Dr. Stephen Henson wrote:
> On Tue, Apr 29, 2008, Carolin Latze wrote:
>> Hello everybody,
>> I know, that might be an easy question, but I really didn't find an
>> answer till now...
>> I have a certificate in TLS (X.509) with an ASN.1 Bit String extension.
>> How do I read it out? Till now I did the following:
>> X509_EXTENSION *ext;
>> ext=X509_get_ext(cert,i);
>> os=X509_EXTENSION_get_data(ext);
>> extstr=ASN1_STRING_data(os);
>> But extstr is not exactly what it should be. It should be a bit string
>> of 20 bytes. extstr contains 20 bytes, but the first 4 bytes are always
>> "1614" and the last four bytes are missing.... Any ideas? (I am sure, I
>> am simply using the wrong functions, but everything I tried gave the
>> same result)

> You also need to retrieve the length of os using ASN1_STRING_length(os).
> What you then have is the encoding of the BIT STRING and not the content. If
> you want the content you have to call d2i_ASN1_BITSTRING() on the encoding,
> see docs and FAQ for examples of using the d2i_*() functions.

First of all: thanks for the answer. That helped a lot. I think I know
what to do: First of all, I read out the encoded data using
ASN1_STRING_data, then the length using ASN1_STRING_length. Finally I
fill in the content using d2i_ASN1_BIT_STRING. I implemented it as follows:

X509_EXTENSION *ext;
unsigned char *sstring;
const unsigned char *extstr;
long len;


if(os==NULL) int_error("d2i_ASN1_BIT_STRING returned NULL\n");
else fprintf(stdout,"d2i_ASN1_BIT_STRING
char*)malloc((size_t)os->length + 1);

The problem is that d2i_ASN1_BIT_STRING always returns:

3797:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
3797:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested
asn1 error:tasn_dec.c:830:

And I don't really have an idea about what goes wrong here. I tried to
google around but did not find a satisfactory answer. My question is: Is
there still something missing or wrong in this code or might it be
possible that I did something wrong in the assignment of the extension
when creating the certificate?

(I assigned the extensions like this:

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
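
Added example, not part of the original thread and not OpenSSL code: a self-contained DER header check that illustrates the difference between the encoding and the content of a BIT STRING, and why a decoder expecting tag 0x03 rejects other types. It assumes the "1614" the poster saw are the octets 0x16 0x14, which in DER are the IA5String tag followed by a length of 20; the helper names (`der_peek`, `der_bitstring`) and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
/* Constructed sample encodings (not taken from the poster's certificate):
 * a 20-byte IA5String (tag 0x16, length 0x14) and a 20-byte BIT STRING
 * (tag 0x03, length 0x15 = one "unused bits" octet + 20 content octets). */
static const unsigned char sample_ia5[]  = "\x16\x14" "ZZZZZZZZZZZZZZZZZZZZ";
static const unsigned char sample_bits[] = "\x03\x15\x00" "YYYYYYYYYYYYYYYYYYYY";
#define IA5_LEN  (sizeof sample_ia5 - 1)   /* drop the literal's NUL */
#define BITS_LEN (sizeof sample_bits - 1)
struct der_tlv { unsigned char tag; size_t len; const unsigned char *val; };

/* Parse one DER header (single-octet tags, definite lengths only).
 * Returns 0 on success, -1 if malformed or truncated. */
int der_peek(const unsigned char *p, size_t n, struct der_tlv *out)
{
    size_t i = 2, len;
    if (n < 2 || (p[0] & 0x1f) == 0x1f) return -1;
    len = p[1];
    if (len & 0x80) {                       /* long form: next k octets */
        size_t k = len & 0x7f;
        if (k == 0 || k > sizeof(size_t) || n < 2 + k) return -1;
        for (len = 0; i < 2 + k; i++) len = (len << 8) | p[i];
    }
    if (len > n - i) return -1;             /* content runs past buffer */
    out->tag = p[0]; out->len = len; out->val = p + i;
    return 0;
}

/* Return the BIT STRING content octets, or NULL if the encoding is not a
 * well-formed BIT STRING (this is the tag check that fails for 0x16). */
const unsigned char *der_bitstring(const unsigned char *p, size_t n,
                                   size_t *nbytes, unsigned *unused)
{
    struct der_tlv t;
    if (der_peek(p, n, &t) != 0 || t.tag != 0x03) return NULL;
    if (t.len < 1 || t.val[0] > 7 || (t.len == 1 && t.val[0] != 0)) return NULL;
    *unused = t.val[0];                     /* padding bits in last octet */
    *nbytes = t.len - 1;
    return t.val + 1;
}

int main(void)
{
    size_t nb; unsigned un; struct der_tlv t;
    if (der_peek(sample_ia5, IA5_LEN, &t) == 0)
        printf("tag 0x%02x, %zu content octets\n", t.tag, t.len);
    printf("IA5 as BIT STRING: %s\n", der_bitstring(sample_ia5, IA5_LEN, &nb, &un) ? "ok" : "wrong tag");
    printf("BIT STRING: %s\n", der_bitstring(sample_bits, BITS_LEN, &nb, &un) ? "ok" : "rejected");
    return 0;
}
```

Running the same tag check on the bytes returned by ASN1_STRING_data, before choosing a d2i_*() function, shows which ASN.1 type the extension value was actually encoded as.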