How to set issuer name to x509_req type object


I am trying to sign an existing CSR using a CA certificate's private key, so I am planning to use the X509_REQ_sign() API. I have created an X509_REQ object by reading the CSR file. I have also extracted the subject name out of the CA certificate.

But I do not understand how I can set the issuer name on the X509_REQ object. I found that an API X509_set_issuer_name() exists, but it is for objects of type X509. Is there any similar API for the X509_REQ type as well? What is the easy way to sign an existing CSR using a CA certificate's private key? I have to do all of this using C++ code only.

Any suggestions please?


There are 1 best solutions below


Issuer name and information should be filled in by the issuing CA, not by the subject. Please refer to the structure of a CSR at https://www.rfc-editor.org/rfc/rfc2986#page-5.

As the issuer name is not present in the structure, you cannot set it. You can see the structure definition at https://github.com/openssl/openssl/blob/b69ae442a3b3e168d73c53dcd04bacf33eee8569/crypto/include/internal/x509_int.h

/* PKCS#10 certificate request */

struct X509_req_info_st {
    ASN1_ENCODING enc;          /* cached encoding of signed part */
    ASN1_INTEGER *version;      /* version, defaults to v1(0) so can be NULL */
    X509_NAME *subject;         /* certificate request DN */
    X509_PUBKEY *pubkey;        /* public key of request */
    /*
     * Zero or more attributes.
     * NB: although attributes is a mandatory field some broken
     * encodings omit it so this may be NULL in that case.
     */
    STACK_OF(X509_ATTRIBUTE) *attributes;
};

struct X509_req_st {
    X509_REQ_INFO req_info;     /* signed certificate request data */
    X509_ALGOR sig_alg;         /* signature algorithm */
    ASN1_BIT_STRING *signature; /* signature */
    CRYPTO_REF_COUNT references;
    CRYPTO_RWLOCK *lock;
};

As you can see, there is no issuer name in the request structure, so you cannot set it.