Hi Patrick, thanks for your response.
To make a long story short, this issue arose because of trouble with the
X509_EXT_print() routine, so I thought I'd just do the same thing manually.
Unfortunately, that didn't solve the problem but it did narrow the scope. The
X509 print routines eventually call X509V3_extensions_print(), and it is there
the culprit lies.
I took the code in X509V3_extensions_print() and added it to my program
directly, then inserted debug statements to determine the exact location of the
crash.
In X509V3_extensions_print() are the lines:
1. int i, j;
2. X509_CINF *ci;
3. ci=X509cert->cert_info;
4. STACK_OF(X509_EXTENSION) *exts;
5. exts = ci->extensions;
As soon as the program hits line #5 above it crashes, but only if run as a
plugin to another program (Oracle Access Manager, "OAM"). If run from the
command line it works perfectly! I can't find any documentation from Oracle or
OpenSSL that addresses this issue; it appears to be something with the
extensions. The only thing that might be relevant is an obscure section from
some internal Boeing document from 2002 that reads:
"Due to known problems with SSL library [openssl], the plug-in shared object
calls an executable, which executes the actual Https request"
Although I'm not using https in this case there is an X509 certificate involved
in both cases. Unfortunately, there is no detail on what "known problems with
SSL" means.
Have you seen anything like this?
-------------
Hi Kenny:
On April 14, 2011 07:41:51 pm you wrote:
>
> Here is the alternative I have so far:
>
> CERTIFICATEPOLICIES *cp;
> if ((cp = (CERTIFICATEPOLICIES*) X509_get_ext_d2i(X509cert,
> NID_certificate_policies, NULL, NULL)) == NULL) {
> printMsg("decodeX509cert: no policies found");
> } else {
> printMsg("decodeX509cert: found policies");
> }
>
> The output shows "decodeX509cert: found policies" so I know the policies
> are there. How do I convert cp into text that I can search using strstr or
> such? Thanks,
The first thing that I would say is that you PROBABLY don't want the
qualifiers. They may change without notice, and are probably NOT what you want
to match on. It would be FAR more reliable to just match on the Policy OIDs,
since those won't change over time very much (at least, not in any sane policy
environment, and I know that Boeing is playing in the US Federal and CertiPath
spaces, so that is a pretty sane environment :)
To grab the Policy OIDs, just enumerate through the STACK of POLICYINFO that
is what your cp variable is, and then pull out the policyid element of
each
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
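As an added illustration (not code from this thread, and deliberately not using the OpenSSL API), the C below walks the DER value of a certificatePolicies extension, turns each policyIdentifier into dotted text for comparison, and never looks at the qualifiers, which is the OID-only matching suggested above. The function names and the SAMPLE_POLICIES bytes (policy 2.999.1.2 carrying a CPS qualifier, followed by anyPolicy 2.5.29.32.0) are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
typedef unsigned char u8;
/* Expect one DER TLV with tag `want` at *p, bounded by end; leave *p at its value. */
static int der_tlv(const u8 **p, const u8 *end, u8 want, size_t *len) {
    const u8 *q = *p; size_t n, l;
    if (end - q < 2 || *q++ != want) return 0;
    if ((l = *q++) & 0x80) {                 /* long form: 1 or 2 length bytes */
        n = l & 0x7f; l = 0;
        if (n == 0 || n > 2 || (size_t)(end - q) < n) return 0;
        while (n--) l = (l << 8) | *q++;
    }
    if ((size_t)(end - q) < l) return 0;     /* value must fit inside its parent */
    *p = q; *len = l; return 1;
}
/* Decode OID content bytes into dotted text such as "2.5.29.32.0". */
static int oid_text(const u8 *v, size_t len, char *out, size_t sz) {
    unsigned long arc = 0, a; size_t i, used = 0; int n;
    if (len == 0 || (v[len - 1] & 0x80)) return 0;   /* empty or truncated arc */
    for (i = 0; i < len; i++) {
        if (arc >> (sizeof arc * 8 - 7)) return 0;   /* arc would overflow */
        arc = (arc << 7) | (v[i] & 0x7f);
        if (v[i] & 0x80) continue;               /* more bytes in this arc */
        a = arc < 80 ? arc / 40 : 2;             /* first sub-identifier packs two arcs */
        n = used ? snprintf(out + used, sz - used, ".%lu", arc)
                 : snprintf(out, sz, "%lu.%lu", a, arc - a * 40);
        if (n < 0 || (size_t)n >= sz - used) return 0;
        used += (size_t)n; arc = 0;
    }
    return 1;
}
/* 1 if `wanted` is a policyIdentifier in the extension value, 0 if not, -1 if malformed. */
int policies_have_oid(const u8 *ext, size_t extlen, const char *wanted) {
    const u8 *p = ext, *end = ext + extlen, *pi_end;
    size_t len; char txt[128];
    if (!der_tlv(&p, end, 0x30, &len) || p + len != end) return -1;
    while (p < end) {
        if (!der_tlv(&p, end, 0x30, &len)) return -1;        /* PolicyInformation */
        pi_end = p + len;
        if (!der_tlv(&p, pi_end, 0x06, &len) || !oid_text(p, len, txt, sizeof txt)) return -1;
        if (strcmp(txt, wanted) == 0) return 1;
        p = pi_end;                          /* policyQualifiers are never examined */
    }
    return 0;
}
/* Constructed sample value: policy 2.999.1.2 with a CPS qualifier, then anyPolicy. */
const u8 SAMPLE_POLICIES[] = { 0x30,0x23, 0x30,0x19, 0x06,0x04,0x88,0x37,0x01,0x02,
    0x30,0x11, 0x30,0x0F, 0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x01,
    0x16,0x03,'c','p','s',  0x30,0x06, 0x06,0x04,0x55,0x1D,0x20,0x00 };
```

The qualifier's own OID (1.3.6.1.5.5.7.2.1, id-qt-cps) is present in the sample bytes but is not reported as a policy, and a truncated value is rejected rather than partially matched.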