On Wed, Jun 04, 2003, [EMAIL PROTECTED] wrote:

> Tried the following:
>
> POLICYINFO *cp;
> if ((cp = X509_get_ext_d2i(xs, NID_certificate_policies, NULL, NULL)) ==
> NULL)
> return "NoCP";
>
> And it does indeed return NULL and thus "NoCP", even when
> X509_get_ext_by_NID does return a valid X509_EXTENSION object.
>
> Attached is the client cert I am using as captured from the
> SSL_CLIENT_CERT environment variable through a CGI script.
>
> openssl x509 -text -noout does print the Certificate Policy extension.
The return value for NID_certificate_policies is in fact STACK_OF(POLICYINFO) *
not POLICYINFO *. Also there's more than one reason why X509_get_ext_d2i() can
return NULL. It may be extension not found or an ASN1 parsing error.

The weird looking output from the x509 utility is a clue, that stuff is
produced when the extension is either unsupported or not parseable. If you do:

openssl x509 -text -noout -in client_cert.pem -certopt ext_error

you'll see:

X509v3 Certificate Policies:
    <Parse Error>
1.3.6.1.4.1.311.21.10:
    <Not Supported>

that <Parse Error> means the ASN1 code found something it wasn't expecting.

Now doing:

openssl x509 -text -noout -in client_cert.pem -certopt ext_parse

gives:

X509v3 Certificate Policies:
     0:d=0  hl=3 l= 129 cons: SEQUENCE
     3:d=1  hl=2 l= 127 cons: SEQUENCE
     5:d=2  hl=2 l=  11 prim: OBJECT            :1.3.6.1.4.1.16334.509.2.2
    18:d=2  hl=2 l= 112 cons: SEQUENCE
    20:d=3  hl=2 l= 110 cons: SEQUENCE
    22:d=4  hl=2 l=   8 prim: OBJECT            :Policy Qualifier CPS
    32:d=4  hl=2 l=  98 prim: BMPSTRING

To cut a lot of ASN1 analysis out that last BMPSTRING should be a CPSuri type
which is defined in RFC3280 as being of type IA5String. That's what's choking
the parser.

Or to summarize: the problem is that the certificate is broken because it has
an invalid format Certificate Policies extension.

Steve.
-- 
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
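A stand-alone check for the defect Steve identifies, added here as an example and not code from the thread or from OpenSSL: it walks the DER value of a certificatePolicies extension and reports any CPS qualifier whose value is not an IA5String, without needing OpenSSL to decode the extension first. It assumes the structure shown in the ext_parse dump above; the policy OID is taken from that dump, while the URL and the two sample encodings are constructed.

```python
SEQUENCE, OID, IA5STRING, BMPSTRING = 0x30, 0x06, 0x16, 0x1E
ID_QT_CPS = bytes.fromhex("2b06010505070201")         # 1.3.6.1.5.5.7.2.1 (id-qt-cps)
POLICY_OID = bytes.fromhex("2b06010401ff4e837d0202")  # 1.3.6.1.4.1.16334.509.2.2, from the dump

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at buf[pos]; handles long-form lengths."""
    tag, first = buf[pos], buf[pos + 1]
    hdr = 2 if first < 0x80 else 2 + (first & 0x7F)
    length = first if first < 0x80 else int.from_bytes(buf[pos + 2:pos + hdr], "big")
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated TLV at offset %d" % pos)
    return tag, buf[pos + hdr:end], end

def children(value):  # yield (tag, value) for each TLV directly inside a constructed value
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def check_certificate_policies(der):
    """Return [(policy_oid_hex, problem_or_None)] for every CPS qualifier found."""
    _, body, _ = read_tlv(der, 0)                   # outer SEQUENCE OF PolicyInformation
    results = []
    for _, pinfo in children(body):                 # each PolicyInformation
        items = list(children(pinfo))               # [policyIdentifier, policyQualifiers?]
        for _, qual in (children(items[1][1]) if len(items) > 1 else ()):
            parts = list(children(qual))            # [policyQualifierId, qualifier]
            if parts[0][1] != ID_QT_CPS:
                continue                            # userNotice and others are not checked here
            vtag = parts[1][0]
            problem = None if vtag == IA5STRING else "CPSuri tag 0x%02x, expected IA5String 0x16" % vtag
            results.append((items[0][1].hex(), problem))
    return results

def tlv(tag, value):  # DER-encode one TLV; used only to build the constructed samples below
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def build_ext(uri_tag, uri_bytes):  # one policy with one CPS qualifier, as in the ext_parse dump
    qualifier = tlv(SEQUENCE, tlv(OID, ID_QT_CPS) + tlv(uri_tag, uri_bytes))
    return tlv(SEQUENCE, tlv(SEQUENCE, tlv(OID, POLICY_OID) + tlv(SEQUENCE, qualifier)))

URI = "http://cps.example.invalid/policy"                    # constructed placeholder URL
BROKEN_EXT = build_ext(BMPSTRING, URI.encode("utf-16-be"))  # mirrors the cert in the thread
FIXED_EXT = build_ext(IA5STRING, URI.encode("ascii"))       # what RFC 3280 requires
```

When staying in the C API, passing a non-NULL crit pointer to X509_get_ext_d2i() lets a caller tell the two NULL cases apart in current OpenSSL releases: *crit is set to -1 when the extension is absent (and -2 when it occurs more than once), but holds the critical flag (0 or 1) when the extension was found and decoding failed.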