On Fri, Aug 21, 2009, Natanael Mignon - michael-wessel.de wrote:

> Hello,
>
> ok, what I did so far is get the extension by OID. At least I know by now,
> whether the extension is present or not:
>
> [...]
> X509 *client_cert = X509_STORE_CTX_get_current_cert(ctx);
> const char *admoid = "1.3.36.8.3.3";
> ASN1_OBJECT *admobj = NULL;
> X509_EXTENSION *admext = NULL;
> int extpos;
>
> admobj = OBJ_txt2obj(admoid, 0);
> if (admobj) {
>     extpos = X509_get_ext_by_OBJ(client_cert, admobj, -1);
>     /* X509_get_ext_by_OBJ() returns -1 when absent; index 0 is a valid position */
>     if (extpos >= 0)
>         admext = X509_get_ext(client_cert, extpos);
>     if (!admext) {
>         ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
>                       "MWDE/nm: Extension '%s' (admission) not found in cert!",
>                       admoid);
>         ok = FALSE;
> [...]
>
> Testing is positive: The extension is found by mod_ssl. But now I need to
> read and compare the field professionOID (see specs in my initial post). So
> welcome to asn1 parsing, I guess (because I'm not really familiar with that,
> I can only guess)...
>
> Any help welcome, as usual. :)
>
Yes, you can call X509_EXTENSION_get_data() to get the encoded extension as an
ASN1_OCTET_STRING structure. From that ASN1_STRING_length() and
ASN1_STRING_data() will get you the data itself.

Then it is ASN1 parsing time... there are numerous examples in the OpenSSL
code itself, see crypto/cms/cms_asn1.c for a more recent one.

Once you have an appropriate ASN1 module you can use d2i_foo() (or whatever
you call it) to decode the data you extracted above.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
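
As an added illustration (not code from this thread or from OpenSSL): a stand-alone DER walk over the bytes that ASN1_STRING_data() and ASN1_STRING_length() hand back, reporting whether a given OID occurs in them. It is a hand-written check rather than the template-based d2i_ decoder recommended above, so it cannot tell which field an OID sits in; `sample_ext`, `der_has_oid` and the 2.999 example OID are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample: SEQUENCE { UTF8String "demo", SEQUENCE { OID 2.999.1.5 } } */
static const unsigned char sample_ext[] = { 0x30,0x0e, 0x0c,0x04,'d','e','m','o',
                                            0x30,0x06, 0x06,0x04,0x88,0x37,0x01,0x05 };

/* Parse one DER header (single-byte tags only); 0 on success, -1 if malformed. */
static int der_hdr(const unsigned char *p, size_t len, unsigned *tag, size_t *clen, size_t *hlen) {
    if (len < 2 || (p[0] & 0x1f) == 0x1f) return -1;
    size_t n = p[1], i = 2;
    if (n & 0x80) {                                    /* long-form length */
        size_t k = n & 0x7f;
        if (k == 0 || k > 4 || k > len - 2) return -1; /* indefinite length is not DER */
        for (n = 0; k--; i++) n = (n << 8) | p[i];
    }
    if (n > len - i) return -1;                        /* content must fit in the buffer */
    *tag = p[0]; *clen = n; *hlen = i;
    return 0;
}

/* Render OID content octets as dotted text; 0 on success, -1 if malformed or too long. */
static int oid_to_text(const unsigned char *p, size_t len, char *out, size_t outsz) {
    unsigned long v = 0; size_t used = 0;
    if (len == 0 || (p[len - 1] & 0x80)) return -1;    /* last octet must end a value */
    for (size_t i = 0; i < len; i++) {
        if (v >> (8 * sizeof v - 7)) return -1;        /* next shift would overflow */
        v = (v << 7) | (p[i] & 0x7f);
        if (p[i] & 0x80) continue;                     /* subidentifier continues */
        unsigned long a = v < 80 ? v / 40 : 2;         /* first value packs two arcs */
        int n = used ? snprintf(out + used, outsz - used, ".%lu", v)
                     : snprintf(out, outsz, "%lu.%lu", a, v - 40 * a);
        if (n < 0 || (size_t)n >= outsz - used) return -1;
        used += (size_t)n; v = 0;
    }
    return 0;
}

/* 1 if OID `want` occurs anywhere in the DER, 0 if absent, -1 if malformed. */
int der_has_oid(const unsigned char *p, size_t len, const char *want, int depth) {
    int found = 0;
    while (len > 0) {
        unsigned tag; size_t clen, hlen; char txt[128]; int r = 0;
        if (depth > 16 || der_hdr(p, len, &tag, &clen, &hlen) != 0) return -1;
        if (tag & 0x20) r = der_has_oid(p + hlen, clen, want, depth + 1); /* constructed */
        else if (tag == 0x06) r = oid_to_text(p + hlen, clen, txt, sizeof txt) ? -1 : strcmp(txt, want) == 0;
        if (r < 0) return -1;
        found |= r; p += hlen + clen; len -= hlen + clen;
    }
    return found;
}
int main(void) { printf("%d\n", der_has_oid(sample_ext, sizeof sample_ext, "2.999.1.5", 0)); return 0; }
```

A return of -1 means the encoding did not parse and should be treated as a failed check, not as "OID absent".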