Dave Clark wrote:
> 
> At 12:22 PM 08/18/1999 , Dr. Stephen N. Henson wrote:
> >Dave Clark wrote:
> >>
> >> Could someone describe how I would extract the OID(s) from
> >> the "extended key usage" extension?  Once I get the X509_EXTENSION,
> >> do I then call X509V3_EXT_d2i and receive a stack of ASN1_OBJECTs?
> >> How do I then get the OIDs?
> >>
> >
> >You get a STACK_OF(ASN1_OBJECT).
> >
> >You handle them the same as any other STACK_OF structure:
> >
> >n = sk_ASN1_OBJECT_num(ext);
> >tells you how many there are.
> >
> >ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(ext, i);
> >gets each one where i runs from 0..(n-1)
> >
> >and sk_ASN1_OBJECT_pop_free(ext, ASN1_OBJECT_free);
> >will free them all up.
> 
> Thanks Steve;
> 
> And the OID comes from the ASN1_OBJECT data field?
> 

Well the DER encoding is, but poking round in the ASN1 internal
structures is not recommended. That's because evil hackers like me love
to change the meanings of these all the time to break programs that do
this :-)

You should really use the ASN1 OBJECT functions, for example:

int nid = OBJ_obj2nid(obj);
const char *sn = OBJ_nid2sn(nid);   /* short name */
const char *ln = OBJ_nid2ln(nid);   /* long name */

to return a unique identifier for recognised objects, a "short name"
such as "CN" or a "long name" such as "commonName" (see objects.h for a
complete list). Most of the standard extended key usage objects are
recognised. Finally for any objects (recognised or not) you can call:

OBJ_obj2txt(buf, buf_len, obj, no_name);

which gives either the short name (if defined), otherwise the long name
(if defined) or the numerical form if no name is defined (e.g.
"1.2.3.4"). If you make 'no_name' non-zero then you always get the
numerical form even if the object is recognised.

If you really need the DER encoding of the object then you should use
i2d_ASN1_OBJECT().

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
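
Added example, not part of the original message and not OpenSSL code: it shows why the content octets of an OBJECT IDENTIFIER are not themselves the dotted OID, by decoding a constructed extendedKeyUsage DER value by hand and looking one OID up in it. The names tl, oid_to_text, eku_find and SAMPLE_EKU are made up for this illustration and only short-form DER lengths are accepted; in a program linked against OpenSSL, OBJ_obj2txt() with no_name set yields the same dotted text.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample EKU value: 1.3.6.1.5.5.7.3.1 and 1.3.6.1.4.1.311.10.3.3 */
static const unsigned char SAMPLE_EKU[] = { 0x30, 0x16,
    0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01,
    0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x0A, 0x03, 0x03 };

/* Expect `tag` plus a short-form length (< 128); content length or -1. */
static int tl(const unsigned char **p, const unsigned char *end, unsigned tag)
{
    if (end - *p < 2 || (*p)[0] != tag || (*p)[1] >= 0x80) return -1;
    int len = (*p)[1];
    *p += 2;
    return end - *p >= len ? len : -1;
}

/* OID content octets -> dotted text; 0 on success, -1 if malformed. */
static int oid_to_text(const unsigned char *p, size_t len, char *out, size_t cap)
{
    unsigned long v = 0;
    size_t used = 0;
    if (len == 0 || (p[len - 1] & 0x80)) return -1;  /* last arc unterminated */
    for (size_t i = 0; i < len; i++) {
        if (v > (~0UL >> 7) || (v == 0 && p[i] == 0x80)) return -1;
        v = (v << 7) | (p[i] & 0x7f);      /* base-128, high bit means "more" */
        if (p[i] & 0x80) continue;
        unsigned long a = v < 80 ? v / 40 : 2;  /* first value packs two arcs */
        int w = used ? snprintf(out + used, cap - used, ".%lu", v)
                     : snprintf(out, cap, "%lu.%lu", a, v - 40 * a);
        if (w < 0 || (size_t)w >= cap - used) return -1;
        used += (size_t)w; v = 0;
    }
    return 0;
}

/* Walk SEQUENCE OF OBJECT IDENTIFIER; index of `want`, -1 absent, -2 malformed. */
int eku_find(const unsigned char *der, size_t dlen, const char *want)
{
    const unsigned char *p = der, *end = der + dlen;
    char txt[64];
    int n = 0, found = -1, len = tl(&p, end, 0x30);
    if (len < 0 || p + len != end) return -2;
    for (; p < end; p += len, n++) {
        len = tl(&p, end, 0x06);
        if (len < 0 || oid_to_text(p, (size_t)len, txt, sizeof txt)) return -2;
        if (found < 0 && strcmp(txt, want) == 0) found = n;
    }
    return found;
}
```

The second sample OID was chosen because its arc 311 takes two octets (0x82 0x37), which a byte-for-byte read of the data field would get wrong.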
