On Fri, 2021-08-06 at 18:06 -0400, Ken Goldman wrote:
> On 8/6/2021 1:11 PM, Ken Goldman wrote:
> > I have an application where I have to create a partial x509
> > certificate. It gets sent to an HSM, which fills in the public key
> > and signs it.
> >
> > I was calling
> >
> > X509_new
> > X509_set_version
> > X509_set_issuer_name
> > X509_get_notBefore
> > X509_get_notAfter
> > X509_set_subject_name
> > X509_EXTENSION_create_by_OBJ
> >
> > and then
> >
> > i2d_x509
> >
> > to send the serialized partial certificate to the HSM.
> >
> > This worked in 1.0.1, 1.0.2, 1.1.1, but fails in 3.0.0.
> >
> > In debugging, even this fails.
> >
> > X509_new
> > i2d_x509
> >
> > Suggestions?
>
> Following up, I found that just omitting the signature from the
> X509 structure causes i2d_x509 to fail.
>
> I tried i2d_re_X509_tbs(), but it also failed.

I am afraid with the current 3.0 codebase there are not many options for how to work around this, apart from signing the certificate with a bogus key, if the HSM is able to re-sign such a certificate.

Another (more complicated) option would be to define your own ASN.1 X509 structure where the signature would be optional, and thus the stricter encoder that is now in the 3.0 codebase would allow encoding the incomplete certificate.

--
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]