Dr. Stephen Henson wrote:
> On Tue, Apr 29, 2008, Carolin Latze wrote:
>
>
>> Hello everybody,
>>
>> I know, that might be an easy question, but I really didn't find an
>> answer till now...
>>
>> I have a certificate in TLS (X.509) with an ASN1. Bit String extension.
>> How to I read it out? Till now I did the following:
>>
>> X509_EXTENSION *ext;
>> ext=X509_get_ext(cert,i);
>> os=X509_EXTENSION_get_data(ext);
>> extstr=ASN1_STRING_data(os);
>>
>> But extstr is not exactly what it should be. It should be a bit string
>> of 20 bytes. extstr contains 20 bytes, but the first 4 bytes are always
>> "1614" and the last four bytes are missing.... Any ideas? (I am sure, I
>> am simply using the wrong functions, but everything I tried gave the
>> same result)
>>
>>

>
> You also need to retrieve the length of os using ASN1_STRING_length(os).
>
> What you then have is the encoding of the BIT STRING and not the content. If
> you want the content you have to call d2i_ASN1_BITSTRING() on the encoding,
> see docs and FAQ for examples of using the d2i_*() functions.
>
>

First of all: thanks for the answer. That helped a lot. I think, I know
what to do: First of all, I read out the encoded data using
ASN1_STRING_data, then the length using ASN1_STRING_length. Finally I
fill in the content using d2i_ASN1_BIT_STRING. I realized it as follows:

X509_EXTENSION *ext;
unsigned char *sstring;
const unsigned char *extstr;
ASN1_OCTET_STRING *os;
long len;

ext=X509_get_ext(cert,i);

os=X509_EXTENSION_get_data(ext);
extstr=ASN1_STRING_data(os);
len=ASN1_STRING_length(os);
os=d2i_ASN1_BIT_STRING(&os,&extstr,len);
if(os==NULL) int_error("d2i_ASN1_BIT_STRING
returned NULL\n");
else fprintf(stdout,"d2i_ASN1_BIT_STRING
succeeded\n");
sstring=(unsigned
char*)malloc((size_t)os->length + 1);
memcpy(sstring,os->data,(size_t)os->length);
sstring[os->length+1]='\0';


The problem is that d2i_ASN1_BIT_STRING always returns:

3797:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
tag:tasn_dec.c:1294:
3797:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested
asn1 error:tasn_dec.c:830:

And I have not really an idea about what goes wrong here. I tried to
google around but did not find a satisfactory answer. My question is: Is
there still something missing or wrong in this code or might it be
possible that I did something wrong in the assignment of the extension
when creating the certificate?

(I assigned the extensions like this:
ext=X509V3_EXT_conf_nid(NULL,&ctx,nid,ext_entries[i].value;
X509_add_ext(x509,ext,-1)

Regards
Carolin
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org