Re: query on key usage OIDs
On Fri, Jul 16, 2021 at 01:11:04PM +0200, Jakob Bohm via openssl-users wrote:

> Question was how to retrieve those lists for any given certificate,
> using currently supported OpenSSL APIs.
>
> The lists of usage bits and extusage OIDs in any given certificate
> are finite, even if the list of values that could be in other
> certificates is infinite.

The bits can be retrieved via X509_get_key_usage(3):

    https://www.openssl.org/docs/man1.1.1/man3/X509_get_key_usage.html

The "standard" EKU extensions can be retrieved via X509_get_extended_key_usage(3):

    X509_get_extended_key_usage() returns the value of the extended key
    usage extension. If extended key usage is present it will return zero
    or more of the flags: XKU_SSL_SERVER, XKU_SSL_CLIENT, XKU_SMIME,
    XKU_CODE_SIGN, XKU_OCSP_SIGN, XKU_TIMESTAMP, XKU_DVCS or XKU_ANYEKU.
    These correspond to the OIDs id-kp-serverAuth, id-kp-clientAuth,
    id-kp-emailProtection, id-kp-codeSigning, id-kp-OCSPSigning,
    id-kp-timeStamping, id-kp-dvcs and anyExtendedKeyUsage respectively.

To retrieve the full list of extended key usage OIDs, use X509_get_ext_d2i(3):

    X509 *x;
    EXTENDED_KEY_USAGE *extusage;   /* STACK_OF(ASN1_OBJECT) */
    int i;

    ...

    /* crit and idx are not needed here, so both are passed as NULL */
    if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL)) != NULL) {
        for (i = 0; i < sk_ASN1_OBJECT_num(extusage); ++i) {
            ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(extusage, i);
            /* Do something with "obj", e.g. OBJ_obj2txt() for the dotted OID */
        }
    }
    /* pop_free() is a no-op on NULL, so this is safe when the extension is absent */
    sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);

--
    Viktor.
Re: query on key usage OIDs
Question was how to retrieve those lists for any given certificate,
using currently supported OpenSSL APIs.

The lists of usage bits and extusage OIDs in any given certificate
are finite, even if the list of values that could be in other
certificates is infinite.

On 2021-07-16 06:44, Kyle Hamilton wrote:
> Also, OIDs for extendedKeyUsage can be defined per-application, so
> there's no way to compile a full list of them.
>
> -Kyle H
>
> On Fri, Jul 16, 2021 at 4:23 AM Viktor Dukhovni wrote:
>>
>>> On 15 Jul 2021, at 11:55 pm, SIMON BABY wrote:
>>>
>>> I am looking for openssl APIs to get all the OIDs associated with user
>>> certificate Key usage extension. For example my sample Key usage extension
>>> from the certificate is below:
>>>
>>>     X509v3 extensions:
>>>         X509v3 Key Usage: critical
>>>             Digital Signature, Key Encipherment
>>>
>>> I am looking for the APIs used to get the OIDs associated with Digital
>>> Signature and Key Encipherment from the certificate.
>>
>> There are no keyUsage OIDs, the field is a bitstring:
>>
>>     https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3
>>
>>     id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }
>>
>>     KeyUsage ::= BIT STRING {
>>          digitalSignature        (0),
>>          nonRepudiation          (1), -- recent editions of X.509 have
>>                               -- renamed this bit to contentCommitment
>>          keyEncipherment         (2),
>>          dataEncipherment        (3),
>>          keyAgreement            (4),
>>          keyCertSign             (5),
>>          cRLSign                 (6),
>>          encipherOnly            (7),
>>          decipherOnly            (8) }
>>
>> There are OIDs in the extendedKeyUsage:
>>
>>     https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
Re: query on key usage OIDs
Also, OIDs for extendedKeyUsage can be defined per-application, so
there's no way to compile a full list of them.

-Kyle H

On Fri, Jul 16, 2021 at 4:23 AM Viktor Dukhovni wrote:
>
> > On 15 Jul 2021, at 11:55 pm, SIMON BABY wrote:
> >
> > I am looking for openssl APIs to get all the OIDs associated with user
> > certificate Key usage extension. For example my sample Key usage extension
> > from the certificate is below:
> >
> >     X509v3 extensions:
> >         X509v3 Key Usage: critical
> >             Digital Signature, Key Encipherment
> >
> > I am looking for the APIs used to get the OIDs associated with Digital
> > Signature and Key Encipherment from the certificate.
>
> There are no keyUsage OIDs, the field is a bitstring:
>
>     https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3
>
>     id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }
>
>     KeyUsage ::= BIT STRING {
>          digitalSignature        (0),
>          nonRepudiation          (1), -- recent editions of X.509 have
>                               -- renamed this bit to contentCommitment
>          keyEncipherment         (2),
>          dataEncipherment        (3),
>          keyAgreement            (4),
>          keyCertSign             (5),
>          cRLSign                 (6),
>          encipherOnly            (7),
>          decipherOnly            (8) }
>
> There are OIDs in the extendedKeyUsage:
>
>     https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12
>
> --
>     Viktor.
>
Re: query on key usage OIDs
> On 15 Jul 2021, at 11:55 pm, SIMON BABY wrote:
>
> I am looking for openssl APIs to get all the OIDs associated with user
> certificate Key usage extension. For example my sample Key usage extension
> from the certificate is below:
>
>     X509v3 extensions:
>         X509v3 Key Usage: critical
>             Digital Signature, Key Encipherment
>
> I am looking for the APIs used to get the OIDs associated with Digital
> Signature and Key Encipherment from the certificate.

There are no keyUsage OIDs, the field is a bitstring:

    https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3

    id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }

    KeyUsage ::= BIT STRING {
         digitalSignature        (0),
         nonRepudiation          (1), -- recent editions of X.509 have
                              -- renamed this bit to contentCommitment
         keyEncipherment         (2),
         dataEncipherment        (3),
         keyAgreement            (4),
         keyCertSign             (5),
         cRLSign                 (6),
         encipherOnly            (7),
         decipherOnly            (8) }

There are OIDs in the extendedKeyUsage:

    https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12

--
    Viktor.
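[Editor's added example, not part of the thread.] Both of Viktor's replies make the same point from different angles: keyUsage is a BIT STRING with named bits (so there is nothing OID-shaped to retrieve, which is why X509_get_key_usage() hands back flag bits), while extendedKeyUsage is a SEQUENCE OF OBJECT IDENTIFIER (which is what X509_get_ext_d2i(x, NID_ext_key_usage, ...) returns as a STACK_OF(ASN1_OBJECT), and what X509_get_extended_key_usage() condenses into XKU_* flags for the RFC 5280 purposes). The decoder below is written from scratch in plain Python, with no OpenSSL binding, so it runs anywhere and shows exactly what those OpenSSL calls read out of the DER. The extension values are constructed for the example (they are not taken from a real certificate), and the OID 1.3.6.1.4.1.99999.1 under the IANA private enterprise arc is a hypothetical stand-in for the per-application EKU OIDs Kyle mentions.

```python
"""Decode X.509 keyUsage (a BIT STRING of named bits, no OIDs) and
extendedKeyUsage (a SEQUENCE OF OBJECT IDENTIFIER) from DER. Stdlib only."""

# RFC 5280 4.2.1.3: list index == named-bit position.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

# RFC 5280 4.2.1.12 OIDs and the OpenSSL XKU_* flag each maps to.
# Any other OID is application-defined and is reported as a bare dotted string.
KNOWN_EKU = {
    "1.3.6.1.5.5.7.3.1": "id-kp-serverAuth (XKU_SSL_SERVER)",
    "1.3.6.1.5.5.7.3.2": "id-kp-clientAuth (XKU_SSL_CLIENT)",
    "1.3.6.1.5.5.7.3.3": "id-kp-codeSigning (XKU_CODE_SIGN)",
    "1.3.6.1.5.5.7.3.4": "id-kp-emailProtection (XKU_SMIME)",
    "1.3.6.1.5.5.7.3.8": "id-kp-timeStamping (XKU_TIMESTAMP)",
    "1.3.6.1.5.5.7.3.9": "id-kp-OCSPSigning (XKU_OCSP_SIGN)",
    "1.3.6.1.5.5.7.3.10": "id-kp-dvcs (XKU_DVCS)",
    "2.5.29.37.0": "anyExtendedKeyUsage (XKU_ANYEKU)",
}

def _read_tlv(data, pos):
    """Return (tag, contents, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(data):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("TLV contents run past end of data")
    return tag, data[pos:pos + length], pos + length

def decode_key_usage(der):
    """Names of the set bits. Bit 0 is the MSB of the first octet after the
    unused-bits count; DER strips trailing zero bits, so a short string just
    means the higher bits (e.g. decipherOnly) are clear."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x03 or end != len(der) or not body:
        raise ValueError("expected a single non-empty BIT STRING")
    unused, bits = body[0], body[1:]
    if unused > 7 or (unused and not bits):
        raise ValueError("invalid unused-bits count")
    names = []
    for i in range(len(bits) * 8 - unused):
        if bits[i // 8] & (0x80 >> (i % 8)):
            names.append(KEY_USAGE_BITS[i] if i < len(KEY_USAGE_BITS) else f"bit{i}")
    return names

def decode_oid(body):
    """Dotted form of an OBJECT IDENTIFIER's content octets."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for b in body:  # base-128, high bit set on all but the last octet of an arc
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]  # first subidentifier packs two arcs as 40*X + Y
    arcs[0:1] = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, arcs))

def decode_extended_key_usage(der):
    """Dotted OIDs of ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        t, obody, pos = _read_tlv(body, pos)
        if t != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(obody))
    if not oids:
        raise ValueError("EKU must contain at least one OID")
    return oids

def describe_eku(der):
    """Each OID with its standard name, or a marker for application-defined ones."""
    return [f"{oid} = {KNOWN_EKU.get(oid, 'application-defined / unknown')}"
            for oid in decode_extended_key_usage(der)]

# Constructed sample values (not taken from any real certificate).
# keyUsage as in the question: digitalSignature(0) + keyEncipherment(2)
# -> one content octet 1010 0000 with 5 unused bits.
SAMPLE_KEY_USAGE = bytes.fromhex("03 02 05 A0")
# digitalSignature(0) + decipherOnly(8) needs a second octet, 7 unused bits.
SAMPLE_KEY_USAGE_DECIPHER = bytes.fromhex("03 03 07 80 80")
# EKU: serverAuth, clientAuth and a hypothetical private OID 1.3.6.1.4.1.99999.1
# standing in for a per-application purpose.
SAMPLE_EKU = bytes.fromhex(
    "30 1F"
    "06 08 2B 06 01 05 05 07 03 01"
    "06 08 2B 06 01 05 05 07 03 02"
    "06 09 2B 06 01 04 01 86 8D 1F 01"
)

if __name__ == "__main__":
    print("keyUsage:", decode_key_usage(SAMPLE_KEY_USAGE))
    print("extendedKeyUsage:", describe_eku(SAMPLE_EKU))
```

The two decoders deliberately mirror the two OpenSSL answers: decode_key_usage() is the bit-test behind checking X509_get_key_usage(x) & KU_DIGITAL_SIGNATURE, and decode_extended_key_usage() is the walk over the ASN1_OBJECT stack, with KNOWN_EKU playing the role of the XKU_* mapping. Feed it the raw extension value (the OCTET STRING contents of the extension, not the whole certificate); anything not in KNOWN_EKU is exactly the per-application case where only the dotted OID is available.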
query on key usage OIDs
Hi Team,

I am looking for openssl APIs to get all the OIDs associated with user
certificate Key usage extension. For example my sample Key usage extension
from the certificate is below:

    X509v3 extensions:
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment

I am looking for the APIs used to get the OIDs associated with Digital
Signature and Key Encipherment from the certificate.

Regards
Simon