Frank Balluffi wrote:
>
> I am confused about how to check a key usage extension. I see that ca_check
> "calls" ku_reject, which uses the X509 ex_flags element.
>
> Is it necessary to use the ku_reject method or is it possible to call
> d2i_ASN1_BIT_STRING (to decode the KeyUsage BIT STRING) and then
> ASN1_BIT_STRING_get_bit to check specific bits?
>
> I am guessing there is a "history lesson" here. Does anyone know?
>

This should be in openssl-users since it isn't a dev question...

You can automatically get the ASN1_BIT_STRING decoded and handled properly
using the X509_get_ext_d2i() function, see doc/openssl.txt. From then on you
can use ASN1_BIT_STRING_get_bit() and friends. This is portable and should
work in future versions of OpenSSL.

Alternatively you can check ex_flags but that involves messing around in
internal structures which may not be regarded as "clean" and is not
guaranteed to work in future. This is done internally so that the required
extensions can be cached in a form where the verify code can rapidly use
them.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
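The following is an added illustration, not code from the thread or from OpenSSL itself. It shows what the portable route Steve describes (X509_get_ext_d2i() with NID_key_usage, then ASN1_BIT_STRING_get_bit()) actually computes: it decodes a DER-encoded KeyUsage BIT STRING by hand and tests a named bit using the same bit numbering and the same "unused bits" handling as OpenSSL. The sample DER byte strings are constructed for the example (they are not taken from any real certificate), and the helper names (parse_bitstring, bitstring_get_bit, key_usage_check) are this example's own, so it compiles without linking libcrypto; the OpenSSL equivalent is given in the comment at the top.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * With OpenSSL linked in, the portable check from the reply above is:
 *
 *   int crit = 0;
 *   ASN1_BIT_STRING *ku = X509_get_ext_d2i(cert, NID_key_usage, &crit, NULL);
 *   if (ku != NULL) {
 *       int can_sign_certs = ASN1_BIT_STRING_get_bit(ku, 5);  // keyCertSign
 *       ASN1_BIT_STRING_free(ku);
 *   }
 *
 * The code below reimplements the decoding and bit test so the example is
 * self-contained (this is an added example, not library code).
 */

/* KeyUsage bit positions (RFC 5280, section 4.2.1.3). Bit 0 is the most
 * significant bit of the first content byte, exactly as
 * ASN1_BIT_STRING_get_bit() counts them. */
enum {
    KU_DIGITAL_SIGNATURE = 0,
    KU_NON_REPUDIATION   = 1,
    KU_KEY_ENCIPHERMENT  = 2,
    KU_DATA_ENCIPHERMENT = 3,
    KU_KEY_AGREEMENT     = 4,
    KU_KEY_CERT_SIGN     = 5,
    KU_CRL_SIGN          = 6,
    KU_ENCIPHER_ONLY     = 7,
    KU_DECIPHER_ONLY     = 8
};

/* A decoded BIT STRING: the data bytes, their count, and the number of
 * padding bits in the last byte (the leading "unused bits" octet). */
struct bitstr {
    const uint8_t *data;
    size_t len;
    unsigned unused;
};

/* Parse a DER BIT STRING with a short-form length (tag 0x03).
 * Returns 0 on success, -1 if the encoding is malformed. */
static int parse_bitstring(const uint8_t *der, size_t n, struct bitstr *out)
{
    if (n < 3 || der[0] != 0x03) return -1;
    size_t len = der[1];
    if (len & 0x80) return -1;               /* long-form length: not handled here */
    if (len < 1 || 2 + len > n) return -1;   /* need at least the unused-bits octet */
    unsigned unused = der[2];
    if (unused > 7) return -1;               /* DER allows 0..7 unused bits only */
    if (len == 1 && unused != 0) return -1;  /* empty string must declare 0 unused */
    out->data = der + 3;
    out->len = len - 1;
    out->unused = unused;
    return 0;
}

/* Same contract as ASN1_BIT_STRING_get_bit(): 1 if bit n is set, 0 if it is
 * clear, a padding bit, or beyond the end of the string. */
static int bitstring_get_bit(const struct bitstr *bs, unsigned n)
{
    size_t byte = n / 8;
    unsigned bit = n % 8;
    if (byte >= bs->len) return 0;
    if (byte == bs->len - 1 && bit >= 8 - bs->unused) return 0;  /* padding */
    return (bs->data[byte] & (0x80u >> bit)) ? 1 : 0;
}

/* Decode a KeyUsage extension value and test one named bit.
 * Returns 1 (set), 0 (clear/absent), or -1 (malformed encoding). */
int key_usage_check(const uint8_t *der, size_t n, unsigned bit)
{
    struct bitstr bs;
    if (parse_bitstring(der, n, &bs) != 0) return -1;
    return bitstring_get_bit(&bs, bit);
}

/* Constructed sample encodings for this example (not from real certificates). */
const uint8_t KU_CA_DER[]  = { 0x03, 0x02, 0x01, 0x06 };        /* keyCertSign, cRLSign */
const uint8_t KU_EE_DER[]  = { 0x03, 0x02, 0x05, 0xA0 };        /* digitalSignature, keyEncipherment */
const uint8_t KU_DEC_DER[] = { 0x03, 0x03, 0x07, 0x00, 0x80 };  /* decipherOnly (bit 8, second byte) */
const uint8_t KU_BAD_DER[] = { 0x03, 0x02, 0x08, 0x06 };        /* unused-bits octet out of range */

int main(void)
{
    printf("CA cert keyCertSign: %d\n", key_usage_check(KU_CA_DER, sizeof KU_CA_DER, KU_KEY_CERT_SIGN));
    printf("EE cert keyCertSign: %d\n", key_usage_check(KU_EE_DER, sizeof KU_EE_DER, KU_KEY_CERT_SIGN));
    printf("decipherOnly sample: %d\n", key_usage_check(KU_DEC_DER, sizeof KU_DEC_DER, KU_DECIPHER_ONLY));
    printf("malformed sample:    %d\n", key_usage_check(KU_BAD_DER, sizeof KU_BAD_DER, KU_KEY_CERT_SIGN));
    return 0;
}
```

The padding check in bitstring_get_bit is why a raw byte comparison is a poor substitute for ASN1_BIT_STRING_get_bit(): the last content byte carries up to seven meaningless bits, and decipherOnly lives in a second byte that many KeyUsage values do not even have, so "bit n" must be resolved through the unused-bits octet and the string length rather than read off a fixed byte. A result of -1 should be treated as a failed check, not as "bit clear".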