Hello, ok, what I did so far is get the extension by OID. At least I know by now, whether the extension is present or not:
[...]
    X509 *client_cert = X509_STORE_CTX_get_current_cert(ctx);
    const char *admoid = "1.3.36.8.3.3";        /* ISIS-MTT "Admission" extension */
    ASN1_OBJECT *admobj = NULL;
    X509_EXTENSION *admext = NULL;
    int extpos;

    admobj = OBJ_txt2obj(admoid, 0);
    if (admobj) {
        /* X509_get_ext_by_OBJ() returns the index or -1; index 0 is a valid hit,
           so the test must be ">= 0", not a plain truth test */
        extpos = X509_get_ext_by_OBJ(client_cert, admobj, -1);
        if (extpos >= 0)
            admext = X509_get_ext(client_cert, extpos);
        ASN1_OBJECT_free(admobj);                 /* OBJ_txt2obj() allocates for unknown OIDs */
        if (!admext) {
            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
                          "MWDE/nm: Extension '%s' (admission) not found in cert!", admoid);
            ok = FALSE;
[...]

Testing is positive: the extension is found by mod_ssl. But now I need to read and compare the field professionOID (see specs in my initial post). So welcome to ASN.1 parsing, I guess (because I'm not really familiar with that, I can only guess)... Any help welcome, as usual. :)

Mit freundlichen Grüßen / Kind regards
Natanael Mignon

________________________________
From: Natanael Mignon - michael-wessel.de
Sent: Tuesday, 18 August 2009 16:13
To: openssl-users@openssl.org
Subject: Accessing unknown certificate extensions by OID

Dear list, another trial. ;) We need to validate the existence and value of an X.509 extension in a client certificate from within Apache/mod_ssl.
The extension "Admission" is described by ISIS-MTT and has OID 1.3.36.8.3.3:

    AdmissionSyntax ::= SEQUENCE {
        admissionAuthority    GeneralName OPTIONAL,
        contentsOfAdmissions  SEQUENCE OF Admissions
    }

    Admissions ::= SEQUENCE {
        admissionAuthority  [0] EXPLICIT GeneralName OPTIONAL,
        namingAuthority     [1] EXPLICIT NamingAuthority OPTIONAL,
        professionInfos     SEQUENCE OF ProfessionInfo
    }

    NamingAuthority ::= SEQUENCE {
        namingAuthorityId    OBJECT IDENTIFIER OPTIONAL,
        namingAuthorityUrl   IA5String OPTIONAL,
        namingAuthorityText  DirectoryString(SIZE(1..128)) OPTIONAL
    }

    ProfessionInfo ::= SEQUENCE {
        namingAuthority     [0] EXPLICIT NamingAuthority OPTIONAL,
        professionItems     SEQUENCE OF DirectoryString (SIZE(1..128)),
        professionOIDs      SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
        registrationNumber  PrintableString(SIZE(1..128)) OPTIONAL,
        addProfessionInfo   OCTET STRING OPTIONAL
    }

This does not exactly match what I found here: http://vijairaj.blogspot.com/2009/01/parsing-and-using-custom-extension-in.html, but is taken from the exact specifications we need to comply with. This extension is not known to our OpenSSL version (0.9.8d) and I don't think later versions do know it?! Furthermore, the suggested code in the above-mentioned article does not really fit into mod_ssl, and I am hesitant to customize OpenSSL itself as well now. It should be possible to read and parse the extension using ASN.1 functions without defining the whole extension for OpenSSL, as it can be displayed with its OID and raw data by "openssl asn1parse -in <cert>", I think? What I am looking for is a feasible approach to doing so from within mod_ssl. Any help appreciated! In other news: what I achieved already is validating the certificate's signing algorithm and key length, its ExtendedKeyUsage data, and the signing algorithm and the producedAt date of the OCSP response from within mod_ssl - if anybody is interested...
I also 'fixed' the receipt of the actual OCSP response, which failed if there was an empty line read at the beginning of the response, maybe due to a lag in traffic... (not valid code style according to Apache/httpd, I guess :( ).

Mit freundlichen Grüßen / Kind regards
Natanael Mignon
michael-wessel.de Informationstechnologie GmbH
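As an added example (not from Natanael's posts, and not OpenSSL or mod_ssl code), here is a stand-alone DER walk over the AdmissionSyntax structure quoted in the original message that answers the question in the reply: does any ProfessionInfo list a given professionOID? It needs no OpenSSL headers, so it compiles on its own; inside the mod_ssl verify callback the input would be the extnValue bytes of the extension located with X509_get_ext, i.e. X509_EXTENSION_get_data(admext)->data and ->length (an assumption about how it would be wired in, not code from the post). The sample encoding, the naming-authority text, the registration number and the OID 1.3.6.1.4.1.99999.1 are constructed for this example and are not real ISIS-MTT values.

```c
/* Added example: walk a DER-encoded ISIS-MTT AdmissionSyntax and look for one
 * professionOID. No OpenSSL dependency; in mod_ssl the bytes would come from
 * X509_EXTENSION_get_data(admext)->data / ->length (assumption for the example). */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint8_t tag; const uint8_t *val; size_t len; const uint8_t *next; } tlv_t;

/* Read one TLV at p, bounded by end (single-byte tags, definite lengths); 0 on truncation. */
static int read_tlv(const uint8_t *p, const uint8_t *end, tlv_t *t)
{
    if (end - p < 2 || (p[0] & 0x1F) == 0x1F) return 0;
    size_t len = p[1], n = 0;
    t->tag = p[0]; p += 2;
    if (len & 0x80) {                               /* long-form length */
        n = len & 0x7F;
        if (n == 0 || n > 4 || (size_t)(end - p) < n) return 0;
        for (len = 0; n; n--) len = (len << 8) | *p++;
    }
    if ((size_t)(end - p) < len) return 0;
    t->val = p; t->len = len; t->next = p + len;
    return 1;
}

/* Decode OID contents octets to dotted form ("1.3.36.8.3.3"); 1 on success. */
int oid_to_dotted(const uint8_t *p, size_t n, char *out, size_t outlen)
{
    unsigned long arc = 0; size_t pos = 0; int first = 1, w;
    if (n == 0 || (p[n - 1] & 0x80)) return 0;    /* empty, or last arc is truncated */
    for (size_t i = 0; i < n; i++) {
        if (arc > (ULONG_MAX >> 7)) return 0;       /* arc would overflow */
        arc = (arc << 7) | (p[i] & 0x7F);
        if (p[i] & 0x80) continue;                  /* more base-128 digits follow */
        if (first) {                                /* first octet packs two arcs */
            unsigned long a0 = arc < 80 ? arc / 40 : 2;
            w = snprintf(out + pos, outlen - pos, "%lu.%lu", a0, arc - a0 * 40);
            first = 0;
        } else
            w = snprintf(out + pos, outlen - pos, ".%lu", arc);
        if (w < 0 || (size_t)w >= outlen - pos) return 0;
        pos += (size_t)w; arc = 0;
    }
    return 1;
}

/* 1 if some ProfessionInfo lists `wanted` in professionOIDs, 0 if none does,
 * -1 if the value is not a well-formed AdmissionSyntax (treat as a failed check). */
int admission_has_profession_oid(const uint8_t *der, size_t len, const char *wanted)
{
    tlv_t syn, adms, adm, infos, info, f, oids, oid;
    const uint8_t *p, *q, *r;
    char dotted[128];

    if (!read_tlv(der, der + len, &syn) || syn.tag != 0x30) return -1;
    /* admissionAuthority GeneralName OPTIONAL is a CHOICE, so it carries a context tag */
    if (!read_tlv(syn.val, syn.next, &adms)) return -1;
    if ((adms.tag & 0xC0) == 0x80 && !read_tlv(adms.next, syn.next, &adms)) return -1;
    if (adms.tag != 0x30) return -1;                /* contentsOfAdmissions SEQUENCE OF */
    for (p = adms.val; p < adms.next; p = adm.next) {
        if (!read_tlv(p, adms.next, &adm) || adm.tag != 0x30) return -1;
        q = adm.val;                                /* skip [0] and [1] OPTIONAL members */
        do {
            if (!read_tlv(q, adm.next, &infos)) return -1;
            q = infos.next;
        } while (infos.tag == 0xA0 || infos.tag == 0xA1);
        if (infos.tag != 0x30) return -1;           /* professionInfos SEQUENCE OF */
        for (q = infos.val; q < infos.next; q = info.next) {
            if (!read_tlv(q, infos.next, &info) || info.tag != 0x30) return -1;
            if (!read_tlv(info.val, info.next, &f)) return -1;
            if (f.tag == 0xA0 && !read_tlv(f.next, info.next, &f)) return -1; /* [0] namingAuthority */
            if (f.tag != 0x30) return -1;           /* professionItems is mandatory */
            r = f.next;
            if (r >= info.next) continue;           /* no optional members follow */
            if (!read_tlv(r, info.next, &oids)) return -1;
            if (oids.tag != 0x30) continue;         /* professionOIDs absent */
            for (r = oids.val; r < oids.next; r = oid.next) {
                if (!read_tlv(r, oids.next, &oid) || oid.tag != 0x06) return -1;
                if (oid_to_dotted(oid.val, oid.len, dotted, sizeof dotted) &&
                    strcmp(dotted, wanted) == 0)
                    return 1;
            }
        }
    }
    return 0;
}

/* Constructed sample value (not taken from any real certificate): one Admissions
 * entry with a [1] namingAuthority, one ProfessionInfo ("Arzt"), one placeholder
 * professionOID 1.3.6.1.4.1.99999.1 and a registrationNumber. */
const uint8_t SAMPLE_ADMISSION[] = {
    0x30, 0x37,                                     /* AdmissionSyntax */
      0x30, 0x35,                                   /*  contentsOfAdmissions */
        0x30, 0x33,                                 /*   Admissions */
          0xA1, 0x11,                               /*    [1] namingAuthority */
            0x30, 0x0F,                             /*     NamingAuthority */
              0x0C, 0x0D, 'E','x','a','m','p','l','e',' ','B','o','a','r','d',
          0x30, 0x1E,                               /*    professionInfos */
            0x30, 0x1C,                             /*     ProfessionInfo */
              0x30, 0x06, 0x0C, 0x04, 'A','r','z','t',            /* professionItems */
              0x30, 0x0B, 0x06, 0x09, 0x2B,0x06,0x01,0x04,0x01,0x86,0x8D,0x1F,0x01, /* professionOIDs */
              0x13, 0x05, '1','2','3','4','5'       /*      registrationNumber */
};
```

In the callback the call would be `admission_has_profession_oid(os->data, os->length, "<expected OID>")` with `os = X509_EXTENSION_get_data(admext)`, and only a return of 1 should let the handshake proceed: 0 means the profession is not asserted, -1 means the extension is malformed, and both are failures from a verifier's point of view. The OPTIONAL members are recognised by their context tags ([0] = 0xA0, [1] = 0xA1, any context-class tag for the GeneralName CHOICE) rather than by position, which is what makes the walk robust against certificates that omit them.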