Example code to add several CRL distribution points


Example code to add several CRL distribution points

Dirk Menstermann
Hi,

can anybody share example code to add more than 1 CRL distribution point to a
certificate?

The below works only for one URI:

X509_EXTENSION *ext = X509V3_EXT_conf_nid (NULL, &v3ctx,
NID_crl_distribution_points, (char*) "URI:http://example.com/crl");
X509_add_ext (certificate, ext, -1);

Thanks a lot
Dirk
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Example code to add several CRL distribution points

Dave Coombs
Hi,

You can use X509V3_EXT_i2d(NID_crl_distribution_points, critical, sk) where sk is a STACK_OF(DIST_POINT) that you have previously filled with multiple URIs.

Cheers,
  -Dave


> On Nov 22, 2017, at 06:58, Dirk Menstermann <[hidden email]> wrote:
> Hi,
>
> can anybody share example code to add more than 1 CRL distribution point to a
> certificate?
>
> The below works only for one URI:
>
> X509_EXTENSION *ext = X509V3_EXT_conf_nid (NULL, &v3ctx,
> NID_crl_distribution_points, (char*) "URI:http://example.com/crl");
> X509_add_ext (certificate, ext, -1);
>
> Thanks a lot
> Dirk
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: Example code to add several CRL distribution points

Dirk Menstermann
Thanks Dave,

It seems that I do something wrong when filling the STACK_OF(DIST_POINT):

X509_NAME_ENTRY *nameEntry = X509_NAME_ENTRY_new();
X509_NAME_ENTRY_set_data (nameEntry, V_ASN1_IA5STRING /*MBSTRING_ASC*/, (const unsigned char*) "http://example.com/", 19);

STACK_OF (X509_NAME_ENTRY) *nameStack = sk_X509_NAME_ENTRY_new_null();
sk_X509_NAME_ENTRY_push (nameStack, nameEntry);

DIST_POINT *distPoint = DIST_POINT_new();
distPoint->distpoint = DIST_POINT_NAME_new();
distPoint->distpoint->name.relativename = nameStack;
distPoint->distpoint->type = 0;
                               
STACK_OF(DIST_POINT) *distPoints = sk_DIST_POINT_new_null();
sk_DIST_POINT_push (distPoints, distPoint);
X509_EXTENSION *ext = X509V3_EXT_i2d (NID_crl_distribution_points, 0, distPoints);
X509_add_ext (cert, ext, -1);
X509_EXTENSION_free (ext);

The extension will be added, but is empty.

Do you see where it breaks?
Dirk

On 22.11.2017 15:04, Dave Coombs wrote:
> You can use X509V3_EXT_i2d(NID_crl_distribution_points, critical, sk) where sk is a STACK_OF(DIST_POINT) that you have previously filled with multiple URIs.


Re: Example code to add several CRL distribution points

Dave Coombs
Hi Dirk,

First point: you are populating distpoint->name.relativename (which is a union member) but setting the discriminator distpoint->type to 0, which indicates to use fullname rather than relativename.  So your structure will not be interpreted correctly.

In any case, I think you want to populate fullname, instead of relativename.  You're using a url, not a relative DN.

Make a GENERAL_NAMES, and add to it a GENERAL_NAME whose type is GEN_URI, and whose value (as an IA5String) is the url you want, and then point distpoint->name.fullname at the GENERAL_NAMES.

And, as before, you can do this multiple times and add additional DIST_POINTs.

Good luck,
  -Dave


> On Nov 23, 2017, at 03:54, Dirk Menstermann <[hidden email]> wrote:
> Thanks Dave,
>
> It seems that I do something wrong when filling the STACK_OF(DIST_POINT):
>
> X509_NAME_ENTRY *nameEntry = X509_NAME_ENTRY_new();
> X509_NAME_ENTRY_set_data (nameEntry, V_ASN1_IA5STRING /*MBSTRING_ASC*/, (const
> unsigned char*) "http://example.com/", 19);
>
> STACK_OF (X509_NAME_ENTRY) *nameStack = sk_X509_NAME_ENTRY_new_null();
> sk_X509_NAME_ENTRY_push (nameStack, nameEntry);
>
> DIST_POINT *distPoint = DIST_POINT_new();
> distPoint->distpoint = DIST_POINT_NAME_new();
> distPoint->distpoint->name.relativename = nameStack;
> distPoint->distpoint->type = 0;
>
> STACK_OF(DIST_POINT) *distPoints = sk_DIST_POINT_new_null();
> sk_DIST_POINT_push (distPoints, distPoint);
> X509_EXTENSION *ext = X509V3_EXT_i2d (NID_crl_distribution_points, 0, distPoints);
> X509_add_ext (cert, ext, -1);
> X509_EXTENSION_free (ext);
>
> The extension will be added, but is empty.
>
> Do you see where it breaks?
> Dirk
>
> On 22.11.2017 15:04, Dave Coombs wrote:
>> You can use X509V3_EXT_i2d(NID_crl_distribution_points, critical, sk) where sk is a STACK_OF(DIST_POINT) that you have previously filled with multiple URIs.
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: Example code to add several CRL distribution points

Dirk Menstermann
Thanks a lot Dave. That helped.

Bye
Dirk

On 23.11.2017 18:04, Dave Coombs wrote:

> Hi Dirk,
>
> First point: you are populating distpoint->name.relativename (which is a union member) but setting the discriminator distpoint->type to 0, which indicates to use fullname rather than relativename.  So your structure will not be interpreted correctly.
>
> In any case, I think you want to populate fullname, instead of relativename.  You're using a url, not a relative DN.
>
> Make a GENERAL_NAMES, and add to it a GENERAL_NAME whose type is GEN_URI, and whose value (as an IA5String) is the url you want, and then point distpoint->name.fullname at the GENERAL_NAMES.
>
> And, as before, you can do this multiple times and add additional DIST_POINTs.
>
> Good luck,
>   -Dave
>
>
>> On Nov 23, 2017, at 03:54, Dirk Menstermann <[hidden email]> wrote:
>> Thanks Dave,
>>
>> It seems that I do something wrong when filling the STACK_OF(DIST_POINT):
>>
>> X509_NAME_ENTRY *nameEntry = X509_NAME_ENTRY_new();
>> X509_NAME_ENTRY_set_data (nameEntry, V_ASN1_IA5STRING /*MBSTRING_ASC*/, (const
>> unsigned char*) "http://example.com/", 19);
>>
>> STACK_OF (X509_NAME_ENTRY) *nameStack = sk_X509_NAME_ENTRY_new_null();
>> sk_X509_NAME_ENTRY_push (nameStack, nameEntry);
>>
>> DIST_POINT *distPoint = DIST_POINT_new();
>> distPoint->distpoint = DIST_POINT_NAME_new();
>> distPoint->distpoint->name.relativename = nameStack;
>> distPoint->distpoint->type = 0;
>>
>> STACK_OF(DIST_POINT) *distPoints = sk_DIST_POINT_new_null();
>> sk_DIST_POINT_push (distPoints, distPoint);
>> X509_EXTENSION *ext = X509V3_EXT_i2d (NID_crl_distribution_points, 0, distPoints);
>> X509_add_ext (cert, ext, -1);
>> X509_EXTENSION_free (ext);
>>
>> The extension will be added, but is empty.
>>
>> Do you see where it breaks?
>> Dirk
>>
>> On 22.11.2017 15:04, Dave Coombs wrote:
>>> You can use X509V3_EXT_i2d(NID_crl_distribution_points, critical, sk) where sk is a STACK_OF(DIST_POINT) that you have previously filled with multiple URIs.
>>
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
