Per Dr. Henson's suggestion I've been writing some code for Apache mod_ssl in order to 
determine the certificate class for our corporate PKI certs that have the Certificate 
Policy attribute.

I've had some odd results and wanted to see if anyone can clarify for me.

I was unable to find the Certificate Policy extension in the X509 object using 
X509_get_ext_d2i(xs, NID_certificate_policy, NULL, NULL) or any permutation thereof - 
it consistently indicated that the extension was not found.  Of course, since it's a v3 
extension, X509v3_get_ext_by_NID(xs->cert_info->extensions, NID_certificate_policies, 
-1) is more helpful and does return the index by which I can obtain the X509_EXTENSION 
object.

However, I have been unsuccessful in using that returned object - all the fields of 
both of these appear to be identical between my two different certs.  Are there any 
other objects that would be helpful for me to examine that I am missing?  Neither the 
X509_EXTENSION nor the associated ASN1_OBJECT seem to contain the information I'm 
looking for (policy OID or user notice info).  What am I missing to dereference the 
extension to a POLICYINFO object?

For reference, the stub I'm using so far:

#include <openssl/x509.h>
#include <openssl/x509v3.h>

static char *ssl_var_lookup_ssl_cert_class(apr_pool_t *p, X509 *xs)
{
    X509_EXTENSION *ex;
    ASN1_OBJECT *obj;
    int idx;

    if (xs == NULL)
        return "NoXS";

    /* Locate the certificatePolicies extension by NID; -1 starts from the first one */
    if ((idx = X509v3_get_ext_by_NID(xs->cert_info->extensions,
                                     NID_certificate_policies, -1)) < 0)
        return "DNE";

    ex  = sk_X509_EXTENSION_value(xs->cert_info->extensions, idx);
    obj = X509_EXTENSION_get_object(ex);   /* OID of the extension itself */

    /* Misc debugging output */

    return someOIDTest ? "2" : "3";
}

---------------------------------
Justin Wienckowski
Intranet Team
Northrop Grumman Mission Systems
703.345.6663 (Work)
571.437.2064 (Cell)
[EMAIL PROTECTED]
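
Added example, not part of the message above. The field the stub compares is the
extension's own OID: X509_EXTENSION_get_object() returns id-ce-certificatePolicies
(2.5.29.32), which is the same in every certificate carrying the extension; the
per-certificate policy OIDs and user notices live inside the DER of the extension
value (in OpenSSL, X509V3_EXT_d2i(ex) decodes that value into a CERTIFICATEPOLICIES,
i.e. a STACK_OF(POLICYINFO)). To show what that decoded structure actually contains,
the Python below walks the certificatePolicies DER by hand with no OpenSSL dependency
and then maps the policy OID to a class string the way the stub intends to. The sample
DER is constructed in the file; the OIDs under 1.3.6.1.4.1.99999, the CPS URI and the
class mapping are placeholders, not values from any real PKI.

```python
"""Hand-rolled DER walk of an X.509 certificatePolicies extension value.

Constructed example: the DER is built below rather than read from a real
certificate, and the policy OIDs under 1.3.6.1.4.1.99999 are placeholders.
"""

ID_QT_CPS = "1.3.6.1.5.5.7.2.1"      # PolicyQualifierId: CPS URI (IA5String)
ID_QT_UNOTICE = "1.3.6.1.5.5.7.2.2"  # PolicyQualifierId: UserNotice (SEQUENCE)

TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_IA5 = 0x16
# DisplayText CHOICE: IA5String, VisibleString, BMPString, UTF8String
TEXT_TAGS = {0x16: "ascii", 0x1A: "ascii", 0x1E: "utf-16-be", 0x0C: "utf-8"}


# --- minimal DER encoder, used only to construct the sample input -----------

def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                       # base-128, high bit set on all but last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(TAG_OID, bytes(out))


def build_sample_certificate_policies() -> bytes:
    """CERTIFICATEPOLICIES ::= SEQUENCE OF PolicyInformation (constructed sample)."""
    medium = _tlv(TAG_SEQUENCE,
        _oid("1.3.6.1.4.1.99999.1.2") +                       # policyIdentifier
        _tlv(TAG_SEQUENCE,                                    # policyQualifiers
            _tlv(TAG_SEQUENCE, _oid(ID_QT_CPS) +
                 _tlv(TAG_IA5, b"http://pki.example.test/cps")) +
            _tlv(TAG_SEQUENCE, _oid(ID_QT_UNOTICE) +
                 _tlv(TAG_SEQUENCE, _tlv(0x0C, "Medium assurance".encode("utf-8"))))))
    basic = _tlv(TAG_SEQUENCE, _oid("1.3.6.1.4.1.99999.1.3"))  # no qualifiers
    return _tlv(TAG_SEQUENCE, medium + basic)


# --- minimal DER decoder ----------------------------------------------------

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV at buf[pos]; definite lengths only."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):   # indefinite/oversized: not DER
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _expect(tag_wanted: int, buf: bytes, pos: int):
    tag, value, nxt = _read_tlv(buf, pos)
    if tag != tag_wanted:
        raise ValueError(f"expected tag 0x{tag_wanted:02x}, got 0x{tag:02x}")
    return value, nxt


def _children(seq_body: bytes):
    pos = 0
    while pos < len(seq_body):
        tag, value, pos = _read_tlv(seq_body, pos)
        yield tag, value


def _decode_oid(body: bytes) -> str:
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_certificate_policies(der: bytes) -> list:
    """Decode a certificatePolicies value into [{"oid", "cps", "notices"}, ...]."""
    outer, end = _expect(TAG_SEQUENCE, der, 0)
    if end != len(der):
        raise ValueError("trailing bytes after CERTIFICATEPOLICIES")
    policies = []
    for tag, info in _children(outer):
        if tag != TAG_SEQUENCE:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        oid_body, pos = _expect(TAG_OID, info, 0)
        entry = {"oid": _decode_oid(oid_body), "cps": [], "notices": []}
        if pos < len(info):                                   # optional qualifiers
            quals, pos = _expect(TAG_SEQUENCE, info, pos)
            for _qtag, qual in _children(quals):
                qid_body, qpos = _expect(TAG_OID, qual, 0)
                qid = _decode_oid(qid_body)
                vtag, qval, _ = _read_tlv(qual, qpos)
                if qid == ID_QT_CPS and vtag == TAG_IA5:
                    entry["cps"].append(qval.decode("ascii"))
                elif qid == ID_QT_UNOTICE and vtag == TAG_SEQUENCE:
                    # UserNotice ::= SEQUENCE { noticeRef OPTIONAL, explicitText OPTIONAL }
                    for ttag, tval in _children(qval):
                        if ttag in TEXT_TAGS:
                            entry["notices"].append(tval.decode(TEXT_TAGS[ttag]))
                # unrecognised qualifier types are skipped, not rejected
        if pos != len(info):
            raise ValueError("trailing bytes in PolicyInformation")
        policies.append(entry)
    return policies


# Placeholder OID -> class mapping standing in for the corporate policy OIDs.
POLICY_CLASS = {"1.3.6.1.4.1.99999.1.2": "2", "1.3.6.1.4.1.99999.1.3": "3"}


def certificate_class(der: bytes, policy_class=POLICY_CLASS) -> str:
    """Class of the first asserted policy OID we recognise, else "unknown"."""
    for policy in parse_certificate_policies(der):
        if policy["oid"] in policy_class:
            return policy_class[policy["oid"]]
    return "unknown"
```

The decoder rejects indefinite lengths, truncation and trailing bytes, which is
what a validator should do with a client-supplied certificate; the equivalent check
in the mod_ssl stub is to look at POLICYINFO->policyid (via OBJ_obj2txt) rather than
at the X509_EXTENSION's object.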