Peter Onion wrote:
>
> I need to check if a certificate is marked for a particular key usage.
>
> I can get the extension and dump (as text) its contents. I've looked at how the
> string name for each bit in the extension is found in the function
> i2v_ASN1_BIT_STRINGS() but I can't see any definitions for functions that
> would allow me to easily check if a particular bit is set, or for
> symbolic definitions of the bits.
>
The usual way is to call the extension routines to decode the extension:

    ASN1_BIT_STRING *keyusage;
    keyusage = X509_get_ext_d2i(cert, NID_key_usage, NULL, NULL);

keyusage is NULL if it can't find or can't decode the extension.
Then you can call:

    ASN1_BIT_STRING_get_bit(keyusage, bitnum);

There aren't any constants currently defined for 'bitnum'.

Alternatively you can mess around with the cached data in the X509
structure. If you want to do that then call:

    X509_check_purpose(cert, -1, 0); /* Ensures information is up to date */

then (cert->ex_flags & EXFLAG_KUSAGE) will tell you if key usage is
present and (cert->ex_kusage & USAGE) will tell you if the bit is set.
Various constants for ex_kusage:

    #define KU_DIGITAL_SIGNATURE 0x0080
    #define KU_NON_REPUDIATION   0x0040
    #define KU_KEY_ENCIPHERMENT  0x0020
    #define KU_DATA_ENCIPHERMENT 0x0010
    #define KU_KEY_AGREEMENT     0x0008
    #define KU_KEY_CERT_SIGN     0x0004
    #define KU_CRL_SIGN          0x0002
    #define KU_ENCIPHER_ONLY     0x0001
    #define KU_DECIPHER_ONLY     0x8000
There should be a function to do this.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
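The following is an added, self-contained example (not OpenSSL's code and not from either poster) that makes the relationship between the two approaches in Steve's reply concrete: the bit number passed to ASN1_BIT_STRING_get_bit() and the KU_* masks in ex_kusage are two views of the same DER BIT STRING. It decodes a KeyUsage extension value by hand so it compiles without libcrypto; ku_get_bit() mirrors the semantics of ASN1_BIT_STRING_get_bit() (bit 0 is the most significant bit of the first content byte, out-of-range bits read as 0), and ku_flags() builds the same 16-bit word OpenSSL caches in ex_kusage (first content byte in the low octet, second byte in the high octet, which is why decipherOnly is 0x8000). The sample DER values are constructed for this example, not taken from any real certificate, and the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Masks as used for the cached ex_kusage word (values from the reply above). */
#define KU_DIGITAL_SIGNATURE 0x0080
#define KU_NON_REPUDIATION   0x0040
#define KU_KEY_ENCIPHERMENT  0x0020
#define KU_DATA_ENCIPHERMENT 0x0010
#define KU_KEY_AGREEMENT     0x0008
#define KU_KEY_CERT_SIGN     0x0004
#define KU_CRL_SIGN          0x0002
#define KU_ENCIPHER_ONLY     0x0001
#define KU_DECIPHER_ONLY     0x8000

/* Decoded BIT STRING: content bytes following the "unused bits" octet. */
typedef struct {
    const uint8_t *data;
    size_t len;
    int unused_bits;
} ku_bitstring;

/* Minimal DER decoder for a KeyUsage value: one BIT STRING (tag 0x03),
 * short-form length, one unused-bits octet, then the content bytes.
 * Returns 1 on success, 0 if the encoding is malformed. */
int ku_decode(const uint8_t *der, size_t der_len, ku_bitstring *out) {
    if (der_len < 3 || der[0] != 0x03) return 0;      /* not a BIT STRING   */
    size_t content_len = der[1];
    if (content_len & 0x80) return 0;                  /* long form: reject  */
    if (content_len < 1 || 2 + content_len != der_len) return 0;
    int unused = der[2];
    if (unused > 7) return 0;
    if (content_len == 1 && unused != 0) return 0;     /* empty string, pad? */
    out->unused_bits = unused;
    out->data = der + 3;
    out->len = content_len - 1;
    return 1;
}

/* Same semantics as ASN1_BIT_STRING_get_bit(): bit 0 is the MSB of the first
 * content byte (digitalSignature), bit 8 is decipherOnly; bits past the end
 * of the encoded data read as 0. */
int ku_get_bit(const ku_bitstring *bs, int bitnum) {
    if (bitnum < 0) return 0;
    size_t byte = (size_t)bitnum / 8;
    int shift = 7 - (bitnum % 8);
    if (byte >= bs->len) return 0;
    return (bs->data[byte] >> shift) & 1;
}

/* The word OpenSSL caches in ex_kusage: data[0] low, data[1] << 8 high. */
unsigned ku_flags(const ku_bitstring *bs) {
    unsigned flags = 0;
    if (bs->len > 0) flags |= bs->data[0];
    if (bs->len > 1) flags |= (unsigned)bs->data[1] << 8;
    return flags;
}

/* Decode and test that every bit in mask is set. Returns -1 on decode error. */
int ku_has(const uint8_t *der, size_t der_len, unsigned mask) {
    ku_bitstring bs;
    if (!ku_decode(der, der_len, &bs)) return -1;
    return (ku_flags(&bs) & mask) == mask;
}

/* Decode and read a single bit by number, as X509_get_ext_d2i() followed by
 * ASN1_BIT_STRING_get_bit() would. Returns -1 on decode error. */
int ku_bit_from_der(const uint8_t *der, size_t der_len, int bitnum) {
    ku_bitstring bs;
    if (!ku_decode(der, der_len, &bs)) return -1;
    return ku_get_bit(&bs, bitnum);
}

/* Constructed sample extension values (DER), for illustration only. */
static const uint8_t KU_TLS_SERVER[] = { 0x03, 0x02, 0x05, 0xA0 };       /* digitalSignature, keyEncipherment */
static const uint8_t KU_CA[]         = { 0x03, 0x02, 0x01, 0x06 };       /* keyCertSign, cRLSign */
static const uint8_t KU_DECIPHER[]   = { 0x03, 0x03, 0x07, 0x08, 0x80 }; /* keyAgreement, decipherOnly */
static const uint8_t KU_BAD_TAG[]    = { 0x04, 0x02, 0x05, 0xA0 };       /* OCTET STRING tag: malformed */

int main(void) {
    printf("server cert may sign:        %d\n",
           ku_has(KU_TLS_SERVER, sizeof KU_TLS_SERVER, KU_DIGITAL_SIGNATURE));
    printf("server cert may sign certs:  %d\n",
           ku_has(KU_TLS_SERVER, sizeof KU_TLS_SERVER, KU_KEY_CERT_SIGN));
    printf("CA cert keyCertSign (bit 5): %d\n", ku_bit_from_der(KU_CA, sizeof KU_CA, 5));
    printf("decipherOnly (bit 8):        %d\n", ku_bit_from_der(KU_DECIPHER, sizeof KU_DECIPHER, 8));
    printf("malformed value:             %d\n", ku_has(KU_BAD_TAG, sizeof KU_BAD_TAG, KU_DIGITAL_SIGNATURE));
    return 0;
}
```

Two points worth keeping in mind when applying this against real certificates. First, the bit numbers are the ones RFC 5280 assigns in the KeyUsage definition (digitalSignature is 0, decipherOnly is 8), so a certificate that sets only bits 0 to 7 encodes a one-byte content and any query for bit 8 legitimately returns 0 rather than an error. Second, in OpenSSL 1.1.0 and later the X509 structure is opaque, so the cert->ex_flags / cert->ex_kusage route from the reply no longer compiles; the accessors X509_get_extension_flags() and X509_get_key_usage() expose the same cached values, and the KU_* masks keep the values listed above, while the X509_get_ext_d2i() plus ASN1_BIT_STRING_get_bit() route works unchanged.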