Patrik Carlsson wrote:
>
> Is there an easier (or more elegant) way than this to get the NID in
> order to e.g. identify a SGC certificate?
>
> ...
>   X509_EXTENSION *ex = X509_get_ext (x, i);
>
>   if (X509V3_EXT_print (bio, ex, 0))
>     {
>       j = BIO_read (sb, buf, BUF_LEN);
>       buf[j] = 0;
>       ex_nid = OBJ_ln2nid (buf);
>       isSGC = ex_nid == NID_ms_sgc || ex_nid == NID_ns_sgc;
>     }
> ...
>
Yes there is. Apologies for the lack of documentation in this area: I'm
a bit snowed under with things that need fixing at the moment :-(

Anyway this is handled by the new extension code. When you've looked up
the extension from a certificate you can call:

    extusage = X509V3_EXT_d2i(ext);

to get the extension's internal structure or NULL if there is an error.
What you get back depends on the extension you try. For extended key
usage you get back a STACK of ASN1_OBJECTs which you can then traverse
looking for the NID you want.

After you've finished with it you need to use an extension specific call
to free it up. In this case:

    sk_pop_free(extusage, ASN1_OBJECT_free);

Hmmm I think I'll add a call that calls the right free function as well
without having to work out the specific one...

> Also, I've come across this extension which isn't listed in objects.h:
> X509v3 Extended Key Usage:
> Netscape Server Gated Crypto, Microsoft Server Gated
> Crypto
>
If it prints out like that then it's just the two usages printed out
separately: a certificate can contain several extended key usages. If
the object wasn't in objects.h you'd get the numerical form of the OID.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
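
Added example, not part of the original message and not OpenSSL code: a stand-alone C illustration of the traversal described in the reply. It decodes the DER value of an extended key usage extension (a SEQUENCE OF OBJECT IDENTIFIER) and compares each entry with the two OIDs behind NID_ns_sgc and NID_ms_sgc. The names der_tlv, eku_has_sgc, SGC_EKU and TLS_EKU, the constructed sample bytes, and the restriction to short-form lengths are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DER content bytes of the two SGC extended key usage OIDs. */
static const unsigned char OID_NS_SGC[] = /* 2.16.840.1.113730.4.1 */
    {0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x42, 0x04, 0x01};
static const unsigned char OID_MS_SGC[] = /* 1.3.6.1.4.1.311.10.3.3 */
    {0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x0A, 0x03, 0x03};

/* Constructed samples: both SGC usages, then serverAuth (1.3.6.1.5.5.7.3.1) only. */
static const unsigned char SGC_EKU[] = {0x30, 0x17,
    0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x42, 0x04, 0x01,
    0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x0A, 0x03, 0x03};
static const unsigned char TLS_EKU[] = {0x30, 0x0A,
    0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01};

/* Match one short-form (length < 128) header with the given tag; content or NULL. */
static const unsigned char *der_tlv(const unsigned char *p, const unsigned char *end,
                                    unsigned char tag, size_t *len)
{
    if (end - p < 2 || p[0] != tag || (p[1] & 0x80)) return NULL;
    *len = p[1];
    return (size_t)(end - p - 2) < *len ? NULL : p + 2;
}

/* 1 if an SGC usage is listed, 0 if none is, -1 if the value is malformed. */
int eku_has_sgc(const unsigned char *der, size_t der_len)
{
    size_t seq_len, oid_len;
    int found = 0;
    const unsigned char *p = der_tlv(der, der + der_len, 0x30, &seq_len);
    if (p == NULL || seq_len + 2 != der_len) return -1;
    const unsigned char *end = p + seq_len;
    while (p < end) {
        const unsigned char *oid = der_tlv(p, end, 0x06, &oid_len);
        if (oid == NULL) return -1;
        if ((oid_len == sizeof OID_NS_SGC && !memcmp(oid, OID_NS_SGC, oid_len)) ||
            (oid_len == sizeof OID_MS_SGC && !memcmp(oid, OID_MS_SGC, oid_len)))
            found = 1;
        p = oid + oid_len;
    }
    return found;
}

int main(void)
{
    printf("%d %d\n", eku_has_sgc(SGC_EKU, sizeof SGC_EKU), eku_has_sgc(TLS_EKU, sizeof TLS_EKU));
    return 0;
}
```

Comparing decoded OIDs avoids depending on the printed long name, which is what the string round trip in the question relies on.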