Is this the _new_ definition of esoteric :-)
Anyway, thanks, it works...

...
obj = X509_EXTENSION_get_object (ex);
if (OBJ_obj2nid (obj) == NID_ext_key_usage)
{
    /* Decode the extension: for extended key usage this is a STACK of ASN1_OBJECTs */
    if ((stack = X509V3_EXT_d2i (ex)))
    {
        for (j = 0; j < sk_num (stack); j++)
        {
            ex_nid = OBJ_obj2nid ((ASN1_OBJECT *) sk_value (stack, j));
            if (ex_nid == NID_ms_sgc)
                ...
            else if (ex_nid == NID_ns_sgc)
                ...
        }

        /* Free the decoded stack together with the objects it holds */
        sk_pop_free (stack, ASN1_OBJECT_free);
    }
}

--Patrik


Dr Stephen Henson wrote:

> Patrik Carlsson wrote:
> >
> > Is there an easier (or more elegant) way than this to get the NID in
> > order to e.g. identify a SGC certificate?
> >
> > ...
> > X509_EXTENSION *ex = X509_get_ext (x, i);
> >
> > if (X509V3_EXT_print (bio, ex, 0))
> > {
> >     j = BIO_read (sb, buf, BUF_LEN);
> >     buf[j] = 0;
> >     ex_nid = OBJ_ln2nid (buf);
> >     isSGC = ex_nid == NID_ms_sgc || ex_nid == NID_ns_sgc;
> > }
> > ...
> >
>
> Yes there is. Apologies for the lack of documentation in this area: I'm
> a bit snowed under with things that need fixing at the moment :-(
>
> Anyway this is handled by the new extension code. When you've looked up
> the extension from a certificate you can call:
>
> extusage = X509V3_EXT_d2i(ext);
>
> to get the extension's internal structure or NULL if there is an error.
> What you get back depends on the extension you try. For extended key
> usage you get back a STACK of ASN1_OBJECTs which you can then traverse
> looking for the NID you want.
>
> After you've finished with it you need to use an extension specific call
> to free it up. In this case:
>
> sk_pop_free(extusage, ASN1_OBJECT_free);
>
> Hmmm I think I'll add a call that calls the right free function as well
> without having to work out the specific one...
>
> > Also, I've come across this extension which isn't listed in objects.h:
> >             X509v3 Extended Key Usage:
> >                 Netscape Server Gated Crypto, Microsoft Server Gated Crypto
> >
>
> If it prints out like that then it's just the two usages printed out
> separately: a certificate can contain several extended key usages. If
> the object wasn't in objects.h you'd get the numerical form of the OID.
>
> Steve.
> --
> Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the   OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.
>
> ______________________________________________________________________
> OpenSSL Project                                http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]

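Added example, not code from this thread or from OpenSSL: the extended key usage value that X509V3_EXT_d2i decodes is a DER SEQUENCE OF OBJECT IDENTIFIER, and the sketch below walks that encoding by hand, with bounds checks, to find the two SGC OIDs behind NID_ns_sgc and NID_ms_sgc. The names eku_sgc_flags, der_header, the EKU_* flags and the sample bytes are constructed for this illustration.

```c
#include <stddef.h>
#include <string.h>
#define EKU_NS_SGC 1 /* Netscape Server Gated Crypto, 2.16.840.1.113730.4.1 */
#define EKU_MS_SGC 2 /* Microsoft Server Gated Crypto, 1.3.6.1.4.1.311.10.3.3 */
static const unsigned char OID_NS_SGC[] = {0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x04,0x01};
static const unsigned char OID_MS_SGC[] = {0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x0A,0x03,0x03};

/* Constructed sample: an extended key usage value listing both SGC usages */
const unsigned char EKU_SAMPLE[] = {
    0x30,0x17,
    0x06,0x09,0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x04,0x01,
    0x06,0x0A,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x0A,0x03,0x03 };

/* Read a DER tag and length at *p; on success move *p to the contents.
 * Returns the tag, or -1 on truncated, indefinite or non-minimal lengths. */
static int der_header(const unsigned char **p, const unsigned char *end, size_t *len)
{
    const unsigned char *q = *p;
    size_t l, n, i;
    int tag;
    if (end - q < 2) return -1;
    tag = *q++;
    l = *q++;
    if (l & 0x80) {                       /* long form: next n bytes hold the length */
        n = l & 0x7F;
        if (n < 1 || n > 2 || (size_t)(end - q) < n) return -1;
        for (l = 0, i = 0; i < n; i++) l = (l << 8) | *q++;
        if (l < (n == 1 ? 0x80u : 0x100u)) return -1;
    }
    if ((size_t)(end - q) < l) return -1; /* contents must fit in the buffer */
    *p = q; *len = l;
    return tag;
}

/* Returns a bitmask of EKU_* flags, or -1 if the encoding is malformed. */
int eku_sgc_flags(const unsigned char *der, size_t derlen)
{
    const unsigned char *p = der, *end = der + derlen;
    size_t len;
    int flags = 0;
    if (der_header(&p, end, &len) != 0x30 || len == 0 || p + len != end) return -1;
    while (p < end) {  /* each element must be an OBJECT IDENTIFIER (tag 0x06) */
        if (der_header(&p, end, &len) != 0x06 || len == 0) return -1;
        if (len == sizeof OID_NS_SGC && !memcmp(p, OID_NS_SGC, len)) flags |= EKU_NS_SGC;
        if (len == sizeof OID_MS_SGC && !memcmp(p, OID_MS_SGC, len)) flags |= EKU_MS_SGC;
        p += len;
    }
    return flags;
}

int main(void) { return eku_sgc_flags(EKU_SAMPLE, sizeof EKU_SAMPLE) == 3 ? 0 : 1; }
```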