
X509 Certificate: Need help to retrieve "Extended Key Usage" field from the certificate


Puneet Khunteta

Jul 25, 2012, 1:08:52 AM
Hello,

I am a user of the OpenSSL library.
I am looking for a method to get the "Extended Key Usage" field from an X509 certificate.
I would be grateful if you could provide me with sample code in C.

Thanks
Puneet K.

Sukalp Bhople

Jul 25, 2012, 3:07:13 AM
Hi,

You will have to go through the OpenSSL source code.

Have a look at the following files:

1. x509_v3.c (around line 74); you will find the following method:

int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid,
                          int lastpos)
{
    ASN1_OBJECT *obj;

    obj = OBJ_nid2obj(nid);
    if (obj == NULL)
        return (-2);
    return (X509v3_get_ext_by_OBJ(x, obj, lastpos));
}


Hope this helps.

--
Regards,
Sukalp Bhople.

Dr. Stephen Henson

Jul 25, 2012, 6:31:36 AM
On Wed, Jul 25, 2012, Puneet Khunteta wrote:

> Hello,
>
> I am an user of openssl library.
> I am seeking for a method to get the "Extended Key Usage" field from the
> X509 certificate .
> I will be grateful if you can provide me a sample code in c.
>

You can retrieve a structure representing any supported extension using the
function X509_get_ext_d2i. In the case of EKU you get back a
STACK_OF(ASN1_OBJECT) which you can then examine.

Have a look in the function x509v3_cache_extension in crypto/x509v3/v3_purp.c
for an example.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Puneet Khunteta

Jul 26, 2012, 3:50:01 AM
Hello Sukalp,

I have tried to use the code snippet provided by you. I am able to create the ASN1_OBJECT and get the data too, but the data is not in readable form.

I use X509 instead of X509V3.

Here is the code that I have used:

Ret = X509_get_ext_by_NID(cert, field_NID, 0);
if ((Ret > 0) && (ext = X509_get_ext(cert, Ret)))
{
    ASN1_OBJECT *obj;

    obj = OBJ_nid2obj(field_NID);

    if (obj == NULL) return(-2);
    return(X509_get_ext_by_OBJ(cert, obj, 0));
}

The object snippet that I have found is


Please help me to get the data in a readable format.

Regards.
Puneet

Saurabh Pandya

Jul 26, 2012, 5:19:40 AM
On 7/26/12, Puneet Khunteta <khuntet...@gmail.com> wrote:
> Hello Sukalp,
>
> I have tried to use the code snippet provided by use . I am able to create
> the ASN_object and get the data also.but the data is not in readable form.
>
> I use X509 instead of X509V3.
>
> Here is the code that i have used :
>
> Ret = X509_get_ext_by_NID(cert, field_NID, 0);
> if ((Ret > 0) && (ext = X509_get_ext(cert, Ret)))

Try to use X509_get_ext_d2i instead.

> {
>
> ASN1_OBJECT *obj;
>
> obj=OBJ_nid2obj(field_NID);
> if (obj == NULL) return(-2);
> return(X509_get_ext_by_OBJ(cert,obj,0));
> }
> The object snippet that i have found is
>
>
>> Sukalp Bhople.

Puneet Khunteta

Jul 26, 2012, 6:44:31 AM
Same status!!
Regards,
Puneet

Puneet Khunteta

Jul 26, 2012, 6:57:33 AM
Hello Stephen,

On using the suggestion provided by you, I got the following output snippet:


It shows extusage->data empty.

Regards,
Puneet

Hasan, Rezaul (NSN - US/Arlington Heights)

Jul 26, 2012, 12:01:49 PM

Hi All,

I have created a self-signed CA certificate, a Client certificate and a Server certificate. I signed the Client and Server certificates with the self-signed CA certificate and placed all certs in the appropriate locations. Then I attempted to create an SSL connection with 'openssl s_client ...' and get this:

Verify return code: 19 (self signed certificate in certificate chain)

Is this an error indicating that the SSL connection failed, or is it simply a "warning"? I am guessing it's just a warning, but wanted to confirm...

[root@eLite1 CERT]# openssl s_client -connect 80.1.0.1:443 -ssl3 -cert client.crt -key client.key -CApath /root/CERT
CONNECTED(00000003)
depth=1 /C=US/ST=TX/L=FTW/O=NSN/CN=82.1.0.1
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=TX/L=FTW/O=NSN/CN=80.1.0.1
   i:/C=US/ST=TX/L=FTW/O=NSN/CN=82.1.0.1
 1 s:/C=US/ST=TX/L=FTW/O=NSN/CN=82.1.0.1
   i:/C=US/ST=TX/L=FTW/O=NSN/CN=82.1.0.1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFBjCCAu4CAQEwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxCzAJBgNV
...
PZ6ww2xA989bF2G1zvHwJZsdSJOCuz/ueZ760XTdhPy8PCPbU+W9JNpv
-----END CERTIFICATE-----
subject=/C=US/ST=TX/L=FTW/O=NSN/CN=80.1.0.1
issuer=/C=US/ST=TX/L=FTW/O=NSN/CN=82.1.0.1
---
No client certificate CA names sent
---
SSL handshake has read 2998 bytes and written 709 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 4096 bit
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
    Session-ID: E09D355918C3C05C10A4B7E41BA223EA5F43A725457FB14470F727F1FE447ECD
    Session-ID-ctx:
    Master-Key: CCB3A02A4D9F090F140EFF30D18E5E82F653C77C8A66A439F4AA3E1F485713043F4AE0BEFFEB97F98D470DFD10554A20
    Key-Arg   : None
    Krb5 Principal: None
    Compression: 1 (zlib compression)
    Start Time: 1343273949
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
closed


Dave Thompson

Jul 26, 2012, 6:48:39 PM
>From: owner-ope...@openssl.org On Behalf Of Hasan, Rezaul (NSN -
US/Arlington Heights)
>Sent: Thursday, 26 July, 2012 12:02

>I have created a self-signed CA certificate, a Client certificate and a
>Server certificate. I signed the Client and Server certificates with
>the self-signed CA certificate and placed all certs in the appropriate
>locations. Then attempted to create an SSL connection with
>'openssl s_client ..' , and get this
>Verify return code: 19 (self signed certificate in certificate chain)

>Is this an error indicating that the SSL connection failed, or is it simply

>a "warning" ? I am guessing its just a warning, but wanted to confirm.

For s_client, it's a warning. s_client overrides verify errors and
allows you to continue. Most real apps don't do this and shouldn't,
so for real apps this will probably be fatal.

>... -cert client.crt -key client.key -CApath /root/CERT

Did you put your CA cert in /root/CERT with a symlink from $subjecthash.$seq,
or if you prefer directly under that name? If not, OpenSSL won't find it.

Alternatively, use -CAfile with all your roots (perhaps only one) in a file.

Puneet Khunteta

Jul 27, 2012, 3:01:08 AM
Any update?

regards,
Puneet

Hasan, Rezaul (NSN - US/Arlington Heights)

Jul 27, 2012, 4:50:42 AM
Great. Thank You :-)

Dr. Stephen Henson

Jul 27, 2012, 4:36:25 PM
On Fri, Jul 27, 2012, Puneet Khunteta wrote:

> any Update ?
>
> regards,
> Puneet
>
> On Thu, Jul 26, 2012 at 4:27 PM, Puneet Khunteta
> <khuntet...@gmail.com>wrote:
>
> > Hello Stephen,
> >
> > On using the suggestion provided by you , got the following output snippet
> >
> >
> > It shows extusage->data Empty.
> >

It's not clear what you are doing. You should get back a STACK_OF(ASN1_OBJECT)
and examine it with sk_ASN1_OBJECT_num(extusage) and
sk_ASN1_OBJECT_value(extusage, index).

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
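Steve's two replies above give the OpenSSL calls (X509_get_ext_d2i to obtain the STACK_OF(ASN1_OBJECT), then sk_ASN1_OBJECT_num and sk_ASN1_OBJECT_value to walk it). The part that tripped Puneet is what each element holds: an ASN1_OBJECT's data/length fields carry the raw DER content octets of an OBJECT IDENTIFIER, not a string, and OpenSSL renders them as "1.3.6.1.5.5.7.3.1" or "serverAuth" with OBJ_obj2txt(buf, sizeof buf, obj, 0). The block below is an added example, not code from this thread or from OpenSSL: it decodes an extendedKeyUsage value (RFC 5280 ExtKeyUsageSyntax, a SEQUENCE OF OBJECT IDENTIFIER) by hand in plain C so that it runs without libcrypto. The sample DER bytes, the purpose-name table, and the names parse_eku, oid_to_text and der_len are constructed for this example.

```c
/* Hand-decode an X.509 extendedKeyUsage value, RFC 5280 4.2.1.12:
 *   ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF OBJECT IDENTIFIER
 * An OpenSSL ASN1_OBJECT's ->data/->length hold exactly the OID content octets
 * that oid_to_text() decodes below, which is why they look unreadable as text. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PURPOSES 16
#define OID_TEXT_MAX 64

typedef struct {
    int count;
    char oid[MAX_PURPOSES][OID_TEXT_MAX];  /* dotted form, e.g. "1.3.6.1.5.5.7.3.1" */
    const char *name[MAX_PURPOSES];        /* friendly name, or "unknown" */
} eku_result;

/* Well-known KeyPurposeId values; constructed lookup table for this example. */
static const char *eku_name(const char *oid)
{
    static const struct { const char *oid, *name; } tbl[] = {
        { "1.3.6.1.5.5.7.3.1", "serverAuth" },   { "1.3.6.1.5.5.7.3.2", "clientAuth" },
        { "1.3.6.1.5.5.7.3.3", "codeSigning" },  { "1.3.6.1.5.5.7.3.4", "emailProtection" },
        { "1.3.6.1.5.5.7.3.8", "timeStamping" }, { "2.5.29.37.0", "anyExtendedKeyUsage" },
    };
    for (size_t i = 0; i < sizeof tbl / sizeof tbl[0]; i++)
        if (strcmp(oid, tbl[i].oid) == 0) return tbl[i].name;
    return "unknown";
}

/* Decode OID content octets (base-128 subidentifiers; the first one packs two
 * arcs as 40*X+Y) into dotted text. Returns chars written, -1 if malformed. */
static int oid_to_text(const uint8_t *p, size_t len, char *out, size_t outlen)
{
    size_t off = 0;
    uint64_t arc = 0;
    int first = 1, w;
    if (len == 0) return -1;
    for (size_t i = 0; i < len; i++) {
        if (arc > (UINT64_MAX >> 7)) return -1;            /* subidentifier overflow */
        arc = (arc << 7) | (p[i] & 0x7f);
        if (p[i] & 0x80) {                                 /* continuation bit set */
            if (i + 1 == len) return -1;                   /* truncated subidentifier */
            continue;
        }
        if (first) w = snprintf(out + off, outlen - off, "%llu.%llu",
                                (unsigned long long)(arc < 80 ? arc / 40 : 2),
                                (unsigned long long)(arc < 80 ? arc % 40 : arc - 80));
        else       w = snprintf(out + off, outlen - off, ".%llu", (unsigned long long)arc);
        if (w < 0 || (size_t)w >= outlen - off) return -1; /* output buffer too small */
        off += (size_t)w;
        first = 0;
        arc = 0;
    }
    return (int)off;
}

/* Read a DER length (short form, or long form of up to 4 bytes).
 * Returns the number of bytes consumed, 0 on error. */
static size_t der_len(const uint8_t *p, size_t avail, size_t *len)
{
    if (avail < 1) return 0;
    if (p[0] < 0x80) { *len = p[0]; return 1; }
    size_t nb = p[0] & 0x7f;
    if (nb == 0 || nb > 4 || avail < 1 + nb) return 0;
    *len = 0;
    for (size_t i = 0; i < nb; i++) *len = (*len << 8) | p[1 + i];
    return 1 + nb;
}

/* Parse an extnValue (the DER inside the extension's OCTET STRING). Returns 0 on
 * success, -1 if malformed; treat -1 as a verification failure, never as "no restriction". */
int parse_eku(const uint8_t *der, size_t derlen, eku_result *res)
{
    memset(res, 0, sizeof *res);
    if (derlen < 2 || der[0] != 0x30) return -1;            /* outer SEQUENCE */
    size_t seqlen, hdr = der_len(der + 1, derlen - 1, &seqlen);
    if (hdr == 0 || 1 + hdr + seqlen != derlen) return -1;  /* trailing or missing bytes */
    const uint8_t *p = der + 1 + hdr, *end = p + seqlen;
    while (p < end) {
        if (*p != 0x06 || res->count >= MAX_PURPOSES) return -1; /* element must be an OID */
        size_t olen, oh = der_len(p + 1, (size_t)(end - p - 1), &olen);
        if (oh == 0 || olen > (size_t)(end - p - 1 - oh)) return -1;
        if (oid_to_text(p + 1 + oh, olen, res->oid[res->count], OID_TEXT_MAX) < 0) return -1;
        res->name[res->count] = eku_name(res->oid[res->count]);
        res->count++;
        p += 1 + oh + olen;
    }
    return res->count > 0 ? 0 : -1;                         /* SIZE (1..MAX): empty is invalid */
}

static const uint8_t SAMPLE_EKU[] = {       /* constructed sample: serverAuth + clientAuth */
    0x30, 0x14,
    0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01,  /* 1.3.6.1.5.5.7.3.1 */
    0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02,  /* 1.3.6.1.5.5.7.3.2 */
};
```

Calling parse_eku(SAMPLE_EKU, sizeof SAMPLE_EKU, &r) fills r.oid with "1.3.6.1.5.5.7.3.1" and "1.3.6.1.5.5.7.3.2" and r.name with "serverAuth" and "clientAuth"; passing a derlen shorter than the SEQUENCE header announces (for instance sizeof SAMPLE_EKU - 4) returns -1, as does an empty OID element, and a consumer should fail verification in that case rather than fall back to "no restriction". On the OpenSSL side the equivalent loop is EXTENDED_KEY_USAGE *eku = X509_get_ext_d2i(cert, NID_ext_key_usage, NULL, NULL), OBJ_obj2txt on each sk_ASN1_OBJECT_value(eku, i), then EXTENDED_KEY_USAGE_free(eku); a NULL return means the extension is absent, which RFC 5280 treats as unrestricted, and X509_check_purpose() applies that rule for the standard purposes.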