This (of course) worked. I have three further questions.

1 - Am I correct that "data" points to the internal structure, and so "skid" should not be freed until I'm done with "data"?

2 - For my education, I thought that d2i calls converted from DER to openssl internal format. Yet, the input "subject" is an X509*, the internal format.

3 - Are these calls documented? They're not in my usual starting point https://www.openssl.org/docs/man1.0.1/crypto/ nor are they on the X509 page.

On 9/22/2015 1:25 AM, Viktor Dukhovni wrote:
> On Mon, Sep 21, 2015 at 06:29:02PM -0400, Ken Goldman wrote:
>
>> How can I programmatically get the Subject Key Identifier as a byte array
>> from an X509 certificate.
>
> Unless I'm mistaken:
>
>     size_t len;
>     unsigned char *data;
>     ASN1_OCTET_STRING *skid;
>
>     skid = X509_get_ext_d2i(subject, NID_subject_key_identifier, NULL, NULL);
>     len = ASN1_STRING_length(skid);
>     data = ASN1_STRING_data(skid);
>
>     ... Take unspeakable liberties with "data" and "len" ...
>
>     ASN1_OCTET_STRING_free(skid);
>
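An added example, not part of the original messages and not OpenSSL code: a parsed certificate still holds each extension value as DER bytes, and for the Subject Key Identifier that DER is a single OCTET STRING, so the d2i step decodes it into a newly allocated object whose buffer dies with it. The sketch below mirrors that ownership with a hypothetical `octet_string` type and hypothetical helpers `decode_octet_string` and `skid_copy`; the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for ASN1_OCTET_STRING: a heap object owning its bytes. */
typedef struct { size_t length; unsigned char *data; } octet_string;

void octet_string_free(octet_string *s) { if (s) { free(s->data); free(s); } }

/* Constructed sample: DER held in the extension value, 04 14 + 20 id bytes. */
static const unsigned char SAMPLE_SKID_DER[22] = { 0x04, 0x14,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20 };

/* Decode one DER OCTET STRING spanning all of der; caller frees the result. */
octet_string *decode_octet_string(const unsigned char *der, size_t der_len) {
    size_t pos = 0;
    if (der == NULL || der_len < 2 || der[pos++] != 0x04) return NULL;
    size_t len = der[pos++];                /* short form unless bit 7 is set */
    if (len >= 0x80) {
        size_t n = len & 0x7f;              /* long form: n length bytes follow */
        if (n == 0 || n > sizeof(size_t) || n > der_len - pos) return NULL;
        if (der[pos] == 0) return NULL;     /* non-minimal length encoding */
        for (len = 0; n > 0; n--) len = (len << 8) | der[pos++];
        if (len < 0x80) return NULL;        /* DER demands the short form here */
    }
    if (len != der_len - pos) return NULL;  /* truncated or trailing bytes */
    octet_string *s = malloc(sizeof *s);
    if (s == NULL) return NULL;
    s->data = malloc(len ? len : 1);
    if (s->data == NULL) { free(s); return NULL; }
    memcpy(s->data, der + pos, len);
    s->length = len;
    return s;
}

/* Copy the identifier out so it outlives the decoded object; 0 means failure. */
size_t skid_copy(const unsigned char *ext, size_t ext_len,
                 unsigned char *out, size_t out_cap) {
    octet_string *skid = decode_octet_string(ext, ext_len);
    size_t n = 0;
    if (skid != NULL && skid->length <= out_cap) {
        memcpy(out, skid->data, skid->length);
        n = skid->length;
    }
    octet_string_free(skid);  /* skid->data is invalid from here; out is not */
    return n;
}

int main(void) {  /* exit status 0 when the sample yields a 20-byte identifier */
    unsigned char id[32];
    return skid_copy(SAMPLE_SKID_DER, sizeof SAMPLE_SKID_DER, id, sizeof id) != 20;
}
```

The NULL check before the length and data are read matters for the same reason it would with the real call: a certificate without the extension, or with a malformed one, produces no object to read from.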