Here is what I am trying to do...
The config file has these lines:
[ CA_default ]
..
x509_extensions = usr_cert
[ usr_cert ]
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
# Certificate Policies
certificatePolicies = ia5org,@capol
certificatePolicies = ia5org,@capol
[ capol ]
#####################################################
# Generic Certificate Policies
#####################################################
[capol]
policyIdentifier=avayaCPS
CPS.1=https://www.foo.com;
# Generic Certificate Policies
#####################################################
[capol]
policyIdentifier=avayaCPS
CPS.1=https://www.foo.com;
[capoln]
explicitText="Please visit http://www.foo.com for details.";
organization="Product CA"
noticeNumbers=1
explicitText="Please visit http://www.foo.com for details.";
organization="Product CA"
noticeNumbers=1
I am using the following to read
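// Read the OpenSSL config file named by pSSLConfigFile into the global
// pConfig and validate the X509v3 extension section it names.
//
// Flow: NCONF_new/NCONF_load the file, register the built-in config
// modules and apply them (CONF_modules_load), look up the default CA
// section name from BASE_SECTION/DEFAULT_CA, read the V3_EXTENSIONS
// value from that section, then parse that extension section in test
// mode (X509V3_set_ctx_test) so every value is checked without being
// attached to a certificate.
//
// On success: pConfig holds the parsed CONF, `section` and
// pGlobalExtensions point at strings owned by pConfig, SUCCESS is
// returned. On any failure: pConfig is freed and reset to NULL, the two
// string globals are reset to NULL (they would otherwise dangle), and
// FAILURE is returned. The caller must not free pConfig after FAILURE.
// The "// Log ..." comments mark where logging belongs; nothing is
// logged here.
int readSSLConfigFile(char *pSSLConfigFile)
{
    long errorline = -1;

    // NCONF_load() cannot take a NULL path; refuse it up front.
    if (pSSLConfigFile == NULL) {
        // Log message no config file name given
        return FAILURE;
    }

    // NCONF_new() can fail (allocation); the original passed the result
    // straight to NCONF_load() unchecked.
    pConfig = NCONF_new(NULL);
    if (pConfig == NULL) {
        // Log message Error allocating config
        return FAILURE;
    }

    // NCONF_load() returns 1 on success and 0 on failure. The original
    // test was "< 0", which never fires, so a missing or malformed file
    // was silently accepted and only surfaced as a later lookup failure.
    if (NCONF_load(pConfig, pSSLConfigFile, &errorline) <= 0) {
        if (errorline <= 0) {
            // Log message Error loading config file
        } else {
            // Log message Error on line %ld of config file %s:, errorline
        }
        goto fail;
    }

    // Register the built-in config modules before applying the file to
    // them; CONF_modules_load() returns <= 0 on error.
    OPENSSL_load_builtin_modules();
    if (CONF_modules_load(pConfig, NULL, 0) <= 0) {
        // log error configuring OpenSSL
        goto fail;
    }

    // Name of the default CA section, taken from the base section.
    section = NCONF_get_string(pConfig, BASE_SECTION, DEFAULT_CA);
    if (section == NULL) {
        // Log config base section lookup failed
        goto fail;
    }

    // Name of the extension section that the CA section points at.
    pGlobalExtensions = NCONF_get_string(pConfig, section, V3_EXTENSIONS);
    if (pGlobalExtensions == NULL) {
        // Log message failed to read global config file
        goto fail;
    }

    {
        // Test mode: the extension section (and every @subsection it
        // references) is parsed and validated but attached to no
        // certificate. Each value must be accepted by the matching
        // extension parser; for certificatePolicies that means the
        // policyIdentifier must be an OID OpenSSL can resolve (dotted
        // form, or a name registered through an oid_section / OBJ_create)
        // — an unknown name makes this call fail. Worth confirming against
        // the config when this call is the one that errors.
        X509V3_CTX ctx;
        X509V3_set_ctx_test(&ctx);
        X509V3_set_nconf(&ctx, pConfig);
        if (!X509V3_EXT_add_nconf(pConfig, &ctx, pGlobalExtensions, NULL)) {
            // Log message Failed to load extension section %s pGlobalExtensions
            goto fail;
        }
    }
    return SUCCESS;

fail:
    // Release the partially built config so a retry starts clean, and
    // drop the pointers into it.
    NCONF_free(pConfig);
    pConfig = NULL;
    section = NULL;
    pGlobalExtensions = NULL;
    return FAILURE;
}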
It fails at X509V3_EXT_add_nconf. When I comment out the line containing the policy identifier (@capol), it works fine.
Am I missing something?
satish