Setter methods for X509_REQ signature attributes


OpenSSL - User mailing list
Hello,

I want to use OpenSSL to create an X509 request where the signature has
been calculated by an external device (ATMEL ATECC508A).  With OpenSSL
1.0 I used

        X509_REQ *req;
        X509_ALGOR *algor;

        req = X509_REQ_new();

        /* signature algorithm: ecdsa-with-SHA256, no parameters */
        algor = X509_ALGOR_new();
        algor->algorithm = OBJ_nid2obj(NID_ecdsa_with_SHA256);
        X509_ALGOR_free(req->sig_alg);
        req->sig_alg = algor;

        /* DER-encoded signature from the device, stored with 0 unused bits */
        ASN1_BIT_STRING_set(req->signature, asn1sig, asn1len);
        req->signature->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
        req->signature->flags |= ASN1_STRING_FLAG_BITS_LEFT;


How can I port this code to OpenSSL 1.1?  There do not seem to exist
setter methods for 'sig_alg' or 'signature'.

I could use X509_REQ_get0_signature(), cast away the 'const' from the
returned pointers and modify them.  But this would be hacky and not
portable.

What is the recommended way to create an X509 REQ with OpenSSL 1.1 when
all the crypto has been done in the outside and I need only the ASN.1
structure?

Would it be possible to add setter methods for 'sig_alg' and 'signature'?


Thanks
Enrico

Re: Setter methods for X509_REQ signature attributes

Viktor Dukhovni
On Thu, Apr 04, 2019 at 01:26:01PM +0200, Enrico Scholz via openssl-users wrote:

> What is the recommended way to create an X509 REQ with OpenSSL 1.1 when
> all the crypto has been done in the outside and I need only the ASN.1
> structure?

See also the related:

        https://github.com/openssl/openssl/issues/8553
        https://github.com/openssl/openssl/issues/8514
        http://openssl.6102.n7.nabble.com/i2d-X509-REQ-gt-d2i-X509-REQ-asn1-encoding-routines-c2i-ASN1-OBJECT-invalid-object-encoding-a-object7-td76251.html

> Would it be possible to add setter methods for 'sig_alg' and 'signature'?

New setter methods are probably needed.  For now all you can do is
obtain the DER encoding of the X509_REQ_INFO, and create from it the
DER encoding of the enclosing X509_REQ, by prepending a sequence
tag and length, and appending the signature OID, any parameters and
signature.  You can then, if desired, recover an X509_REQ object
via d2i_X509_REQ.

--
        Viktor.
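The assembly Viktor describes, written out as an added example (not code from the thread or from OpenSSL): it builds the outer CertificationRequest SEQUENCE from the DER of the X509_REQ_INFO, a DER AlgorithmIdentifier and the signature, in plain C so it runs without libcrypto. It assumes the caller obtains the tbs bytes with i2d_re_X509_REQ_tbs() in 1.1 and hands the result to d2i_X509_REQ(); the sample inputs are constructed, not a real request.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* DER length (short or long form): writes to out if non-NULL, returns octet count. */
size_t der_len(uint8_t *out, size_t len) {
    size_t n = 0, t = len;
    if (len < 0x80) { if (out) out[0] = (uint8_t)len; return 1; }
    while (t) { n++; t >>= 8; }
    if (!out) return 1 + n;
    out[0] = (uint8_t)(0x80 | n);
    for (size_t i = 0; i < n; i++) out[1 + i] = (uint8_t)(len >> (8 * (n - 1 - i)));
    return 1 + n;
}
/* CertificationRequest ::= SEQUENCE { tbs, sigAlg, BIT STRING sig }
 *  tbs: DER CertificationRequestInfo (OpenSSL 1.1: i2d_re_X509_REQ_tbs); alg: DER AlgorithmIdentifier
 *  sig: BIT STRING payload; for ECDSA this is the DER ECDSA-Sig-Value SEQUENCE { r, s },
 *       not the raw r||s a device such as the ATECC508A returns
 * out == NULL queries the size; returns 0 if cap is too small. */
size_t der_wrap_csr(uint8_t *out, size_t cap, const uint8_t *tbs, size_t tbs_len,
                    const uint8_t *alg, size_t alg_len, const uint8_t *sig, size_t sig_len) {
    size_t bits = 1 + sig_len;                        /* unused-bits octet + sig */
    size_t body = tbs_len + alg_len + 1 + der_len(NULL, bits) + bits;
    size_t total = 1 + der_len(NULL, body) + body;
    uint8_t *p = out;
    if (!out) return total;
    if (cap < total) return 0;
    *p++ = 0x30; p += der_len(p, body);               /* outer SEQUENCE */
    memcpy(p, tbs, tbs_len); p += tbs_len;
    memcpy(p, alg, alg_len); p += alg_len;
    *p++ = 0x03; p += der_len(p, bits); *p++ = 0x00;  /* BIT STRING, 0 unused bits */
    memcpy(p, sig, sig_len); p += sig_len;
    return (size_t)(p - out);
}
/* AlgorithmIdentifier for ecdsa-with-SHA256 (1.2.840.10045.4.3.2), no parameters. */
const uint8_t ECDSA_SHA256_ALG[] = {0x30,0x0a,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x04,0x03,0x02};
/* Constructed sample: stand-in tbs SEQUENCE { INTEGER 0 }, ECDSA-Sig-Value r=1, s=2. */
const uint8_t SAMPLE_TBS[] = {0x30,0x03,0x02,0x01,0x00};
const uint8_t SAMPLE_SIG[] = {0x30,0x06,0x02,0x01,0x01,0x02,0x01,0x02};
const uint8_t SAMPLE_CSR[] = {0x30,0x1c, 0x30,0x03,0x02,0x01,0x00,
    0x30,0x0a,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x04,0x03,0x02,
    0x03,0x09,0x00, 0x30,0x06,0x02,0x01,0x01,0x02,0x01,0x02};
/* 1 if wrapping the sample reproduces SAMPLE_CSR byte for byte. */
int der_wrap_csr_selftest(void) {
    uint8_t buf[64];
    size_t n = der_wrap_csr(buf, sizeof buf, SAMPLE_TBS, sizeof SAMPLE_TBS,
                            ECDSA_SHA256_ALG, sizeof ECDSA_SHA256_ALG, SAMPLE_SIG, sizeof SAMPLE_SIG);
    return n == sizeof SAMPLE_CSR && memcmp(buf, SAMPLE_CSR, n) == 0;
}
```

The zero unused-bits octet is what the 1.0 flag juggling on req->signature produced; a device that returns raw r||s still needs the r and s values wrapped into the ECDSA-Sig-Value SEQUENCE first.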