2

I am new to openssl. I am trying to implement the program to generate CSR using openssl and c++. I need to implement the following commands using C++.

```
openssl req -new -newkey rsa:1024 -nodes -keyout key.pem -out x509Req.pem
```

I have tried a sample code from the tutorial http://www.codepool.biz/how-to-use-openssl-to-generate-x-509-certificate-request.html

```cpp
#include <openssl/bio.h>
#include <openssl/bn.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/rsa.h>
#include <openssl/x509.h>

bool gen_X509Req()
{
    int             ret = 0;
    RSA             *r = NULL;
    BIGNUM          *bne = NULL;

    int             nVersion = 1;
    int             bits = 2048;
    unsigned long   e = RSA_F4;

    X509_REQ        *x509_req = NULL;
    X509_NAME       *x509_name = NULL;
    EVP_PKEY        *pKey = NULL;
    RSA             *tem = NULL;
    BIO             *out = NULL, *bio_err = NULL;

    const char      *szCountry = "CA";
    const char      *szProvince = "BC";
    const char      *szCity = "Vancouver";
    const char      *szOrganization = "Dynamsoft";
    const char      *szCommon = "localhost";

    const char      *szPath = "x509Req.pem";

    // 1. generate rsa key
    bne = BN_new();
    ret = BN_set_word(bne, e);
    if (ret != 1) {
        goto free_all;
    }

    r = RSA_new();
    ret = RSA_generate_key_ex(r, bits, bne, NULL);
    if (ret != 1) {
        goto free_all;
    }

    // 2. set version of x509 req
    x509_req = X509_REQ_new();
    ret = X509_REQ_set_version(x509_req, nVersion);
    if (ret != 1) {
        goto free_all;
    }

    // 3. set subject of x509 req
    x509_name = X509_REQ_get_subject_name(x509_req);

    ret = X509_NAME_add_entry_by_txt(x509_name, "C", MBSTRING_ASC, (const unsigned char*)szCountry, -1, -1, 0);
    if (ret != 1) {
        goto free_all;
    }

    ret = X509_NAME_add_entry_by_txt(x509_name, "ST", MBSTRING_ASC, (const unsigned char*)szProvince, -1, -1, 0);
    if (ret != 1) {
        goto free_all;
    }

    ret = X509_NAME_add_entry_by_txt(x509_name, "L", MBSTRING_ASC, (const unsigned char*)szCity, -1, -1, 0);
    if (ret != 1) {
        goto free_all;
    }

    ret = X509_NAME_add_entry_by_txt(x509_name, "O", MBSTRING_ASC, (const unsigned char*)szOrganization, -1, -1, 0);
    if (ret != 1) {
        goto free_all;
    }

    ret = X509_NAME_add_entry_by_txt(x509_name, "CN", MBSTRING_ASC, (const unsigned char*)szCommon, -1, -1, 0);
    if (ret != 1) {
        goto free_all;
    }

    // 4. set public key of x509 req
    pKey = EVP_PKEY_new();
    EVP_PKEY_assign_RSA(pKey, r);
    r = NULL;   // the RSA key is now owned by pKey and is freed by EVP_PKEY_free(pKey)

    ret = X509_REQ_set_pubkey(x509_req, pKey);
    if (ret != 1) {
        goto free_all;
    }

    // 5. set sign key of x509 req
    ret = X509_REQ_sign(x509_req, pKey, EVP_sha1());    // returns the signature length on success
    if (ret <= 0) {
        goto free_all;
    }

    out = BIO_new_file(szPath, "w");
    if (out == NULL) {      // the output file could not be opened
        ret = 0;
        goto free_all;
    }
    ret = PEM_write_bio_X509_REQ(out, x509_req);

    // 6. free
free_all:
    X509_REQ_free(x509_req);
    BIO_free_all(out);

    EVP_PKEY_free(pKey);
    RSA_free(r);            // non-NULL only if we failed before pKey took ownership
    BN_free(bne);

    return (ret == 1);
}
```

It is able to create the x509Req.pem file, but when I open it in Linux with file open, it shows the error "Could not display 'x509Req.pem' Reason: Unrecognized or unsupported data." Could anyone please tell me how to solve this error, or point me to any other tutorials on generating a CSR using C++ and OpenSSL?


Thanks in advance.

Kumar
  • This probably belongs on stackoverflow. – Peter Harmann Apr 29 '18 at 13:15
  • Thanks for the suggestion, but I already posted in there, but nobody gave me the reply. I was hoping that I could get one here. – Kumar Apr 29 '18 at 13:20
  • @Kumar: I also agree that this is off-topic. A reason why you might get no answer is that the information you provide is not sufficient for somebody to reproduce your problem, since the code is not complete enough to compile (but still minimal) and the error description is unclear (*"...but it is showing the error..."* - where is this shown?). – Steffen Ullrich Apr 29 '18 at 13:41
  • Sorry for the unclear description, I have edited a bit. The code is from a tutorial from the [Tutorial link](http://www.codepool.biz/how-to-use-openssl-to-generate-x-509-certificate-request.html). It can generate the CSR file, but when I open the CSR file (x509Req.pem) in Linux, it shows the error "Could not display 'x509Req.pem' Reason: Unrecognized or unsupported data.". I hope this is helpful to understand my problem. – Kumar Apr 29 '18 at 13:56
  • @Kumar: The code works as intended. The only problem is probably that you don't know what to actually do with the created CSR and instead expect some magic to occur when doing your unspecific *"...when I open the csr file"*. Use for example `openssl req -in x509Req.pem -text` to get the contents of the certificate request. – Steffen Ullrich Apr 29 '18 at 14:06
  • @Ullrich. When I want to see the data that I entered in a GUI window in Linux, it shows the error. Please refer to the error image, which I have newly added above. With the regular commands from openssl, `openssl req -new -newkey rsa:1024 -nodes -keyout key.pem -out x509Req.pem`, after the file is created, we can see the data with the GUI in Linux without any error. I thought the file from the code was also supposed to be shown like that. Correct me if I am wrong. – Kumar Apr 29 '18 at 14:13

1 Answer

3

If you compare the output from `openssl req -in yourcsr.pem -text` with a CSR created by the usual openssl commands, you will find that the version is shown as 1 in your CSR while it is 0 in the usual CSR:

```
Certificate Request:
    Data:
        Version: 1 (0x1)
```

This is due to the following code:

```
int             nVersion = 1;
...
ret = X509_REQ_set_version(x509_req, nVersion);
```

Looking at the Wikipedia page for CSR you will find that:

> The first part, ASN.1 type CertificationRequestInfo, consists of a version number (which is 0 for all known versions, 1.0, 1.5, and 1.7 of the specifications)

Modifying your code to set `nVersion=0` will result in a proper CSR which can also be successfully opened by the viewer you use. It looks like the viewer is an application which tries to adhere to the specification, while other CSR reading programs simply ignore the version number since it does not provide any necessary information (should be 0 in all cases).

Steffen Ullrich
  • @Ullrich. Thank you so much for your help. It works fine. Still I need to learn a lot about. – Kumar Apr 29 '18 at 20:05
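
The version check the answer describes, as an added example that is not part of the original question or answer: a small C++ DER walker that reads the version INTEGER at the start of a PKCS#10 request and accepts only 0, without using OpenSSL. The function names and the sample bytes are constructed for illustration, and the input is assumed to be the DER encoding (the PEM body after base64 decoding).

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Reads one DER tag+length header at buf[pos]. On success pos points at the
// content and len holds its length. Returns false on malformed input.
static bool read_header(const std::vector<uint8_t>& buf, size_t& pos,
                        uint8_t expected_tag, size_t& len) {
    if (pos + 2 > buf.size() || buf[pos] != expected_tag) return false;
    uint8_t first = buf[pos + 1];
    pos += 2;
    if (first < 0x80) {
        len = first;                          // short form
    } else {
        size_t n = first & 0x7F;              // long form: n length octets
        if (n == 0 || n > 4 || pos + n > buf.size()) return false;
        len = 0;
        for (size_t i = 0; i < n; ++i) len = (len << 8) | buf[pos++];
    }
    return len <= buf.size() - pos;           // content must fit in the buffer
}

// Returns the CertificationRequestInfo version, or -1 if the buffer is not a
// well-formed start of a PKCS#10 request.
long csr_version(const std::vector<uint8_t>& der) {
    size_t pos = 0, len = 0;
    if (!read_header(der, pos, 0x30, len)) return -1;  // CertificationRequest
    if (!read_header(der, pos, 0x30, len)) return -1;  // CertificationRequestInfo
    if (!read_header(der, pos, 0x02, len)) return -1;  // version INTEGER
    if (len == 0 || len > 4 || (der[pos] & 0x80)) return -1;  // empty, oversized or negative
    long v = 0;
    for (size_t i = 0; i < len; ++i) v = (v << 8) | der[pos + i];
    return v;
}

// A strict consumer accepts only version 0, the single value the spec defines.
bool csr_version_is_valid(const std::vector<uint8_t>& der) { return csr_version(der) == 0; }

// Constructed sample: only the leading fields of a request, not a real CSR.
std::vector<uint8_t> sample_csr_prefix(uint8_t version) {
    return {0x30, 0x07,            // CertificationRequest SEQUENCE
            0x30, 0x05,            //   CertificationRequestInfo SEQUENCE
            0x02, 0x01, version,   //     version INTEGER
            0x30, 0x00};           //     subject Name (empty placeholder)
}

int main() {
    std::printf("version 0 accepted: %d\n", csr_version_is_valid(sample_csr_prefix(0)));
    std::printf("version 1 accepted: %d\n", csr_version_is_valid(sample_csr_prefix(1)));
    return 0;
}
```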