Fixed the x509 certificate created during generation to comply with the stricter rules of OpenSSL 1.0.1i.
Alessio Di Mauro
2015-08-26 10:54:27 -04:00
parent f776ac58a3
commit 5f306a8d1c
+10 -1
@@ -132,7 +132,6 @@ CK_RV do_create_empty_cert(CK_BYTE_PTR in, CK_ULONG in_len, CK_BBOOL is_rsa, CK_
if (X509_set_pubkey(cert, key) == 0) // TODO: there is also X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey);
goto create_empty_cert_cleanup;
// TODO: add more info like issuer?
tm = ASN1_TIME_new();
if (tm == NULL)
goto create_empty_cert_cleanup;
@@ -141,6 +140,16 @@ CK_RV do_create_empty_cert(CK_BYTE_PTR in, CK_ULONG in_len, CK_BBOOL is_rsa, CK_
X509_set_notBefore(cert, tm);
X509_set_notAfter(cert, tm);
// Manually set the signature algorithms.
// OpenSSL 1.0.1i complains about empty DER fields
// 8 => md5WithRsaEncryption
cert->sig_alg->algorithm = OBJ_nid2obj(8);
cert->cert_info->signature->algorithm = OBJ_nid2obj(8);
// Manually set a signature (same reason as before)
ASN1_BIT_STRING_set_bit(cert->signature, 8, 1);
ASN1_BIT_STRING_set(cert->signature, "\x00", 1);
len = i2d_X509(cert, NULL);
if (len < 0)
goto create_empty_cert_cleanup;
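Review bot: The new calls that fill in the signature fields in the second hunk ignore their results, while the neighbouring X509_set_pubkey, ASN1_TIME_new and i2d_X509 calls all jump to create_empty_cert_cleanup on failure; `OBJ_nid2obj` can return NULL and `ASN1_BIT_STRING_set` returns 0 when its allocation fails, so a failure here is carried straight into `i2d_X509`. I would check them, e.g. `if (ASN1_BIT_STRING_set(cert->signature, (unsigned char *)"\x00", 1) == 0) goto create_empty_cert_cleanup;`, and replace the literal 8 with `NID_md5WithRSAEncryption` so the algorithm is named in code rather than only in a comment. As far as the hunk shows, the RSA identifier is written regardless of is_rsa, and MD5-based signature algorithms are something stricter verifiers reject, so the comment should state plainly that this is a placeholder certificate whose one-byte signature is never meant to verify; if the filler value is free to choose, `NID_sha256WithRSAEncryption` would be the less surprising one. The function starts before and ends after the visible hunks.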