On Fri, Jul 16, 2021 at 01:11:04PM +0200, Jakob Bohm via openssl-users wrote:

> Question was how to retrieve those lists for any given certificate,
> using currently supported OpenSSL APIs.
>
> The lists of usage bits and extusage OIDs in any given certificate
> are finite, even if the list of values that could be in other
> certificates is infinite.

The bits can be retrieved via:

    X509_get_key_usage(3).
    https://www.openssl.org/docs/man1.1.1/man3/X509_get_key_usage.html

The "standard" EKU extensions can be retrieved via:

    X509_get_extended_key_usage(3)

        X509_get_extended_key_usage() returns the value of the extended
        key usage extension. If extended key usage is present it will
        return zero or more of the flags: XKU_SSL_SERVER, XKU_SSL_CLIENT,
        XKU_SMIME, XKU_CODE_SIGN XKU_OCSP_SIGN, XKU_TIMESTAMP, XKU_DVCS or
        XKU_ANYEKU. These correspond to the OIDs id-kp-serverAuth,
        id-kp-clientAuth, id-kp-emailProtection, id-kp-codeSigning,
        id-kp-OCSPSigning, id-kp-timeStamping, id-kp-dvcs and
        anyExtendedKeyUsage respectively.

To retrieve the full list of extended key usage OIDs:

    X509_get_ext_d2i(3)

        X509 *x;
        EXTENDED_KEY_USAGE *extusage;
        int i;

        ...

        if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, &i, NULL)) != NULL) {
            for (i = 0; i < sk_ASN1_OBJECT_num(extusage); ++i) {
                ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(extusage, i);
                /* Do something with "obj" */
            }
        }
        sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);

-- 
    Viktor.