Re: query on key usage OIDs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Jul 16, 2021 at 01:11:04PM +0200, Jakob Bohm via openssl-users wrote:

> Question was how to retrieve those lists for any given certificate,
> using currently supported OpenSSL APIs.
> 
> The lists of usage bits and extusage OIDs in any given certificate
> are finite, even if the list of values that could be in other
> certificates is infinite.

The bits can be retrieved via: X509_get_key_usage(3).

    https://www.openssl.org/docs/man1.1.1/man3/X509_get_key_usage.html

The "standard" EKU extensions can be retrieved via: X509_get_extended_key_usage(3)

    X509_get_extended_key_usage() returns the value of the extended key
    usage extension. If extended key usage is present it will return
    zero or more of the flags: XKU_SSL_SERVER, XKU_SSL_CLIENT,
    XKU_SMIME, XKU_CODE_SIGN XKU_OCSP_SIGN, XKU_TIMESTAMP, XKU_DVCS or
    XKU_ANYEKU. These correspond to the OIDs id-kp-serverAuth,
    id-kp-clientAuth, id-kp-emailProtection, id-kp-codeSigning,
    id-kp-OCSPSigning, id-kp-timeStamping, id-kp-dvcs and
    anyExtendedKeyUsage respectively.

To retrieve the full list of extended key usage OIDs: X509_get_ext_d2i(3)

    X509 *x;
    EXTENDED_KEY_USAGE *extusage;
    int i;

    ...

    if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, &i, NULL)) != NULL) {
        for (i = 0; i < sk_ASN1_OBJECT_num(extusage); ++i) {
            ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(extusage, i);
            /* Do something with "obj" */
        }
    }
    sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);

-- 
    Viktor.



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux