On Mon, Jun 05, 2006, Stefan Vatev wrote:

> What I want is only the nonce, not the whole ASN1 structure.
> I don't know which is the best way to parse it.
> 
> 
> First, I get the X509_EXTENSION from the OCSP_RESPONSE
> 
> bs = OCSP_response_get1_basic(response)
> 
> resp_idx = OCSP_BASICRESP_get_ext_by_NID(bs,
> NID_id_pkix_OCSP_Nonce, -1)
> 
> resp_ext = OCSP_BASICRESP_get_ext(bs, resp_idx)
> 
> Then I tried to use:
> BIO* bio = BIO_new(BIO_s_mem());
> ASN1_STRING_print(bio, resp_ext->value);
> 
> But what I've got is the whole ASN1 structure, not only the
> nonce itself.
> 
> The only solution I've thought of is in the following lines:
> 
> 
> const unsigned char* p = resp_ext->value->data;
> int tag;
> int xclass;
> long len;
> ASN1_get_object(&p,&len,&tag,&xclass,
> resp_ext->value->length);
> 
> 
> Then p points to the real nonce and len is its length.
> 
> resp_ext->value->length - len == the length of the ASN1 tag
> preceding the nonce
> 
> 
> Is this a good solution? I think that ASN1_get_object is
> too low-level a function and I think there should be a better
> solution.
> 

Well you should note that the nonce is handled as raw data because the specs
didn't make it clear that the nonce should be an OCTET STRING embedded in the
extension value. So OpenSSL treats it as an opaque structure when it is parsed
and just compares the whole encoding. When it produces a nonce it makes sure
it is an OCTET STRING.

Some OCSP clients would send raw unformatted random data in the OCSP nonce
extension value so OpenSSL does this for interoperability reasons.

So arguably the nonce is the extension value. However if you want the octet
string contents just call d2i_ASN1_OCTET_STRING() on the extension value.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
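Steve's suggestion worked through as an added example (not code from the thread or from OpenSSL itself): a standalone C routine that does on the extension value what d2i_ASN1_OCTET_STRING() would do, unwrapping a single OCTET STRING and otherwise keeping the raw bytes as the nonce, plus a content comparison that lets a raw client nonce match the OCTET STRING a responder echoes back. The sample values are constructed; in real code you would call d2i_ASN1_OCTET_STRING() on resp_ext->value and fall back to the raw value when that fails.

```c
#include <string.h>

/* val/vlen is the DER extension value (resp_ext->value->data / ->length).
 * If it is exactly one definite-length OCTET STRING (tag 0x04), point *nonce
 * at its contents and return their length with *wrapped = 1. Otherwise the
 * whole value is the nonce (*wrapped = 0), as OpenSSL treats it when comparing
 * request and response nonces. Returns -1 on empty input. */
long ocsp_nonce_unwrap(const unsigned char *val, size_t vlen,
                       const unsigned char **nonce, int *wrapped)
{
    if (val == NULL || vlen == 0)
        return -1;
    *nonce = val; *wrapped = 0;
    if (vlen < 2 || val[0] != 0x04)
        return (long)vlen;                     /* no OCTET STRING tag: raw */
    size_t hdr, len;
    if (val[1] < 0x80) {                       /* short-form length */
        len = val[1]; hdr = 2;
    } else {                                   /* long form: 0x8n + n bytes */
        size_t n = val[1] & 0x7f;
        if (n == 0 || n > sizeof(size_t) || vlen < 2 + n)
            return (long)vlen;                 /* indefinite/oversized: raw */
        len = 0;
        for (size_t i = 0; i < n; i++)
            len = (len << 8) | val[2 + i];
        hdr = 2 + n;
    }
    if (hdr + len != vlen)                     /* truncated or trailing bytes */
        return (long)vlen;
    *nonce = val + hdr; *wrapped = 1;
    return (long)len;
}

/* Compare two nonce extension values by their unwrapped contents, so a raw
 * client nonce still matches the OCTET STRING a responder echoes back. */
int ocsp_nonce_contents_equal(const unsigned char *a, size_t alen,
                              const unsigned char *b, size_t blen)
{
    const unsigned char *na, *nb; int wa, wb;
    long la = ocsp_nonce_unwrap(a, alen, &na, &wa);
    long lb = ocsp_nonce_unwrap(b, blen, &nb, &wb);
    return la > 0 && la == lb && memcmp(na, nb, (size_t)la) == 0;
}

/* Constructed samples: the same 8 nonce bytes, once wrapped in an OCTET
 * STRING (as OpenSSL emits) and once sent raw (as some clients do). */
static const unsigned char SAMPLE_WRAPPED[] = {
    0x04, 0x08, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 };
static const unsigned char SAMPLE_RAW[] = {
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 };
```

Note that a raw nonce whose first bytes happen to form a valid OCTET STRING header is ambiguous under this heuristic, which is one reason OpenSSL compares the whole encoding instead.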
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]