Dave Clark wrote:
>
> Hello all;
>
> New OpenSSL user here who's trying to get up to speed on the X509
> component as quickly as possible ... also new to certificates ...
> forgive the novice question.
>
> I'm using X509_get_ext() and X509_EXTENSION_get_data(ext) in an attempt
> to get the basic constraints extension and determine whether the
> certificate in question is a CA certificate.
>
> The second routine returns a ASN1_OCTET_STRING containing the following:
>
> length 2
> type 4
> + data "0"
> flags 0
>
> I'm not sure I understand why I'm getting these values. Type 4 is an
> ASN1_OCTET_STRING, yes? I would expect either a BOOLEAN value or
> a SEQUENCE (acc. to X.509 spec). Also, I'm getting an ASCII '0' (0x30)
> rather than 0x00 (I know this cert is not a CA cert). Are these
> the expected values?
>
The structure you get is a DER encoded basicConstraints structure
wrapped in the OCTET STRING. You don't need to worry about that though
because extension parsing is handled by various X509V3 functions.
Check out the documentation in doc/openssl.txt (in the latest snapshot)
for some info about the extension handling API.
Basically you do something like this:
/* This assumes the basicConstraints X509_EXTENSION is in 'ext' */
BASIC_CONSTRAINTS *bs;
bs = X509V3_EXT_d2i(ext);
if (bs == NULL) ... /* extension present but its value failed to parse */
else {
    if (bs->ca) ... /* Whatever to indicate a CA certificate */
    BASIC_CONSTRAINTS_free(bs);
}
The case of basicConstraints being absent is problematical. PKIX
recommends that you assume this means it is not a CA certificate: which
is the best thing to do. However some older certificates (Verisign roots
for example) are V1 certificates that therefore don't have any
extensions and so won't be a CA by this definition.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
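The following is an added example, not code from Steve's reply or from OpenSSL itself. It decodes by hand the bytes that X509_EXTENSION_get_data() returns for basicConstraints (the contents of the extnValue OCTET STRING, which in the certificate's DER sit behind a 0x04 tag and which OpenSSL labels "type 4"), so the "length 2, data '0'" observation becomes concrete: 0x30 0x00 is an empty SEQUENCE, and because cA is declared DEFAULT FALSE an empty SEQUENCE means "not a CA". It also applies the PKIX rule from the last paragraph, treating a missing extension (None) as not a CA. All function names and the sample byte strings are mine and constructed for illustration; none come from a real certificate.

```python
# Added example: a minimal DER walker for the basicConstraints value.
# RFC 5280:  BasicConstraints ::= SEQUENCE {
#                cA                 BOOLEAN DEFAULT FALSE,
#                pathLenConstraint  INTEGER (0..MAX) OPTIONAL }
from typing import Optional, Tuple

TAG_BOOLEAN = 0x01
TAG_INTEGER = 0x02
TAG_SEQUENCE = 0x30


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value starting at buf[pos].

    Returns (tag, value_bytes, position_after_value). Short and long-form
    lengths are handled; anything truncated raises ValueError.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated DER: missing tag or length")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER: value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_basic_constraints(data: bytes) -> Tuple[bool, Optional[int]]:
    """Parse the extnValue contents (what X509_EXTENSION_get_data hands back).

    Returns (ca, path_len). An empty SEQUENCE, bytes 0x30 0x00, yields
    (False, None): cA falls back to its DEFAULT FALSE and no path length.
    """
    tag, body, end = read_tlv(data, 0)
    if tag != TAG_SEQUENCE or end != len(data):
        raise ValueError("basicConstraints must be exactly one SEQUENCE")
    ca, path_len, pos = False, None, 0
    if pos < len(body):
        tag, val, nxt = read_tlv(body, pos)
        if tag == TAG_BOOLEAN:
            # DER requires a one-octet BOOLEAN that is either 0x00 or 0xFF.
            if len(val) != 1 or val[0] not in (0x00, 0xFF):
                raise ValueError("non-DER BOOLEAN in basicConstraints")
            ca, pos = val[0] == 0xFF, nxt
    if pos < len(body):
        tag, val, nxt = read_tlv(body, pos)
        if tag != TAG_INTEGER or not val:
            raise ValueError("unexpected element in basicConstraints")
        path_len = int.from_bytes(val, "big", signed=True)
        if path_len < 0:
            raise ValueError("pathLenConstraint must be non-negative")
        pos = nxt
    if pos != len(body):
        raise ValueError("trailing data inside basicConstraints")
    return ca, path_len


def is_ca(extn_data: Optional[bytes]) -> bool:
    """PKIX rule: no basicConstraints extension at all means not a CA."""
    if extn_data is None:
        return False
    ca, _ = parse_basic_constraints(extn_data)
    return ca


def describe(extn_data: Optional[bytes]) -> str:
    """Render in the style of `openssl x509 -text`, e.g. 'CA:TRUE, pathlen:0'."""
    if extn_data is None:
        return "(no basicConstraints extension; treated as not a CA)"
    ca, path_len = parse_basic_constraints(extn_data)
    text = "CA:TRUE" if ca else "CA:FALSE"
    if path_len is not None:
        text += f", pathlen:{path_len}"
    return text


# Constructed sample values (hypothetical, not taken from real certificates).
END_ENTITY = bytes.fromhex("3000")              # SEQUENCE {}      -> the poster's "0"
CA_NO_LIMIT = bytes.fromhex("30030101ff")       # SEQUENCE { TRUE }
CA_PATHLEN0 = bytes.fromhex("30060101ff020100")  # SEQUENCE { TRUE, 0 }

if __name__ == "__main__":
    for label, sample in (("end entity", END_ENTITY), ("root CA", CA_NO_LIMIT),
                          ("issuing CA", CA_PATHLEN0), ("V1 cert", None)):
        print(f"{label:11s} {describe(sample):45s} is_ca={is_ca(sample)}")
```

In production code you would let X509V3_EXT_d2i() do this decoding, as the reply says; the walker only makes visible what that call consumes. The V1 caveat stands either way: a certificate with no extensions reaches is_ca() as None and is reported as not a CA, which is what PKIX recommends and why old V1 roots have to be trusted by some other means.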