Regarding the certificate extensions - Linux


Thread: Regarding the certificate extensions

  1. Regarding the certificate extensions

    Hi,

    Presently I wrote one C program to get the values from the X509
    certificate extensions. To get the value from the extensions, I am
    using the following functions, and the flow goes like below.

    1) I am getting the value of the "nid" of the extension using the
    below function.

        nid = OBJ_sn2nid(trimmedExtensionName);

    2) Using the above nid and getting the value of the extension with
    this function:

        STACK_OF(GENERAL_NAME) *altnames;
        altnames = (STACK_OF(GENERAL_NAME) *)X509_get_ext_d2i(cert, nid, NULL, NULL);

    3) After getting this value from the certificate, I am reading the
    value using the below function.

        const GENERAL_NAME *check = sk_GENERAL_NAME_value(altnames, i);

    4) Afterwards, converting the data into string format.

    The above flow is working fine for the extension "subjectAltName"
    and it is not working for extensions like keyUsage,
    subjectKeyIdentifier, authorityInfoAccess etc. For these fields it
    is failing at the function "sk_GENERAL_NAME_value".

    This one is a showstopper for me. I am unable to trace out why it is
    failing at this function, and even when I google it I am not getting
    much information about it. If anybody knows about this, please let
    me know.

    Thanks in advance,
    Sunil.



  2. Re: Regarding the certificate extensions

    On Jan 3, 3:09 am, sunil wrote:

    > The above flow is working fine for the extension
    > "subjectAltName" and it is not working for extensions like
    > keyUsage, subjectKeyIdentifier, authorityInfoAccess etc. For these
    > fields it is failing at the function "sk_GENERAL_NAME_value".


    What are you trying to do? What do you want to do with fields like
    'keyUsage' that don't contain strings? How is it failing? Is
    sk_GENERAL_NAME_value returning NULL?

    Do you understand that various different extensions have various
    different formats? What do you want to do if that format decodes into,
    say, a list of object IDs? If you want that as a string, where is your
    code to turn it into one?

    Extensions are X.509 objects. They can contain other objects, contain
    strings, integers, times, object identifiers, lists, and so on.

    DS

  3. Re: Regarding the certificate extensions

    Hi,

    On Jan 6, 11:41 am, David Schwartz wrote:
    > On Jan 3, 3:09 am, sunil wrote:
    >
    > > The above flow is working fine for the extension
    > > "subjectAltName" and it is not working for extensions like
    > > keyUsage, subjectKeyIdentifier, authorityInfoAccess etc. For these
    > > fields it is failing at the function "sk_GENERAL_NAME_value".

    >
    > What are you trying to do? What do you want to do with fields like
    > 'keyUsage' that don't contain strings? How is it failing? Is
    > sk_GENERAL_NAME_value returning NULL?
    >
    > Do you understand that various different extensions have various
    > different formats? What do you want to do if that format decodes into,
    > say, a list of object IDs? If you want that as a string, where is your
    > code to turn it into one?
    >


    I am customizing the IBM product TAM in C for a special requirement.
    The requirement is certificate-based authentication. The TAM should
    allow the certificate to access the application if and only if it
    matches the values of particular extensions in the given certificate.
    For example, the version extension should have the value V3; only
    then should it allow access. Which extensions it has to match depends
    on the CA (certificate authority). That's the reason I have to write
    generalized code for all the extensions. But the above mentioned
    function (sk_GENERAL_NAME_value) is working only for the extension
    subjectAltName. At the same time, I am new to certificates and
    extensions.
    Please let me know if you have any idea about this.


    > Extensions are X.509 objects. They can contain other objects, contain
    > strings, integers, times, object identifiers, lists, and so on.
    >
    > DS


    Regards
    Sunil.

  4. Re: Regarding the certificate extensions

    On Jan 7, 1:33 am, sunil wrote:

    > I am customizing the IBM product TAM in C for a special requirement.
    > The requirement is certificate-based authentication. The TAM should
    > allow the certificate to access the application if and only if it
    > matches the values of particular extensions in the given certificate.
    > For example, the version extension should have the value V3; only
    > then should it allow access. Which extensions it has to match depends
    > on the CA (certificate authority). That's the reason I have to write
    > generalized code for all the extensions. But the above mentioned
    > function (sk_GENERAL_NAME_value) is working only for the extension
    > subjectAltName. At the same time, I am new to certificates and
    > extensions.
    > Please let me know if you have any idea about this.


    Take a look at how the 'x509' application handles the '-text' option.
    You cannot convert general extensions to strings any easy way because
    those extensions contain DER objects.

    It's not clear what "generalized code for all the extensions" should
    do if the extension is an unordered list of object IDs.

    DS
