On Wed, Jun 04, 2003, [EMAIL PROTECTED] wrote:

> Per Dr. Henson's suggestion I've been writing some code for Apache mod_ssl
> in order to determine the certificate class for our corporate PKI certs that
> have the Certificate Policy attribute.
>
> I've had some odd results and wanted to see if anyone can clarify for me.
>
> I was unable to find the Certificate Policy extension in the X509 object
> using X509_get_ext_d2i(xs, NID_certificate_policy, NULL, NULL) or any
> permutation thereof - it consistently indicated that the extension was not
> found. Of course since it's a v3 extension,
> X509v3_get_ext_by_NID(xs->cert_info->extensions, NID_certificate_policies,
> -1) is more helpful and does return the index by which I can obtain the
> X509_EXTENSION object.
>
Well, all certificate extensions are V3. You shouldn't call X509v3_get_ext_by_NID directly with certificate structure internals; X509_get_ext_by_NID should be used instead.

> However, I have been unsuccessful in using that returned object - all the
> fields of both of these appear to be identical between my two different
> certs. Are there any other objects that would be helpful for me to examine
> that I am missing? Neither the X509_EXTENSION nor the associated
> ASN1_OBJECT seem to contain the information I'm looking for (policy OID or
> user notice info). What am I missing to dereference the extension to a
> POLICYINFO object?
>

Well, that's because if you just look up extensions via X509_get_ext_by_NID you always get an X509_EXTENSION structure; you'd have to parse the contents manually.

Anyway, you shouldn't need to do any of that. X509_get_ext_d2i() should do it all for you; you should use the NID NID_certificate_policies. If it isn't working then there's a bug somewhere, either in your usage of the function, the certificate or OpenSSL itself.

Can you send me a sample certificate where it appears not to work?

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]