On Tue, Sep 22, 2015 at 09:22:09AM -0400, Ken Goldman wrote:

> 1 - Am I correct that "data" points to the internal structure, and so "skid"
> should not be freed until I'm done with "data"?

Correct.  The "data" element is part of the ASN1_STRING (of type
ASN1_OCTET_STRING).

> 2 - For my education, I thought that d2i calls converted from DER to openssl
> internal format.  Yet, the input "subject" is an X509*, the internal format.

While the certificate object is already decoded, its extensions are not;
they are stored in DER form, and you need to extract them via suitable
decoding routines.

> 3 - Are these calls documented?  They're not in my usual starting point
>
> https://www.openssl.org/docs/man1.0.1/crypto/
>
> nor are they on the X509 page.

Sadly, they're not.  Please open a ticket that requests these be
documented.  There's a tiny example in doc/HOWTO/proxy_certificates.txt
but it does not amount to documentation of the interface.  If you're
really feeling generous, write the document.

The underlying interface is in crypto/x509v3/v3_lib.c:

    /*-
     * Get critical flag and decoded version of extension from a NID.
     * The "idx" variable returns the last found extension and can
     * be used to retrieve multiple extensions of the same NID.
     * However multiple extensions with the same NID is usually
     * due to a badly encoded certificate so if idx is NULL we
     * choke if multiple extensions exist.
     * The "crit" variable is set to the critical value.
     * The return value is the decoded extension or NULL on
     * error. The actual error can have several different causes,
     * the value of *crit reflects the cause:
     * >= 0, extension found but not decoded (reflects critical value).
     * -1 extension not found.
     * -2 extension occurs more than once.
     */
    void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
                         int *idx)

Only certain "standard" extensions have default "d2i" methods.
The list is in:

    static const X509V3_EXT_METHOD *standard_exts[]

in the same file, but some legacy NetScape extensions are defined in
crypto/x509v3/v3_ia5.c:

    const X509V3_EXT_METHOD v3_ns_ia5_list[]

-- 
	Viktor.