Re: query on key usage OIDs
On Fri, Jul 16, 2021 at 01:11:04PM +0200, Jakob Bohm via openssl-users wrote:
> Question was how to retrieve those lists for any given certificate,
> using currently supported OpenSSL APIs.
>
> The lists of usage bits and extusage OIDs in any given certificate
> are finite, even if the list of values that could be in other
> certificates is infinite.
The bits can be retrieved via: X509_get_key_usage(3).
https://www.openssl.org/docs/man1.1.1/man3/X509_get_key_usage.html
The "standard" EKU extensions can be retrieved via:
X509_get_extended_key_usage(3)
X509_get_extended_key_usage() returns the value of the extended key
usage extension. If extended key usage is present it will return
zero or more of the flags: XKU_SSL_SERVER, XKU_SSL_CLIENT,
XKU_SMIME, XKU_CODE_SIGN XKU_OCSP_SIGN, XKU_TIMESTAMP, XKU_DVCS or
XKU_ANYEKU. These correspond to the OIDs id-kp-serverAuth,
id-kp-clientAuth, id-kp-emailProtection, id-kp-codeSigning,
id-kp-OCSPSigning, id-kp-timeStamping, id-kp-dvcs and
anyExtendedKeyUsage respectively.
To retrieve the full list of extended key usage OIDs: X509_get_ext_d2i(3)
X509 *x;
EXTENDED_KEY_USAGE *extusage;
int i;
...
if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, , NULL)) != NULL) {
for (i = 0; i < sk_ASN1_OBJECT_num(extusage); ++i) {
ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(extusage, i);
/* Do something with "obj" */
}
}
sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
--
Viktor.
Re: query on key usage OIDs
Question was how to retrieve those lists for any given certificate,
using currently supported OpenSSL APIs.
The lists of usage bits and extusage OIDs in any given certificate
are finite, even if the list of values that could be in other
certificates is infinite.
On 2021-07-16 06:44, Kyle Hamilton wrote:
Also, OIDs for extendedKeyUsage can be defined per-application, so
there's no way to compile a full list of them.
-Kyle H
On Fri, Jul 16, 2021 at 4:23 AM Viktor Dukhovni
wrote:
On 15 Jul 2021, at 11:55 pm, SIMON BABY wrote:
I am looking for openssl APIs to get all the OIDs associated with user
certificate Key usage extension. For example my sample Key usage extension from
the certificate is below:
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
I am looking for the APIs used to get the OIDs associated with Digital
Signature and Key Encipherment from the certificate.
There are no keyUsage OIDs, the field is a bitstring:
https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3
id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
KeyUsage ::= BIT STRING {
digitalSignature(0),
nonRepudiation (1), -- recent editions of X.509 have
-- renamed this bit to
contentCommitment
keyEncipherment (2),
dataEncipherment(3),
keyAgreement(4),
keyCertSign (5),
cRLSign (6),
encipherOnly(7),
decipherOnly(8) }
There are OIDs in the extendedKeyUsage:
https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
Re: query on key usage OIDs
Also, OIDs for extendedKeyUsage can be defined per-application, so
there's no way to compile a full list of them.
-Kyle H
On Fri, Jul 16, 2021 at 4:23 AM Viktor Dukhovni
wrote:
>
> > On 15 Jul 2021, at 11:55 pm, SIMON BABY wrote:
> >
> > I am looking for openssl APIs to get all the OIDs associated with user
> > certificate Key usage extension. For example my sample Key usage extension
> > from the certificate is below:
> > X509v3 extensions:
> > X509v3 Key Usage: critical
> > Digital Signature, Key Encipherment
> >
> > I am looking for the APIs used to get the OIDs associated with Digital
> > Signature and Key Encipherment from the certificate.
>
> There are no keyUsage OIDs, the field is a bitstring:
>
>https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3
>
> id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
>
> KeyUsage ::= BIT STRING {
>digitalSignature(0),
>nonRepudiation (1), -- recent editions of X.509 have
> -- renamed this bit to
> contentCommitment
>keyEncipherment (2),
>dataEncipherment(3),
>keyAgreement(4),
>keyCertSign (5),
>cRLSign (6),
>encipherOnly(7),
>decipherOnly(8) }
>
> There are OIDs in the extendedKeyUsage:
>
> https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12
>
> --
> Viktor.
>
Re: query on key usage OIDs
> On 15 Jul 2021, at 11:55 pm, SIMON BABY wrote:
>
> I am looking for openssl APIs to get all the OIDs associated with user
> certificate Key usage extension. For example my sample Key usage extension
> from the certificate is below:
> X509v3 extensions:
> X509v3 Key Usage: critical
> Digital Signature, Key Encipherment
>
> I am looking for the APIs used to get the OIDs associated with Digital
> Signature and Key Encipherment from the certificate.
There are no keyUsage OIDs, the field is a bitstring:
https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3
id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
KeyUsage ::= BIT STRING {
digitalSignature(0),
nonRepudiation (1), -- recent editions of X.509 have
-- renamed this bit to contentCommitment
keyEncipherment (2),
dataEncipherment(3),
keyAgreement(4),
keyCertSign (5),
cRLSign (6),
encipherOnly(7),
decipherOnly(8) }
There are OIDs in the extendedKeyUsage:
https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12
--
Viktor.
query on key usage OIDs
Hi Team, I am looking for openssl APIs to get all the OIDs associated with user certificate Key usage extension. For example my sample Key usage extension from the certificate is below: X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment I am looking for the APIs used to get the OIDs associated with Digital Signature and Key Encipherment from the certificate. Reagrds Simon
