problem with policy mappings extension decoding
Dr. Stephen Henson wrote:
> X509_get_pubkey() is useful for those cases: it just isn't complete.
>
> You can check to see if parameters are missing using:
>
>     EVP_PKEY_missing_parameters(key);
>
> You can copy parameters using:
>
>     EVP_PKEY_copy_parameters(to, from);
>
> So before you replace the working_key with a new one check to see if the new key has parameters, if not copy them from the current working key.

Thank You. Now I have another question. When I print policy mapping extension with X509V3_EXT_print() I get:

    0:d=0 hl=2 l= 26 cons: SEQUENCE
    2:d=1 hl=2 l= 24 cons: SEQUENCE
    4:d=2 hl=2 l= 10 prim: OBJECT:2.16.840.1.101.3.2.1.48.1
    16:d=2 hl=2 l= 10 prim: OBJECT:2.16.840.1.101.3.2.1.48.2

But when I try to extract this extension:

    POLICY_MAPPINGS *polMaps = NULL;
    polMaps = (POLICY_MAPPINGS*)X509_get_ext_d2i(cert, NID_policy_mappings, crit, NULL);

I get NULL. This means polMaps is NULL and crit is -1 which is decoding problem. What should I do to extract this extension correctly?

Thanks,
Daniel
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: problem with policy mappings extension decoding
On Wed, Jun 22, 2005, soukyan wrote:

> Dr. Stephen Henson wrote:
> > X509_get_pubkey() is useful for those cases: it just isn't complete.
> >
> > You can check to see if parameters are missing using:
> >
> >     EVP_PKEY_missing_parameters(key);
> >
> > You can copy parameters using:
> >
> >     EVP_PKEY_copy_parameters(to, from);
> >
> > So before you replace the working_key with a new one check to see if the new key has parameters, if not copy them from the current working key.
>
> Thank You. Now I have another question. When I print policy mapping extension with X509V3_EXT_print() I get:
>
>     0:d=0 hl=2 l= 26 cons: SEQUENCE
>     2:d=1 hl=2 l= 24 cons: SEQUENCE
>     4:d=2 hl=2 l= 10 prim: OBJECT:2.16.840.1.101.3.2.1.48.1
>     16:d=2 hl=2 l= 10 prim: OBJECT:2.16.840.1.101.3.2.1.48.2

That's an asn1parse output. Normally X509V3_EXT_print() won't do that and then only if standard routines fail.

> But when I try to extract this extension:
>
>     POLICY_MAPPINGS *polMaps = NULL;
>     polMaps = (POLICY_MAPPINGS*)X509_get_ext_d2i(cert, NID_policy_mappings, crit, NULL);
>
> I get NULL. This means polMaps is NULL and crit is -1 which is decoding problem. What should I do to extract this extension correctly?

You need OpenSSL 0.9.8 to handle policy mappings.

See what happens with the 'x509' utility. If that doesn't produce meaningful output please send me the cert.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: problem with policy mappings extension decoding
Dr. Stephen Henson wrote:
> On Wed, Jun 22, 2005, soukyan wrote:
> > Now I have another question. When I print policy mapping extension with X509V3_EXT_print() I get:
> >
> >     0:d=0 hl=2 l= 26 cons: SEQUENCE
> >     2:d=1 hl=2 l= 24 cons: SEQUENCE
> >     4:d=2 hl=2 l= 10 prim: OBJECT:2.16.840.1.101.3.2.1.48.1
> >     16:d=2 hl=2 l= 10 prim: OBJECT:2.16.840.1.101.3.2.1.48.2
>
> That's an asn1parse output. Normally X509V3_EXT_print() won't do that and then only if standard routines fail.

I am using X509V3_EXT_PARSE_UNKNOWN:

    X509V3_EXT_print(bio, ext, X509V3_EXT_PARSE_UNKNOWN, 0);

to know a structure of unknown extensions.

> > But when I try to extract this extension:
> >
> >     POLICY_MAPPINGS *polMaps = NULL;
> >     polMaps = (POLICY_MAPPINGS*)X509_get_ext_d2i(cert, NID_policy_mappings, crit, NULL);
> >
> > I get NULL. This means polMaps is NULL and crit is -1 which is decoding problem. What should I do to extract this extension correctly?
>
> You need OpenSSL 0.9.8 to handle policy mappings.

Yes, I am using OpenSSL 0.9.8 Beta 4.

> See what happens with the 'x509' utility.

This is the output of this utility:

    X509v3 Policy Mappings: critical
        0.0.. `.H.e...0.. `.H.e...0.

> If that doesn't produce meaningful output please send me the cert.

OK. I am just sending this certificate (on Your e-mail steve*openssl.org). The certificate comes from NIST Test Suite (test 4.10.1) and it is an intermediate CA certificate.
http://csrc.nist.gov/pki/testing/x509paths.html

Thanks,
Daniel
Re: problem with policy mappings extension decoding
On Wed, Jun 22, 2005, soukyan wrote:

> Dr. Stephen Henson wrote:
> > On Wed, Jun 22, 2005, soukyan wrote:
> > > Now I have another question. When I print policy mapping extension with X509V3_EXT_print() I get:
> > >
> > >     0:d=0 hl=2 l= 26 cons: SEQUENCE
> > >     2:d=1 hl=2 l= 24 cons: SEQUENCE
> > >     4:d=2 hl=2 l= 10 prim: OBJECT:2.16.840.1.101.3.2.1.48.1
> > >     16:d=2 hl=2 l= 10 prim: OBJECT:2.16.840.1.101.3.2.1.48.2
> >
> > That's an asn1parse output. Normally X509V3_EXT_print() won't do that and then only if standard routines fail.
>
> I am using X509V3_EXT_PARSE_UNKNOWN:
>
>     X509V3_EXT_print(bio, ext, X509V3_EXT_PARSE_UNKNOWN, 0);
>
> to know a structure of unknown extensions.

OK, this should be fixed now. The initial cause was that the extension table was not in order but that was caused by inconsistencies in the OID table between OpenSSL 0.9.7 and 0.9.8.

It should now display and parse the extension properly. Please check the next snapshot.

Thanks for the report,

Steve.
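
Added example (not part of the thread and not OpenSSL code): a standalone C decoder for the extension value shown in the asn1parse dump above, following the RFC 5280 PolicyMappings definition, so the issuerDomainPolicy/subjectDomainPolicy pair can be checked without relying on the library's extension table. The byte array is constructed from the dump's offsets, lengths and OIDs; `struct mapping`, `tlv`, `oid_str` and `decode_policy_mappings` are hypothetical names, and only short-form DER lengths are handled.

```c
#include <stdio.h>
/* Constructed from the offsets, lengths and OIDs in the thread's asn1parse dump. */
static const unsigned char POLICY_MAPPINGS_DER[] = { 0x30, 0x1a, 0x30, 0x18,
    0x06, 0x0a, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x02, 0x01, 0x30, 0x01,
    0x06, 0x0a, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x02, 0x01, 0x30, 0x02 };
struct mapping { char issuer[64], subject[64]; };   /* hypothetical result type */
/* Read one short-form DER TLV with the expected tag. Returns its content and moves
   *p to the end of that content (so length = *p - content); NULL if malformed. */
static const unsigned char *tlv(const unsigned char **p, const unsigned char *end,
                                unsigned char tag) {
    const unsigned char *c = *p;
    if (end - c < 2 || c[0] != tag || c[1] >= 0x80) return NULL;
    if (end - c - 2 < c[1]) return NULL;             /* length overruns the buffer */
    *p = c + 2 + c[1];
    return c + 2;
}
/* Decode OID content octets to dotted form; 0 on success, -1 if malformed. */
static int oid_str(const unsigned char *c, size_t len, char *out, size_t cap) {
    size_t i, n = 0, v = 0;
    if (len == 0 || (c[len - 1] & 0x80)) return -1;  /* empty or unterminated arc */
    for (i = 0; i < len; i++) {
        if (v >> 24) return -1;                      /* arc too large for this example */
        v = (v << 7) | (c[i] & 0x7f);
        if (c[i] & 0x80) continue;                   /* arc continues in next octet */
        int w = n ? snprintf(out + n, cap - n, ".%zu", v)  /* else: first value packs two arcs */
                  : snprintf(out, cap, "%zu.%zu", v < 80 ? v / 40 : 2, v < 80 ? v % 40 : v - 80);
        if (w < 0 || (size_t)w >= cap - n) return -1;
        n += (size_t)w, v = 0;
    }
    return 0;
}
/* PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { issuerDomainPolicy OID,
   subjectDomainPolicy OID }. Returns the number of mappings, or -1 if malformed. */
int decode_policy_mappings(const unsigned char *der, size_t n, struct mapping *out, size_t max) {
    const unsigned char *p = der, *c, *m, *o;
    size_t count = 0;
    if (!(c = tlv(&p, der + n, 0x30)) || p != der + n) return -1;
    for (; c < p; count++) {                         /* p now marks the end of the list */
        if (count == max || !(m = tlv(&c, p, 0x30))) return -1;  /* c moves to the pair's end */
        if (!(o = tlv(&m, c, 0x06)) || oid_str(o, (size_t)(m - o), out[count].issuer, 64)) return -1;
        if (!(o = tlv(&m, c, 0x06)) || oid_str(o, (size_t)(m - o), out[count].subject, 64)) return -1;
        if (m != c) return -1;                       /* trailing bytes inside the pair */
    }
    return count ? (int)count : -1;
}
int main(void) {
    struct mapping m[4];
    int n = decode_policy_mappings(POLICY_MAPPINGS_DER, sizeof POLICY_MAPPINGS_DER, m, 4);
    for (int i = 0; i < n; i++) printf("%s -> %s\n", m[i].issuer, m[i].subject);
}
```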