## Application accessing 'ex_kusage' ##


Narayana, Sunil Kumar

Hi,

We are porting our application from OpenSSL 1.0.1 to OpenSSL 3.0. In relation to this activity we require access to the variable 'ex_kusage' pointed to by X509.

But there are no set utilities available to access this variable. Only X509_get_key_usage is available.

Our code for 1.0.1 is as below. Please suggest the right way to achieve this.

    ASN1_BIT_STRING *usage;

    x509->ex_kusage = 0;

    if((usage=(ASN1_BIT_STRING *)X509_get_ext_d2i(x509, NID_key_usage, NULL, NULL)))
    {
        if(usage->length > 0)
        {
            x509->ex_kusage = usage->data[0];
            if(usage->length > 1)
                x509->ex_kusage |= usage->data[1] << 8;
        }
        else
            x509->ex_kusage = 0;
        ASN1_BIT_STRING_free(usage);
    }


Regards,

Sunil


Re: ## Application accessing 'ex_kusage' ##

Matt Caswell-2


On 13/11/2020 19:10, Narayana, Sunil Kumar wrote:

> Hi ,
>
>                 We are porting our Application from  openssl 1.0.1 to
> openssl 3.0. in related to this activity we require to access the
> variable ‘*ex_kusage*’ pointed by *X509*
>
> But there are no set utilities available to access this variable. Only
>  X509_get_key_usage Is available.
>
>  
>
> Our code for 1.0.1 is as below. Please suggest the right way to achieve
> this.

I'd like to ask why you feel you need to do this at all. It seems to me
like you are replicating libcrypto internal code in your own
application. This is code in libcrypto:

    /* Handle (basic) key usage */
    if ((usage = X509_get_ext_d2i(x, NID_key_usage, &i, NULL)) != NULL) {
        x->ex_kusage = 0;
        if (usage->length > 0) {
            x->ex_kusage = usage->data[0];
            if (usage->length > 1)
                x->ex_kusage |= usage->data[1] << 8;
        }
        x->ex_flags |= EXFLAG_KUSAGE;
        ASN1_BIT_STRING_free(usage);
        /* Check for empty key usage according to RFC 5280 section 4.2.1.3 */
        if (x->ex_kusage == 0) {
            ERR_raise(ERR_LIB_X509, X509V3_R_EMPTY_KEY_USAGE);
            x->ex_flags |= EXFLAG_INVALID;
        }
    } else if (i != -1) {
        x->ex_flags |= EXFLAG_INVALID;
    }

So it seems very similar to what you are trying to do, and I guess some
earlier version of this code was the original source of what is in your
application now.

The purpose of this code is to decode the key usage extension and cache
it in the internal `ex_flags` value. This code gets called in numerous
code paths whenever we need to query extension data - including if you
were to call X509_get_key_usage().

Your application seems to want to manage for itself when libcrypto does
this caching. It should not need to do so - it's entirely internal. My
guess is that, perhaps, in some older version of OpenSSL the caching
didn't happen when it was supposed to and you implemented this
workaround?? Or possibly the workaround is still needed due to a bug in
OpenSSL that still doesn't do the caching when needed? If so I'd like to
understand the circumstances behind that.

Matt
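As an added illustration of the caching logic Matt quotes (this is example code written for this page, not libcrypto's or the poster's), the function below decodes the content bytes of a KeyUsage BIT STRING into the same 16-bit layout that libcrypto stores in `ex_kusage`, and applies the RFC 5280 4.2.1.3 empty-usage check. It has no OpenSSL dependency; the `KU_*` values are the ones `<openssl/x509v3.h>` defines, which is what an application on OpenSSL 3.0 should test against the result of `X509_get_key_usage()` instead of touching `ex_kusage` itself. The sample byte arrays are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Same values as OpenSSL's <openssl/x509v3.h>. RFC 5280 numbers KeyUsage
 * bits from 0 = digitalSignature, and DER stores bit 0 as the most
 * significant bit of the first content octet, hence 0x80 for bit 0. */
#define KU_DIGITAL_SIGNATURE 0x0080
#define KU_NON_REPUDIATION   0x0040
#define KU_KEY_ENCIPHERMENT  0x0020
#define KU_DATA_ENCIPHERMENT 0x0010
#define KU_KEY_AGREEMENT     0x0008
#define KU_KEY_CERT_SIGN     0x0004
#define KU_CRL_SIGN          0x0002
#define KU_ENCIPHER_ONLY     0x0001
#define KU_DECIPHER_ONLY     0x8000   /* bit 8 lives in the second octet */

/* Mirrors the libcrypto snippet: data/len are the ASN1_BIT_STRING's
 * content bytes (the DER unused-bits octet has already been stripped).
 * Returns the ex_kusage value; *invalid is set when the extension is
 * present but encodes no bits, which RFC 5280 4.2.1.3 forbids. */
uint32_t decode_key_usage(const uint8_t *data, size_t len, int *invalid)
{
    uint32_t kusage = 0;
    if (len > 0) {
        kusage = data[0];
        if (len > 1)
            kusage |= (uint32_t)data[1] << 8;
    }
    *invalid = (kusage == 0);
    return kusage;
}

int main(void)
{
    /* Constructed sample: digitalSignature + keyEncipherment, the usual
     * pair for a TLS server certificate. */
    const uint8_t tls_server[] = { 0xA0 };
    /* Constructed sample: keyAgreement + decipherOnly needs two octets. */
    const uint8_t agree_decipher[] = { 0x08, 0x80 };
    int invalid;
    uint32_t ku = decode_key_usage(tls_server, sizeof tls_server, &invalid);
    printf("server cert: ex_kusage=0x%04x keyCertSign=%d\n",
           ku, !!(ku & KU_KEY_CERT_SIGN));
    ku = decode_key_usage(agree_decipher, sizeof agree_decipher, &invalid);
    printf("agreement cert: decipherOnly=%d invalid=%d\n",
           !!(ku & KU_DECIPHER_ONLY), invalid);
    return 0;
}
```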