[openssl-users] X509 subject key identifier

Ken Goldman

Sep 21, 2015, 6:30:19 PM
How can I programmatically get the Subject Key Identifier as a byte
array from an X509 certificate?

(Just to show that I tried before posting)

I would like the output as a byte array, not text, so tracing the
X509_print_fp() gave clues but not an answer.

I have the general sense that it's within x509->cert_info_extensions,
and that I use NID_subject_key_identifier to extract an extension from
the stack. Then I perhaps get the ASN1 object from the extension and
from there the value.

Any leads?

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Viktor Dukhovni

Sep 22, 2015, 1:26:43 AM
On Mon, Sep 21, 2015 at 06:29:02PM -0400, Ken Goldman wrote:

> How can I programmatically get the Subject Key Identifier as a byte array
> from an X509 certificate?

Unless I'm mistaken:

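    size_t len;
    unsigned char *data;
    ASN1_OCTET_STRING *skid;

    /* NULL when the extension is absent, repeated, or fails to decode */
    skid = X509_get_ext_d2i(subject, NID_subject_key_identifier, NULL, NULL);
    if (skid != NULL) {
        len = ASN1_STRING_length(skid);
        data = ASN1_STRING_data(skid);

        ... Take unspeakable liberties with "data" and "len" ...

        /* "data" points into "skid", so free it only when done with "data" */
        ASN1_OCTET_STRING_free(skid);
    }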

--
Viktor.

Ken Goldman

Sep 22, 2015, 9:23:30 AM
This (of course) worked. I have three further questions.

1 - Am I correct that "data" points to the internal structure, and so
"skid" should not be freed until I'm done with "data"?

2 - For my education, I thought that d2i calls converted from DER to
openssl internal format. Yet, the input "subject" is an X509*, the
internal format.

3 - Are these calls documented? They're not in my usual starting point

https://www.openssl.org/docs/man1.0.1/crypto/

nor are they on the X509 page.


Viktor Dukhovni

Sep 22, 2015, 10:32:22 AM
On Tue, Sep 22, 2015 at 09:22:09AM -0400, Ken Goldman wrote:

> 1 - Am I correct that "data" points to the internal structure, and so "skid"
> should not be freed until I'm done with "data"?

Correct. The "data" element is part of the ASN1_STRING (of type
ASN1_OCTET_STRING).

> 2 - For my education, I thought that d2i calls converted from DER to openssl
> internal format. Yet, the input "subject" is an X509*, the internal format.

While the certificate object is already decoded, its extensions are not,
they are stored in DER form, and you need to extract them via suitable
decoding routines.

> 3 - Are these calls documented? They're not in my usual starting point
>
> https://www.openssl.org/docs/man1.0.1/crypto/
>
> nor are they on the X509 page.

Sadly, they're not. Please open a ticket that requests these be
documented. There's a tiny example in

doc/HOWTO/proxy_certificates.txt

but it does not amount to documentation of the interface.
If you're really feeling generous, write the document.
The underlying interface is in crypto/x509v3/v3_lib.c:

    /*-
     * Get critical flag and decoded version of extension from a NID.
     * The "idx" variable returns the last found extension and can
     * be used to retrieve multiple extensions of the same NID.
     * However multiple extensions with the same NID is usually
     * due to a badly encoded certificate so if idx is NULL we
     * choke if multiple extensions exist.
     * The "crit" variable is set to the critical value.
     * The return value is the decoded extension or NULL on
     * error. The actual error can have several different causes,
     * the value of *crit reflects the cause:
     * >= 0, extension found but not decoded (reflects critical value).
     * -1 extension not found.
     * -2 extension occurs more than once.
     */

    void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
                         int *idx)

Only certain "standard" extensions have default "d2i" methods. The list
is in:

    static const X509V3_EXT_METHOD *standard_exts[]

in the same file, but some legacy NetScape extensions are
defined in crypto/x509v3/v3_ia5.c:

    const X509V3_EXT_METHOD v3_ns_ia5_list[]

--
Viktor.
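
What the decoding step described in the reply above amounts to for this one extension, as an added example that is not part of the thread and is not OpenSSL code: the extension is held as DER, and its value is an OCTET STRING that wraps a second OCTET STRING holding the key identifier. The names der_header, skid_from_extension and sample_ext are hypothetical, the sample bytes are constructed, and the reader only handles DER lengths up to 255.

```c
#include <stddef.h>
#include <string.h>

/* Read one DER header at *p: return the tag, set *len, move *p to the content.
 * Returns -1 if truncated. Single-byte tags and lengths up to 255 only. */
static int der_header(const unsigned char **p, const unsigned char *end,
                      size_t *len)
{
    const unsigned char *q = *p;
    size_t n;
    int tag;
    if (end - q < 2) return -1;
    tag = *q++;
    n = *q++;
    if (n == 0x81 && end - q >= 1) n = *q++;     /* long form, one length byte */
    else if (n & 0x80) return -1;                /* longer forms not handled */
    if ((size_t)(end - q) < n) return -1;        /* content must fit the buffer */
    *len = n;
    *p = q;
    return tag;
}

/* Constructed sample: one Extension for OID 2.5.29.14 (subjectKeyIdentifier). */
static const unsigned char sample_ext[] = {
    0x30,0x1d, 0x06,0x03,0x55,0x1d,0x0e, 0x04,0x16, 0x04,0x14,  /* headers */
    0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 };        /* identifier */

/* Extension ::= SEQUENCE { OID, [BOOLEAN critical], OCTET STRING extnValue };
 * here extnValue wraps KeyIdentifier ::= OCTET STRING. Returns length or -1. */
int skid_from_extension(const unsigned char *ext, size_t extlen,
                        unsigned char *out, size_t cap)
{
    static const unsigned char oid[] = { 0x55, 0x1d, 0x0e };    /* 2.5.29.14 */
    const unsigned char *p = ext, *end = ext + extlen;
    size_t len;
    int tag;
    if (der_header(&p, end, &len) != 0x30 || p + len != end) return -1;
    if (der_header(&p, end, &len) != 0x06 || len != sizeof(oid) ||
        memcmp(p, oid, len) != 0) return -1;
    p += len;
    if ((tag = der_header(&p, end, &len)) == 0x01) {  /* optional critical flag */
        p += len;
        tag = der_header(&p, end, &len);
    }
    if (tag != 0x04 || p + len != end) return -1;     /* outer: extnValue */
    if (der_header(&p, end, &len) != 0x04 || p + len != end || len > cap) return -1;
    memcpy(out, p, len);                              /* caller owns the copy */
    return (int)len;
}
```

Because the identifier is copied into the caller's buffer, it stays valid after the source bytes are released, which sidesteps the lifetime question raised in the thread.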