Hi,

The following patch adds a new option, '-ext_print' to the x509
program which prints out the x509v3 extensions included in a
certificate. The use case for this patch is that for users who use
the command line program to parse and analyze certificates, it is
useful to get the extensions on their own to evaluate whether the
certificate is correct for its planned usage. The only way to programmatically do
this without my patch is to print the entire certificate using the
'-text' option then use a scripting tool such as perl or sed/awk to
extract the extensions from the output.

There are similar options available for other certificate fields
(-ocsp_uri, the validity dates, etc.), so this change does not seem to go
against the general philosophy of the program's output.

I've tested this patch against 0.9.8k and 1.0.0-beta3.

Thanks,
Walter Goulet


--- ../../openssl-1.0.0-beta3/apps/x509.c       2009-07-14
11:14:39.000000000 -0400
+++ x509.c      2009-09-24 23:52:32.000000000 -0400
@@ -107,6 +107,7 @@
 " -startdate      - notBefore field\n",
 " -enddate        - notAfter field\n",
 " -purpose        - print out certificate purposes\n",
+" -ext_print      - print out certificate extensions\n",
 " -dates          - both Before and After dates\n",
 " -modulus        - print the RSA key modulus\n",
 " -pubkey         - output the public key\n",
@@ -181,6 +182,7 @@
        int subject_hash=0,issuer_hash=0,ocspid=0;
        int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0;
        int ocsp_uri=0;
+       int ext_print=0;
        int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
        int C=0;
        int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
@@ -382,6 +384,8 @@
                        email= ++num;
                else if (strcmp(*argv,"-ocsp_uri") == 0)
                        ocsp_uri= ++num;
+               else if (strcmp(*argv,"-ext_print") == 0)
+                       ext_print= ++num;
                else if (strcmp(*argv,"-serial") == 0)
                        serial= ++num;
                else if (strcmp(*argv,"-next_serial") == 0)
@@ -735,6 +739,28 @@
                                ASN1_INTEGER_free(ser);
                                BIO_puts(out, "\n");
                                }
+                        else if (ext_print == i)
+                                {
+                                X509_EXTENSION* ext = NULL;
+                                ASN1_OBJECT* extobj = NULL;
+                                int critical = 0;
+                                int count =
X509v3_get_ext_count(x->cert_info->extensions);
+                                int j=0;
+                                for(j = 0; j < count; j++)
+                                        {
+                                        ext = X509_get_ext(x,j);
+                                        extobj =
X509_EXTENSION_get_object(ext);
+                                        critical =
X509_EXTENSION_get_critical(ext);
+                                        i2a_ASN1_OBJECT(STDout,extobj);
+                                        if(critical)
+
BIO_printf(STDout,"%s","(Critical)\n");
+                                        else
+                                                BIO_printf(STDout,"\n");
+
X509V3_EXT_print(STDout,ext,nmflag,certflag + 4);
+                                        BIO_printf(STDout,"\n");
+                                        }
+
+                                }
                        else if ((email == i) || (ocsp_uri == i))
                                {
                                int j;
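Review bot: The call `X509V3_EXT_print(STDout,ext,nmflag,certflag + 4)` in this hunk has its last two arguments mixed up: the third parameter is the X509V3_EXT_* flag word that selects how unknown or unparseable extensions are shown and the fourth is the indent in columns, yet `nmflag` (which looks like the -nameopt name-formatting flags) is passed as the flag and `certflag + 4` (the -certopt bitmask plus four) as the indent, so any non-default -certopt produces a huge indent and the ext_* options never reach the extension printer. The return value of that call is also discarded; under the default flags it returns 0 when the extension cannot be decoded, so such an extension — a critical one included — is listed by OID alone with its value silently dropped, which undercuts the stated goal of judging whether a certificate fits its intended use. Passing `certflag` as the flag and dumping the raw value when decoding fails addresses both; `X509_get_ext_count(x)` would additionally avoid reaching into `x->cert_info->extensions` when `X509_get_ext(x,j)` is already used for the lookup.
```c
/* … unchanged: OID and criticality printing … */
if (!X509V3_EXT_print(STDout, ext, certflag, 4))
        {
        /* undecodable extension: show the raw value rather than nothing */
        BIO_printf(STDout, "%*s", 4, "");
        ASN1_STRING_print(STDout, X509_EXTENSION_get_data(ext));
        }
BIO_printf(STDout, "\n");
```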
