Re: Trying to get URI of CRL from certificate extension

2011-05-27 Thread Eric S. Eberhard

Does fail mean?  Core dump?

Whether it does or not, it is generally good practice to make sure 
those pointers are not null unless you are certain the functions can 
never return a bad value.  Also, for debugging, if you break it down 
then you can get the individual results with print statements and see 
what is failing.


Finally, as a general comment on coding -- statements like that val= 
line generally have two effects:


1) the outcome can be confusing.  I once had two programmers working 
for me with a complex statement like that (setting things, calling 
things, etc., all on one line) and precedence and all kinds of things 
came up ... so they were arguing over various possible results.  I 
told them the most likely result of a programmer leaving me code that 
two smart programmers have to argue over the meaning of is termination 
of employment :-)  Make code human readable by the dumbest 
programmers (like perhaps your boss ;-) )


2) It is less efficient.  Depending on the platform, it can be 
considerably so.  Compilers try to optimize.  If the statement is really 
complex it does not optimize the line.  Processors read ahead and 
execute statements when the situation makes it possible (AIX does 
this very well) ... again, if it is too complex, it cannot do that.  As an 
aside, those that read ahead always assume a test evaluates to true, 
so all conditional statements should have the most likely code 
first.  Of course, this assumes performance is that important.


Rough code should be:

/* check the method actually provides the callbacks before calling them */
if (!meth->d2i)
    /* error handling */
if (!meth->i2v)
    /* error handling */

ptr = meth->d2i(0, &data, ext->value->length);
printf("ptr1=%p\r\n", (void *)ptr);
if (!ptr)   /* or some other illegal value if int or ??? */
    /* error handling */
ptr = meth->i2v(meth, ptr, 0);
printf("ptr2=%p\r\n", (void *)ptr);
if (!ptr)   /* or some other illegal value */
    /* error handling */
val = ptr;

Of course I don't really know if those are pointers or what so very 
rough. They could be int or whatever, but the above code allows you 
to print the intermediate values.  And likely has mistakes since I 
slapped it out.


My point is that reducing the number of lines with compound statements 
makes code harder for humans and computers to understand and leaves you 
no easy way to check intermediate values and debug.


Eric



At 11:57 PM 5/26/2011, you wrote:

Hi,

I am trying to get the URI of the CRL from a certificate extension using 
the function below:


#include <string.h>
#include <strings.h>
#include <openssl/x509v3.h>

static char *get_distribution_point(X509 *cert) {
  int                   extcount, i, j;
  const char           *extstr;
  CONF_VALUE           *nval;
  unsigned char        *data;
  X509_EXTENSION       *ext;
  X509V3_EXT_METHOD    *meth;
  STACK_OF(CONF_VALUE) *val;

  if ((extcount = X509_get_ext_count(cert)) > 0) {
    for (i = 0; i < extcount; i++) {
      ext = X509_get_ext(cert, i);
      extstr = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
      if (strcasecmp(extstr, "crlDistributionPoints")) continue;

      if (!(meth = X509V3_EXT_get(ext))) break;
      data = ext->value->data;
      val = meth->i2v(meth, meth->d2i(0, &data, ext->value->length), 0);
      for (j = 0;  j < sk_CONF_VALUE_num(val);  j++) {
        nval = sk_CONF_VALUE_value(val, j);
        if (!strcasecmp(nval->name, "URI"))
          return strdup(nval->value);
      }
    }
  }
  return 0;
}



The above function fails at
val = meth->i2v(meth, meth->d2i(0, &data, ext->value->length), 0);

Any suggestions ?

Please help

Thanks & Regards,
Akash Deo



Eric S. Eberhard
(928) 567-3727  Voice
(928) 567-6122  Fax
(928) 301-7537   Cell

Vertical Integrated Computer Systems, LLC
Metropolis Support, LLC

For Metropolis support and VICS MBA Support: http://www.vicsmba.com


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


RE: Trying to get URI of CRL from certificate extension

2011-05-27 Thread Yan, Bob
Hi Akash,

I have encountered the same issue as you mentioned in your email but I still 
haven't figured out the cause of the failure. However, after I replaced the 
d2i(0, &data, ext->value->length) call with X509V3_EXT_d2i(ext), the problem was 
gone.

Regards
Bob




From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Akash Deo
Sent: Thursday, May 26, 2011 11:57 PM
To: openssl-users@openssl.org
Subject: Trying to get URI of CRL from certificate extension

Hi,

I am trying to get the URI of the CRL from a certificate extension using the 
function below:

#include <string.h>
#include <strings.h>
#include <openssl/x509v3.h>

static char *get_distribution_point(X509 *cert) {
  int                   extcount, i, j;
  const char           *extstr;
  CONF_VALUE           *nval;
  unsigned char        *data;
  X509_EXTENSION       *ext;
  X509V3_EXT_METHOD    *meth;
  STACK_OF(CONF_VALUE) *val;

  if ((extcount = X509_get_ext_count(cert)) > 0) {
    for (i = 0; i < extcount; i++) {
      ext = X509_get_ext(cert, i);
      extstr = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
      if (strcasecmp(extstr, "crlDistributionPoints")) continue;

      if (!(meth = X509V3_EXT_get(ext))) break;
      data = ext->value->data;
      val = meth->i2v(meth, meth->d2i(0, &data, ext->value->length), 0);
      for (j = 0;  j < sk_CONF_VALUE_num(val);  j++) {
        nval = sk_CONF_VALUE_value(val, j);
        if (!strcasecmp(nval->name, "URI"))
          return strdup(nval->value);
      }
    }
  }
  return 0;
}



The above function fails at
val = meth->i2v(meth, meth->d2i(0, &data, ext->value->length), 0);

Any suggestions ?

Please help

Thanks & Regards,
Akash Deo


Re: Trying to get URI of CRL from certificate extension

2011-05-27 Thread Dr. Stephen Henson
On Fri, May 27, 2011, Akash Deo wrote:

> Hi,
> 
> I am trying to get the URI of the CRL from a certificate extension using the
> function below:
> 
> #include <string.h>
> #include <strings.h>
> #include <openssl/x509v3.h>
> 
> static char *get_distribution_point(X509 *cert) {
>   int                   extcount, i, j;
>   const char           *extstr;
>   CONF_VALUE           *nval;
>   unsigned char        *data;
>   X509_EXTENSION       *ext;
>   X509V3_EXT_METHOD    *meth;
>   STACK_OF(CONF_VALUE) *val;
> 
>   if ((extcount = X509_get_ext_count(cert)) > 0) {
>     for (i = 0; i < extcount; i++) {
>       ext = X509_get_ext(cert, i);
>       extstr = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
>       if (strcasecmp(extstr, "crlDistributionPoints")) continue;
> 
>       if (!(meth = X509V3_EXT_get(ext))) break;
>       data = ext->value->data;
>       val = meth->i2v(meth, meth->d2i(0, &data, ext->value->length), 0);
>       for (j = 0;  j < sk_CONF_VALUE_num(val);  j++) {
>         nval = sk_CONF_VALUE_value(val, j);
>         if (!strcasecmp(nval->name, "URI"))
>           return strdup(nval->value);
>       }
>     }
>   }
>   return 0;
> }
> 
> 
> 
> The above function fails at
> val = meth->i2v(meth, meth->d2i(0, &data, ext->value->length), 0);
> 
> Any suggestions ?
> 

There are some code examples like that in a few places; these
took code from OpenSSL internals, and when those internals changed they
stopped working.

The correct and portable way to get an extension from a certificate is by
using X509_get_ext_d2i(): you can replace most of the above with that. This
function is documented, albeit in doc/openssl.txt.

You get back a STACK_OF(DIST_POINT) for that extension which you can then
analyse to extract a URI. Note that there can be multiple URIs and additional
information in CRLDP.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org