Hi,
 
I have to do extension checking on a certificate (DER encoded) which is passed to the validate_ssl() function (see below). 
 
I translate the certificate from DER format to an internal form and want to do the appropriate checking. Therefore I first have to get the nid of the extensions. When I do the nid checking for the Extended Key Usage parameter of an X509v3 certificate, I always get the nid 0 (this means "undefined").
 
#include <stdio.h>
#include <openssl/x509.h>
#include <openssl/objects.h>

extern int SSLok;   /* global used by the original code; assumed to be defined elsewhere */

int validate_ssl (int ok, char *ip, char *protocol, char *subject, char *issuer, unsigned char *cert, int length, int depth, char** message)
{
    int rc;
    X509 *pem_cert;
    X509_EXTENSION* extension;
    ASN1_OBJECT *object;
    int i, count;
    const unsigned char* p;   /* d2i_X509() advances this pointer, so work on a copy of cert */
 
    rc = ok && SSLok;
 
    /* d2i_X509() allocates the X509 itself; a pre-allocated X509_new() would only be leaked */
    p = cert;
    pem_cert = d2i_X509(NULL, &p, length);
 
    if (pem_cert != NULL) {
      count = X509_get_ext_count(pem_cert);   /* only safe once the parse has succeeded */
      for (i=0; i< count; i++) {
        /* X509_get_ext() returns a pointer owned by pem_cert; do not free it */
        extension = X509_get_ext(pem_cert, i);
        if (extension == NULL) {
          fprintf(stderr, "Extension %d is null\n", i);
        }
        else {
          object = X509_EXTENSION_get_object(extension);   /* also owned by the extension */
          fprintf(stderr, "Object to nid : %d\n", OBJ_obj2nid(object));
        }
      }
      X509_free(pem_cert);
    }
 
    return (rc);
}
 
 
When I do the same checking with a program which contains exactly the same code (see below) except the code for loading the certificate (DER encoded) from file, I get the nid 126 (the correct one) for the Extended Key Usage parameter.
 
#include <stdio.h>
#include <openssl/x509.h>
#include <openssl/objects.h>

int main(void)
{
  const char* fname = "/export/home/certs/newcert.der";
  FILE* ifp;
  X509 *pem_cert;
  X509_EXTENSION* extension;
  ASN1_OBJECT *object;
  int i, count;
 
  ifp = fopen(fname, "rb");   /* DER is binary */
  if (ifp == NULL) {
    perror(fname);
    return 1;
  }
  /* d2i_X509_fp() allocates the X509 itself; a pre-allocated X509_new() would only be leaked */
  pem_cert = d2i_X509_fp(ifp, NULL);
  fclose(ifp);
 
  if (pem_cert != NULL) {
    count = X509_get_ext_count(pem_cert);   /* only safe once the parse has succeeded */
    for (i=0; i< count; i++) {
      extension = X509_get_ext(pem_cert, i);   /* owned by pem_cert; do not free it */
      if (extension == NULL) {
        fprintf(stderr, "Extension %d is null\n", i);
      }
      else {
        object = X509_EXTENSION_get_object(extension);
        fprintf(stderr, "Object to nid : %d\n", OBJ_obj2nid(object));
      }
    }
    X509_free(pem_cert);
  }
  return 0;
}
 
All the other nids that I am checking for (nid 82, 83, 87, 90) are correctly interpreted as well by validate_ssl() and the program (main()) above.
Are there any differences in the d2i_X509() and d2i_X509_fp() functions which explain this behavior, or is there something wrong in the code of the validate_ssl() function?
 
Thanks and Kind Regards,
 
Filip
****************
Filip Van de Velde
Syntegra, creating winners in the digital economy
+32 2 247 92 20 - Check us out at www.syntegra.be
****************
