How do you remove an extension from an X509?

旧城冷巷雨未停 submitted on 2019-12-14 02:32:15

Question


I am creating an API for modifying X509 certificates in C and I want to add a way to remove an extension (e.g. subjectNameAlt). How would I do this via the OpenSSL API?


Answer 1:


Paul's answer is freeing a pointer returned from X509_get_ext, which the documentation explicitly says not to do. As stated by the documentation:

X509v3_get_ext() [and X509_get_ext()] retrieves extension loc from x. The index loc can take any value from 0 to X509_get_ext_count(x) - 1. The returned extension is an internal pointer which must not be freed up by the application.

The correct way to free the extension is as follows.

int idx = X509_get_ext_by_NID( cert, nid, -1 ); //get the index
X509_EXTENSION *ext = X509_get_ext(cert, idx); //get the extension
if (ext != NULL){ //check that the extension was found
    X509_EXTENSION *tmp = X509_delete_ext(cert, idx); //delete the extension
    X509_EXTENSION_free(tmp); //free the memory
}



Answer 2:


You can use the X509_NAME_delete_entry() function for this:

X509_NAME_delete_entry() deletes an entry from name at position loc. The deleted entry is returned and must be freed up.

Man page: http://linux.die.net/man/3/x509_name_delete_entry

Edit:

To actually get and delete an extension, you can use the following function:

X509_EXTENSION *X509_delete_ext(X509 *x, int loc);

Example:

int idx = X509_get_ext_by_NID( cert, nid, -1 ); //get the index
X509_EXTENSION *ext = X509_get_ext(cert, idx); //get the extension
if (ext != NULL){ //check that the extension was found
    X509_delete_ext(cert, idx); //delete the extension
    X509_EXTENSION_free(ext); //free the memory
}


Source: https://stackoverflow.com/questions/15978758/how-do-you-remove-an-extension-from-an-x509
