add_ext(X509V3_CTX * CTX, STACK_OF(X509_EXTENSION) *sk, int nid, char *value) { X509_EXTENSION *ex; //ex = X509V3_EXT_conf_nid(NULL, CTX, nid, value); char *name = "subjectAltName"; ex = X509V3_EXT_conf(NULL, CTX, name, value); if (!ex) return 0; sk_X509_EXTENSION_push(sk, ex); return 1; } -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150506/9d3a333f/attachment-0001.html>