On Fri, May 27, 2011, Akash Deo wrote:

> Hi,
> 
> I am trying to get URI of the CRL from certificate extension using below
> function:
> 
> static char *get_distribution_point(X509 *cert) {
>   int                   extcount, i, j;
>   const char            *extstr;
>   CONF_VALUE            *nval;
>   unsigned char         *data;
>   X509_EXTENSION        *ext;
>   X509V3_EXT_METHOD     *meth;
>   STACK_OF(CONF_VALUE)  *val;
> 
>   if ((extcount = X509_get_ext_count(cert)) > 0) {
>     for (i = 0; i < extcount; i++) {
>       ext = X509_get_ext(cert, i);
>       extstr = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
>       if (strcasecmp(extstr, "crlDistributionPoints")) continue;
> 
>       if (!(meth = X509V3_EXT_get(ext))) break;
>       data = ext->value->data;
>       val = meth->i2v(meth, meth->d2i(0, &data, ext->value->length), 0);
>       for (j = 0;  j < sk_CONF_VALUE_num(val);  j++) {
>         nval = sk_CONF_VALUE_value(val, j);
>         if (!strcasecmp(nval->name, "URI"))
>           return strdup(nval->value);
>       }
>     }
>   }
>   return 0;
> }
> 
> 
> 
> Above function fails at
> val = meth->i2v(meth, meth->d2i(0, &data, ext->value->length), 0);
> 
> Any suggestions ?
> 

There are some code examples like that in a few places; these
took code from OpenSSL internals, and when those internals changed they
stopped working.

The correct and portable way to get an extension from a certificate is by
using X509_get_ext_d2i(): you can replace most of the above with that. This
function is documented, albeit in doc/openssl.txt.

You get back a STACK_OF(DIST_POINT) for that extension which you can then
analyse to extract a URI. Note that there can be multiple URIs and additional
information in CRLDP.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
