Alexey Kobozev wrote:
>
> Hi, All!
>
> Suppose I have an SSL server and I want to check the purpose of
> the client certificate, which means that I need to check the
> enhancedKeyUsage contents. What I've done is enumerated the
> X509 extensions by X509_get_ext_count() and X509_get_ext(),
> found the enhancedKeyUsage by OID X509_EXTENSION_get_oid_buf()
> and got the X509_EXTENSION* pointer on it.
>
> Now I need to find the specified OID in this extension, for example,
> client authentication purpose with OID 1.3.6.1.5.5.7.3.1
>
> How can I do it?
>
> I can get the ASN1_OBJECT* by X509_EXTENSION_get_object() and
> X509v3_pack_type_by_OBJ() returns me X509_EXT_PACK_UNKNOWN, so
> I need to handle it like an ASN1 octet string. On this point I'm stuck.
>
> What to do next?
>
Err, start again :-)

Purpose checking is done automatically in the newer releases of OpenSSL as part of the client certificate verify process, including checking extendedKeyUsage. Several checks take place, currently documented in the x509 manual page. If you want to perform the checks yourself you can call X509_check_purpose() on the certificate.

If you still want to get the OIDs in extendedKeyUsage then you can call the X509 extension routines documented in doc/openssl.txt; X509_get_ext_d2i() will return a STACK_OF(ASN1_OBJECT) for extended key usage.

There's some documentation about manipulating an ASN1_OBJECT structure in the older SSLeay docs in doc/ssleay.txt

Steve.
-- 
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED]
PGP key: via homepage.
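The point where the original question got stuck is what the OCTET STRING of an extension actually holds: for extendedKeyUsage it is the DER encoding of the extension's own type, a SEQUENCE OF OBJECT IDENTIFIER (RFC 5280, which assigns 1.3.6.1.5.5.7.3.1 to id-kp-serverAuth and 1.3.6.1.5.5.7.3.2 to id-kp-clientAuth). That is exactly what X509_get_ext_d2i() decodes into a STACK_OF(ASN1_OBJECT) in the reply above. The program below is an added example, not code from this thread or from OpenSSL: it walks that DER by hand, with no OpenSSL dependency, so the structure is visible, and reports whether a given purpose OID is present. The byte array `sample_eku` is a constructed extension value carrying serverAuth and clientAuth; the function names `der_header`, `oid_to_dotted` and `eku_has_purpose` are the example's own. A production server should still let the library do this (X509_check_purpose(), or the automatic verify-time checks) rather than hand-parse; the decoder is here to show what the library is checking and how malformed or truncated input is rejected.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the DER inside an extendedKeyUsage extension's
 * OCTET STRING.  SEQUENCE { OID 1.3.6.1.5.5.7.3.1 (id-kp-serverAuth),
 *                           OID 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth) } */
static const uint8_t sample_eku[] = {
    0x30, 0x14,
      0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01,
      0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02
};

/* Parse one DER tag + length header from buf[0..len).  Returns the header
 * size and sets *tag / *vlen; returns 0 if the header is malformed or the
 * value would run past the end of the buffer (truncation check). */
static size_t der_header(const uint8_t *buf, size_t len, uint8_t *tag, size_t *vlen)
{
    size_t pos, n, i;
    if (len < 2) return 0;
    *tag = buf[0];
    if (buf[1] < 0x80) {                      /* short-form length */
        *vlen = buf[1];
        pos = 2;
    } else {                                  /* long-form length: n bytes follow */
        n = buf[1] & 0x7f;
        if (n == 0 || n > sizeof(size_t) || len < 2 + n) return 0;
        *vlen = 0;
        for (i = 0; i < n; i++) *vlen = (*vlen << 8) | buf[2 + i];
        pos = 2 + n;
    }
    if (*vlen > len - pos) return 0;          /* value must fit in the buffer */
    return pos;
}

/* Decode OBJECT IDENTIFIER content bytes to dotted form ("1.3.6.1.5.5.7.3.2").
 * Returns 1 on success, 0 on malformed input or an over-long arc. */
static int oid_to_dotted(const uint8_t *p, size_t n, char *out, size_t outsz)
{
    size_t i, used = 0;
    unsigned long v = 0;
    int first = 1, w;
    if (n == 0 || (p[n - 1] & 0x80)) return 0;  /* empty, or last arc unterminated */
    for (i = 0; i < n; i++) {
        if (v > (ULONG_MAX >> 7)) return 0;     /* arc too large for unsigned long */
        v = (v << 7) | (p[i] & 0x7f);
        if (p[i] & 0x80) continue;              /* continuation bit: more of this arc */
        if (first) {                            /* first byte packs the first two arcs */
            unsigned long a = v < 80 ? v / 40 : 2;
            w = snprintf(out + used, outsz - used, "%lu.%lu", a, v - a * 40);
            first = 0;
        } else {
            w = snprintf(out + used, outsz - used, ".%lu", v);
        }
        if (w < 0 || (size_t)w >= outsz - used) return 0;
        used += (size_t)w;
        v = 0;
    }
    return 1;
}

/* Walk an extKeyUsage value (SEQUENCE OF OID) looking for `want` in dotted form.
 * Returns 1 if present, 0 if absent, -1 if the DER is malformed or truncated. */
int eku_has_purpose(const uint8_t *der, size_t len, const char *want)
{
    uint8_t tag;
    size_t hlen, vlen, rem;
    const uint8_t *p;
    char dotted[128];

    hlen = der_header(der, len, &tag, &vlen);
    if (hlen == 0 || tag != 0x30) return -1;     /* outer type must be SEQUENCE */
    p = der + hlen;
    rem = vlen;
    if (rem == 0) return -1;                     /* RFC 5280: SIZE (1..MAX) */
    while (rem > 0) {
        hlen = der_header(p, rem, &tag, &vlen);
        if (hlen == 0 || tag != 0x06) return -1; /* each element must be an OID */
        if (!oid_to_dotted(p + hlen, vlen, dotted, sizeof dotted)) return -1;
        if (strcmp(dotted, want) == 0) return 1;
        p += hlen + vlen;
        rem -= hlen + vlen;
    }
    return 0;
}

int main(void)
{
    static const char *const wanted[] = {
        "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"
    };
    size_t i;
    for (i = 0; i < sizeof wanted / sizeof wanted[0]; i++) {
        int r = eku_has_purpose(sample_eku, sizeof sample_eku, wanted[i]);
        printf("%s: %s\n", wanted[i], r == 1 ? "present" : r == 0 ? "absent" : "malformed");
    }
    return 0;
}
```

The same walk is what the library performs for you: after X509_get_ext_d2i() the loop above corresponds to iterating the STACK_OF(ASN1_OBJECT) and comparing each entry (OBJ_obj2nid() or OBJ_cmp()) against the purpose you require, and X509_check_purpose() wraps that comparison together with the keyUsage and basicConstraints checks the reply mentions.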