4

I need to retrieve information from x509 cert to verify Key usage. For example I need to make sure certificate can be used for digital signing (80).

It can be printed out by the following code piece, but i actually want to verify if certificate has a specific property. What i need is a method like boolean certHasAbility(X509 * cert, int purpose );, where purpose can be DigitalSignature(80) or Key Encipherment(20).

STACK_OF(X509_EXTENSION) *ext_list;

ext_list = cert->cert_info->extensions;
outbio  = BIO_new_fp(stdout, BIO_NOCLOSE);

if(sk_X509_EXTENSION_num(ext_list) <= 0)
    return 1;

for (int i=0; i<sk_X509_EXTENSION_num(ext_list); i++) {
    ASN1_OBJECT *obj;
    X509_EXTENSION *ext;

    ext = sk_X509_EXTENSION_value(ext_list, i);

    obj = X509_EXTENSION_get_object(ext);
    BIO_printf(outbio, "\n");
    BIO_printf(outbio, "Object %.2d: ", i);
    i2a_ASN1_OBJECT(outbio, obj);
    BIO_printf(outbio, "\n");
    X509V3_EXT_print(outbio, ext, NULL, NULL);
    BIO_printf(outbio, "\n");
}
Konstantin Shemyak
  • 2,369
  • 5
  • 21
  • 41
Ufuk Öz
  • 51
  • 4

1 Answers1

1

I would use X509_get_ext_d2i function:

static void print_my_key_usage(X509 *cert)
{
    ASN1_BIT_STRING *usage = X509_get_ext_d2i(cert, NID_key_usage, NULL, NULL);
    if (usage && (usage->length > 0))
    {
        if (usage->data[0] & 0x80)
            printf("digitalSignature\n");
        ....
        if (usage->data[0] & 0x08)
            printf("keyAgreement\n");
        if (usage->data[0] & 0x04)
            printf("keyCertSign\n");
        if (usage->data[0] & 0x02)
            printf("cRLSign\n");
    }
}

You can find details of bits from RFC5280. Because there can be more than 1 byte in the bit string, you need to handle it someway in your function:

boolean certHasAbility(X509 *cert, int purpose)
{
    ASN1_BIT_STRING *usage = X509_get_ext_d2i(cert, NID_key_usage, NULL, NULL);
    if (usage)
    {
        if (usage->length == 1)
        {
            return (usage->data[0] & purpose) == purpose;                
        }
        else
        {
            // TODO: handle different lengths.
        }
    }
}
Community
  • 1
  • 1
SKi
  • 8,007
  • 2
  • 26
  • 57