On Tue, Sep 17, 2024 at 12:59:03AM +0200, Matěj Cepl wrote:

>     X509.new_extension('subjectKeyIdentifier', sub_key_id)
>     print('This next bit seq faults.')
>     X509.new_extension('authorityKeyIdentifier', 'keyid')

It would be helpful to post the code behind the `new_extension' method,

> X509.new_extension() is just a very thin layer over
> X509V3_EXT_conf()

That is, in more detail than the much too terse sentence above.

> and it seems that OpenSSL crashes in this
> function when it is called for the second time with the first
> parameter (`conf`) set to `NULL`.

The `conf` argument to this (deprecated legacy) function is expected to
be a parsed configuration (as an LHASH table), which in principle can be
filled in via, e.g.,

    LHASH_OF(CONF_VALUE) *CONF_load(LHASH_OF(CONF_VALUE) *conf, const char *file, long *eline)

however, that function expects you to pass in a (typically initially
empty) hash table, and here you're on your own:

    #include <openssl/conf.h>

    LHASH_OF(CONF_VALUE) *lh = lh_CONF_VALUE_new(<hash_func>, <cmp_func>);

so you'd need to provide the hash and comparison functions for a
CONF_VALUE...

But this is of course heading in the wrong direction. You should not be
using the never documented and deprecated X509V3_EXT_conf() in the first
place.

> Any idea what I am missing?

You can start by switching to X509V3_EXT_nconf(), which should tolerate
a NULL `conf` argument, if your extension is self-contained, and needs
no supporting configuration.

In some cases, you don't need either conf or nconf. For example:

    https://github.com/vdukhovni/postfix/blob/090083cc2fe397a8a1946b7bcbfa7a341d4b5595/postfix/src/tls/tls_dane.c#L1273-L1354

When you do need conf settings from some file, consider:

    https://github.com/openssl/openssl/blob/27abf142f640cf175e7690529660ebeb9a3875a9/apps/x509.c#L717-L731
    https://github.com/openssl/openssl/blob/27abf142f640cf175e7690529660ebeb9a3875a9/apps/lib/apps.c#L406-L421
    https://github.com/openssl/openssl/blob/27abf142f640cf175e7690529660ebeb9a3875a9/apps/lib/apps.c#L369-L393

Where the work is ultimately done by NCONF_new_ex() and NCONF_load_bio(),
with a suitable BIO open for the config file.

-- 
    Viktor.