Great, thx again for your advice. If someone suffers the same problem
of retrieving the OCSP URI from an X509, my code can be found here:
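
    #include <string.h>
    #include <openssl/bio.h>
    #include <openssl/crypto.h>
    #include <openssl/objects.h>
    #include <openssl/x509.h>
    #include <openssl/x509v3.h>

    /*
     * Collects every OCSP entry of the Authority Information Access extension.
     * Each entry is written as GENERAL_NAME_print() prints it (a URI carries
     * a "URI:" prefix) and is NUL-terminated; "\0\0" closes the list.
     * On success *urls is a copy that the caller releases with OPENSSL_free().
     */
    char* get_OCSPlocation_from_X509(X509* cert, char** urls)
    {
        BIO* mem=NULL;
        ACCESS_DESCRIPTION* ad=NULL;
        STACK_OF(ACCESS_DESCRIPTION)* ads=NULL;
        char* data=NULL;
        long len;
        int adsnum;
        int crit;
        int idx;
        int i;

        if(!cert||!urls)
            return NULL;
        *urls=NULL;
        mem=BIO_new(BIO_s_mem());
        if(!mem)
            goto cleanup;
        crit=0;
        idx=-1; /* -1 starts the search at the first extension; 0 would skip it */
        ads=(STACK_OF(ACCESS_DESCRIPTION)*)X509_get_ext_d2i(cert,
            NID_info_access, &crit, &idx);
        if(!ads)
            goto cleanup;
        adsnum=sk_ACCESS_DESCRIPTION_num(ads);
        for(i=0; i<adsnum; i++)
        {
            ad=sk_ACCESS_DESCRIPTION_value(ads, i);
            if(!ad)
                continue;
            if(OBJ_obj2nid(ad->method)==NID_ad_OCSP)
            {
                if(GENERAL_NAME_print(mem, ad->location)<=0)
                    goto cleanup;
                BIO_write(mem, "\0", 1); /* terminate this entry */
            }
        }
        BIO_write(mem, "\0\0", 2); /* end-of-list marker */
        (void)BIO_flush(mem);
        /* Copy the result out so the BIO can be freed together with its buffer. */
        len=BIO_get_mem_data(mem, &data);
        if(len>0 && (*urls=OPENSSL_malloc((size_t)len))!=NULL)
            memcpy(*urls, data, (size_t)len);
    cleanup:
        if(ads) /* pop_free also frees the entries, not only the stack */
            sk_ACCESS_DESCRIPTION_pop_free(ads, ACCESS_DESCRIPTION_free);
        if(mem)
            BIO_free(mem);
        return *urls;
    }
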
The function returns all OCSP URLs found within a certificate; the
output has the following syntax:
char* url=
URL1\0
URL2\0
URLn\0
\0\0
Michael

On Nov 24, 2006, at 6:52 PM, Dr. Stephen Henson wrote:

> On Fri, Nov 24, 2006, Michael Stephan wrote:
>
>> Hello,
>>
>> is it possible (I know it is, but not to me at the moment :) ), to
>> "easily" retrieve the OCSP URI from a X509 v3 certificate extension
>> list?
>>
>> X509v3 extensions:
>> ..
>> Authority Information Access:
>> OCSP: URI:http:http://ocsp.com
>> ..
>>
>> Would be great if you can help me with a tiny code snippet.
>
> While not trivial it is relatively straightforward. You first need to
> retrieve the AIA extension using X509_get_ext_d2i().
>
> The retrieved structure is a STACK_OF(ACCESS_DESCRIPTION). You look through
> that for a method which matches the OCSP OID and the URI (assuming it is
> the correct type) is in the "location" field.
>
> Actually it makes sense to have a function to do this so the 'ocsp' utility
> can automatically use the correct URI. I'll look into adding one.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
______________________________________________________________________
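
An added example, not part of the original thread or of OpenSSL: a bounds-checked reader for the "ENTRY\0ENTRY\0...\0\0" list format described in the message above, keeping only http/https URIs. The name ocsp_list_urls, the explicit length argument and the sample buffer are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample in the list format from the post; each entry looks
 * the way GENERAL_NAME_print() writes it ("URI:<value>", "DNS:<value>"). */
static const char sample[] =
    "URI:http://ocsp.example.test\0"
    "DNS:ocsp.example.test\0"
    "URI:ldap://dir.example.test/\0"
    "URI:https://ocsp2.example.test/\0"
    "\0\0";

/* Walks buf (len bytes; the caller has to track len, the function in the
 * post does not return it). Stores up to max pointers to http:// or
 * https:// URLs in out[] and returns how many were stored, or -1 if the
 * list is not terminated inside the buffer. */
int ocsp_list_urls(const char *buf, size_t len, const char **out, int max)
{
    size_t pos = 0;
    int n = 0;

    while (pos < len) {
        const char *entry = buf + pos;
        const char *end = memchr(entry, '\0', len - pos);
        if (end == NULL)
            return -1;          /* entry runs past the buffer */
        if (end == entry)
            return n;           /* empty entry: end-of-list marker */
        if (strncmp(entry, "URI:", 4) == 0) {
            const char *url = entry + 4;
            if ((strncmp(url, "http://", 7) == 0 ||
                 strncmp(url, "https://", 8) == 0) && n < max)
                out[n++] = url; /* other schemes and name types are skipped */
        }
        pos += (size_t)(end - entry) + 1;
    }
    return -1;                  /* no end-of-list marker found */
}

int main(void)
{
    const char *urls[8];
    int i, n = ocsp_list_urls(sample, sizeof(sample), urls, 8);
    for (i = 0; i < n; i++)
        printf("%s\n", urls[i]);
    return n < 0;
}
```

The returned pointers refer into the original buffer, so they stay valid only until that buffer is freed.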