Re: NULL first parameter of X509V3_EXT_conf?

On Tue, Sep 17, 2024 at 12:59:03AM +0200, Matěj Cepl wrote:

>     X509.new_extension('subjectKeyIdentifier', sub_key_id)
>     print('This next bit seq faults.')
>     X509.new_extension('authorityKeyIdentifier', 'keyid')

It would be helpful to post the code behind the `new_extension' method,

> X509.new_extension() is just a very thin layer over
> X509V3_EXT_conf()

That is, in more detail than the much too terse sentence above.

> and it seems that OpenSSL crashes in this
> function when it is called for the second time with the first
> parameter (`conf`) set to `NULL`.

The `conf` argument to this (deprecated legacy) function is expected to
be a parsed configuration (as an LHASH table), which in principle can be
filled in via, e.g.,

    LHASH_OF(CONF_VALUE) *CONF_load(LHASH_OF(CONF_VALUE) *conf, const char *file,
                                    long *eline)

however, that function expects you to pass in a (typically initially
empty) hash table, and here you're on your own:

    #include <openssl/conf.h>

    LHASH_OF(CONF_VALUE) *lh = lh_CONF_VALUE_new(<hash_func>, <cmp_func>);

so you'd need to provide the hash and comparison functions for a
CONF_VALUE...

But this is of course heading in the wrong direction.  You should not be
using the never documented and deprecated X509V3_EXT_conf() in the first
place.

> Any idea what I am missing?

You can start by switching to X509V3_EXT_nconf(), which should tolerate
a NULL `conf` argument, if your extension is self-contained, and needs
no supporting configuration.

In some cases, you don't need either conf or nconf.  For example:

    https://github.com/vdukhovni/postfix/blob/090083cc2fe397a8a1946b7bcbfa7a341d4b5595/postfix/src/tls/tls_dane.c#L1273-L1354

When you do need conf settings from some file, consider:

    https://github.com/openssl/openssl/blob/27abf142f640cf175e7690529660ebeb9a3875a9/apps/x509.c#L717-L731
    https://github.com/openssl/openssl/blob/27abf142f640cf175e7690529660ebeb9a3875a9/apps/lib/apps.c#L406-L421
    https://github.com/openssl/openssl/blob/27abf142f640cf175e7690529660ebeb9a3875a9/apps/lib/apps.c#L369-L393

Where the work is ultimately done by NCONF_new_ex() and
NCONF_load_bio(), with a suitable BIO open for the config file.

-- 
    Viktor.
