OpenSSL x509 Certificate: Add Extension with X509_add1_ext_i2d()


Problem description

I'm generating an x509 Certificate using APIs in OpenSSL. I first create the X509 structure like this:

X509 *x509 = X509_new();   // Assume no errors


What I'm trying to do:

Now I want to add an extension to this Certificate. Specifically, I want to set the "Extended Key Usage" extension to the value serverAuth,clientAuth. To do this, I am attempting to use the OpenSSL function X509_add1_ext_i2d(), which has the following signature:

X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit, unsigned long flags)

I'm calling that function passing a C-String for value, which I assume is not correct. Here's the call I'm making:

X509_add1_ext_i2d(x509, NID_ext_key_usage, "serverAuth,clientAuth", 0, 0)


What's Happening:

I'm getting an EXC_BAD_ACCESS (code=EXC_i386_GPFLT) exception when that line of code runs. I'm assuming that's because the value I pass in has to be some sort of special thing (an octet string? Some sort of other OpenSSL value?)

What do I need to pass for the value parameter in order to correctly set that extension to the string value serverAuth,clientAuth? Or, alternately, why am I getting the listed exception? Note: If I remove this line and attempt to generate a certificate without extensions (with other properties such as Name, expiration date, etc. that I have excluded here for brevity) it works just fine.

I have spent an entire day pouring over OpenSSL's (ridiculously poor) documentation and Googling. Everything I can find discusses how to add extensions to certificates from the command line rather than in code. I cannot track down what the hell this function expects to see in the value parameter.

Recommended answer

After some more rooting around in OpenSSL's source, I stumbled across a function in the makecert.c example that also does this. I've cleaned it up slightly, and here it is. You pass in the NID of the extension you want to set and a simple string value for it. Very handy:

#include <openssl/x509.h>
#include <openssl/x509v3.h>

// BOOL, YES and NO are Objective-C's boolean type and constants (<objc/objc.h>);
// in plain C use int, 1 and 0 instead.
BOOL addExtension(X509 *cert, int nid, char *value)
{
    X509_EXTENSION *ex = NULL;
    X509V3_CTX ctx;

    // This sets the 'context' of the extensions. No configuration database
    X509V3_set_ctx_nodb(&ctx);

    // Issuer and subject certs: both the target since it is self signed, no request and no CRL
    X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0);

    // Parses the same value string the openssl command line accepts for this
    // extension (e.g. "serverAuth,clientAuth") into a DER-encoded extension
    ex = X509V3_EXT_conf_nid(NULL, &ctx, nid, value);
    if (!ex) {
        return NO;
    }

    // X509_add_ext() copies the extension into the certificate (-1 = append)
    // and returns 1 on success, 0 on failure
    int result = X509_add_ext(cert, ex, -1);

    X509_EXTENSION_free(ex);

    return (result == 1) ? YES : NO;
}
