Patrik Carlsson wrote:
> 
> Is this the _new_ definition of esoteric :-)
> Anyway, thanks, it works...
> 
> ...
> obj = X509_EXTENSION_get_object (ex);
> if (OBJ_obj2nid (obj) == NID_ext_key_usage)
> {
>     if ((stack = X509V3_EXT_d2i (ex)))
>     {
>         for (j = 0; j < sk_num (stack); j++)
>         {
>             ex_nid = OBJ_obj2nid ((ASN1_OBJECT *) sk_value (stack, j));
>             if (ex_nid == NID_ms_sgc)
>                 ...
>             else if (ex_nid == NID_ns_sgc)
>                 ...
>         }
>     }
> 
>     sk_pop_free (stack, ASN1_OBJECT_free);
> }
> 

Basically yes. I'm not sure what code you put before that, but I'd
guess you are checking each extension in turn for the right one. There
is some pre-existing code that can do that, for example:

int idx = -1; /* -1 starts the search at the first extension */
X509_EXTENSION *ext;
for (;;) {
    idx = X509_get_ext_by_NID(cert, NID_ext_key_usage, idx);
    if (idx < 0) break; /* Not found */
    ext = X509_get_ext(cert, idx);
    /* Do something with ext */
}

This assumes there might be more than one extension of the same type
which is a bit naughty: so you can usually assume there will be only
one.

Hmmm I think this would be less messy if there was a combined function
to get an extension and attempt to decode it...

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
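
What the loop over the decoded stack checks, shown at the encoding level as an added example that is not part of the original messages or of OpenSSL: a standalone C walker over a DER extendedKeyUsage value (SEQUENCE OF OBJECT IDENTIFIER) that flags the two SGC OIDs behind NID_ms_sgc and NID_ns_sgc. The names eku_sgc_flags, der_header, EKU_MS_SGC, EKU_NS_SGC and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* DER content bytes of the two SGC OIDs the thread tests for. */
static const unsigned char MS_SGC[] = /* 1.3.6.1.4.1.311.10.3.3 */
    {0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x0A,0x03,0x03};
static const unsigned char NS_SGC[] = /* 2.16.840.1.113730.4.1 */
    {0x60,0x86,0x48,0x01,0x86,0xF8,0x42,0x04,0x01};
/* Constructed sample: EKU holding serverAuth (1.3.6.1.5.5.7.3.1) and ms_sgc. */
static const unsigned char SAMPLE_EKU[] = {
    0x30,0x16, 0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01,
    0x06,0x0A,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x0A,0x03,0x03};

#define EKU_MS_SGC 1
#define EKU_NS_SGC 2

/* Read one TLV header at *p. Returns the tag, stores the content length in
 * *len and advances *p to the content. Returns -1 on truncation, indefinite
 * length, or a length field longer than 2 bytes. */
static int der_header(const unsigned char **p, const unsigned char *end, size_t *len)
{
    const unsigned char *q = *p;
    size_t n;
    int tag;
    if (end - q < 2) return -1;
    tag = *q++; n = *q++;
    if (n & 0x80) {                       /* long-form length */
        size_t cnt = n & 0x7F;
        if (cnt == 0 || cnt > 2 || (size_t)(end - q) < cnt) return -1;
        for (n = 0; cnt--; ) n = (n << 8) | *q++;
    }
    if ((size_t)(end - q) < n) return -1; /* content must fit in the buffer */
    *p = q; *len = n;
    return tag;
}

/* Returns a bitmask of EKU_* flags, or -1 if the encoding is malformed. */
int eku_sgc_flags(const unsigned char *der, size_t derlen)
{
    const unsigned char *p = der, *end = der + derlen;
    size_t len;
    int flags = 0;
    if (der_header(&p, end, &len) != 0x30 || p + len != end) return -1;
    while (p < end) {                     /* each element must be an OID */
        if (der_header(&p, end, &len) != 0x06 || len == 0) return -1;
        if (len == sizeof MS_SGC && !memcmp(p, MS_SGC, len)) flags |= EKU_MS_SGC;
        if (len == sizeof NS_SGC && !memcmp(p, NS_SGC, len)) flags |= EKU_NS_SGC;
        p += len;
    }
    return flags;
}
```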
