Tried the following:

    CERTIFICATEPOLICIES *cp;   /* STACK_OF(POLICYINFO): the type X509_get_ext_d2i returns for this NID */
    if ((cp = X509_get_ext_d2i(xs, NID_certificate_policies, NULL, NULL)) == NULL)
        return "NoCP";
And it does indeed return NULL and thus "NoCP", even when X509_get_ext_by_NID does return a valid X509_EXTENSION object.

Attached is the client cert I am using as captured from the SSL_CLIENT_CERT environment variable through a CGI script. openssl x509 -text -noout does print the Certificate Policy extension.

---------------------------------
Justin Wienckowski
Intranet Team
Northrop Grumman Mission Systems
703.345.6663 (Work)
571.437.2064 (Cell)
[EMAIL PROTECTED]

> -----Original Message-----
> From: Dr. Stephen Henson [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 04, 2003 11:47 AM
> To: [EMAIL PROTECTED]
> Subject: Re: X509 Extension Parsing
>
>
> On Wed, Jun 04, 2003, [EMAIL PROTECTED] wrote:
>
> > Per Dr. Henson's suggestion I've been writing some code for Apache mod_ssl
> > in order to determine the certificate class for our corporate PKI certs that
> > have the Certificate Policy attribute.
> >
> > I've had some odd results and wanted to see if anyone can clarify for me.
> >
> > I was unable to find the Certificate Policy extension in the X509 object
> > using X509_get_ext_d2i(xs, NID_certificate_policy, NULL, NULL) or any
> > permutation thereof - it consistently indicated that the extension was not
> > found. Of course since it's a v3 extension,
> > X509v3_get_ext_by_NID(xs->cert_info->extensions, NID_certificate_policies, -1)
> > is more helpful and does return the index by which I can obtain the
> > X509_EXTENSION object.
> >
>
> Well all certificate extensions are V3. You shouldn't call
> X509v3_get_ext_by_NID directly with certificate structure internals,
> X509_get_ext_by_NID should be used instead.
>
> > However, I have been unsuccessful in using that returned object - all the
> > fields of both of these appear to be identical between my two different
> > certs. Are there any other objects that would be helpful for me to examine
> > that I am missing? Neither the X509_EXTENSION nor the associated
> > ASN1_OBJECT seem to contain the information I'm looking for (policy OID or
> > user notice info). What am I missing to dereference the extension to a
> > POLICYINFO object?
> >
>
> Well that's because if you just look up extensions via X509_get_ext_by_NID
> you always get an X509_EXTENSION structure, you'd have to parse the contents
> manually.
>
> Anyway, you shouldn't need to do any of that, X509_get_ext_d2i() should do it
> all for you, you should use the NID NID_certificate_policies.
>
> If it isn't working then there's a bug somewhere, either in your usage of the
> function, the certificate or OpenSSL itself. Can you send me a sample
> certificate where it appears not to work?
>
> Steve.
> --
> Dr Stephen N. Henson.
> Core developer of the OpenSSL project: http://www.openssl.org/
> Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
> Email: [EMAIL PROTECTED], PGP key: via homepage.
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
client_cert.pem
Description: Binary data