Trying to get URI of CRL from certificate extension


Trying to get URI of CRL from certificate extension

Akash Deo-3
Hi,

I am trying to get URI of the CRL from certificate extension using below function:

static char *get_distribution_point(X509 *cert) {
  int                   extcount, i, j;
  const char            *extstr;
  CONF_VALUE            *nval;
  unsigned char         *data;
  X509_EXTENSION        *ext;
  X509V3_EXT_METHOD     *meth;
  STACK_OF(CONF_VALUE)  *val;
  
  if ((extcount = X509_get_ext_count(cert)) > 0) {
    for (i = 0; i < extcount; i++) {
      ext = X509_get_ext(cert, i);
      extstr = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
      if (strcasecmp(extstr, "crlDistributionPoints")) continue;
  
      if (!(meth = X509V3_EXT_get(ext))) break;
      data = ext->value->data;
      val = meth->i2v(meth, meth->d2i(0, &data, ext->value->length), 0);
      for (j = 0;  j < sk_CONF_VALUE_num(val);  j++) {
        nval = sk_CONF_VALUE_value(val, j);
        if (!strcasecmp(nval->name, "URI"))
          return strdup(nval->value);
      }
    }
  }
  return 0;
}



Above function fails at
val = meth->i2v(meth, meth->d2i(0, &data, ext->value->length), 0);

Any suggestions ?

Please help

Thanks & Regards,
Akash Deo

Re: Trying to get URI of CRL from certificate extension

Eric S. Eberhard-2
Does "fail" mean a core dump?

Whether it does or not, it is generally good practice to make sure
those pointers are not null unless you are certain the functions can
never return a bad value.  Also, for debugging, if you break it down
then you can get the individual results with print statements and see
what is failing.

Finally, as a general comment on coding -- statements like that "val="
generally have two effects:

1) the outcome can be confusing.  I once had two programmers working
for me with a complex statement like that (setting things, calling
things, etc, all on one line) and precedence and all kinds of things
came up ... so they were arguing over various possible results.  I
told them the most likely result of a programmer leaving me code that
two smart programmers have to argue over its meaning is termination
of employment :-)  Make code human readable by the dumbest
programmers (like perhaps your boss ;-) )

2) It is less efficient.  Depending on the platform, it can be
considerably so.  Compilers try to optimize.  If the statement is really
complex it does not optimize the line.  Processors read ahead and
execute statements when the situation makes it possible (AIX does
this very well) ... again, too complex, it cannot do that.  As an
aside, those that read ahead always assume a test evaluates to true,
so all conditional statements should have the most likely code
first.  Of course, this assumes performance is that important.

Rough code should be:

void *ptr;

if (!meth->d2i)
         return NULL;                   /* error handling */
if (!meth->i2v)
         return NULL;                   /* error handling */

ptr = meth->d2i(NULL, &data, ext->value->length);
printf("ptr1=%p\r\n", ptr);
if (!ptr)                               /* or some other illegal
value if int or ??? */
         return NULL;                   /* error handling */
val = meth->i2v(meth, ptr, NULL);
printf("ptr2=%p\r\n", (void *)val);
if (!val)                               /* or some other illegal value */
         return NULL;                   /* error handling */

Of course I don't really know if those are pointers or what so very
rough. They could be int or whatever, but the above code allows you
to print the intermediate values.  And likely has mistakes since I
slapped it out.

My point is reducing the number of lines with compound statements is
harder for humans and computers to understand and leaves you no easy
way to check intermediate values and debug.

Eric



At 11:57 PM 5/26/2011, you wrote:

>Hi,
>
>I am trying to get URI of the CRL from certificate extension using
>below function:
>
>static char *get_distribution_point(X509 *cert) {
>   int                   extcount, i, j;
>   const char            *extstr;
>   CONF_VALUE            *nval;
>   unsigned char         *data;
>   X509_EXTENSION        *ext;
>   X509V3_EXT_METHOD     *meth;
>   STACK_OF(CONF_VALUE)  *val;
>
>   if ((extcount = X509_get_ext_count(cert)) > 0) {
>     for (i = 0; i < extcount; i++) {
>       ext = X509_get_ext(cert, i);
>       extstr = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
>       if (strcasecmp(extstr, "crlDistributionPoints")) continue;
>
>       if (!(meth = X509V3_EXT_get(ext))) break;
>       data = ext->value->data;
>       val = meth->i2v(meth, meth->d2i(0, &data, ext->value->length), 0);
>       for (j = 0;  j < sk_CONF_VALUE_num(val);  j++) {
>         nval = sk_CONF_VALUE_value(val, j);
>         if (!strcasecmp(nval->name, "URI"))
>           return strdup(nval->value);
>       }
>     }
>   }
>   return 0;
>}
>
>
>
>Above function fails at
>val = meth->i2v(meth, meth->d2i(0, &data, ext->value->length), 0);
>
>Any suggestions ?
>
>Please help
>
>Thanks & Regards,
>Akash Deo


Eric S. Eberhard
(928) 567-3727          Voice
(928) 567-6122          Fax
(928) 301-7537                           Cell

Vertical Integrated Computer Systems, LLC
Metropolis Support, LLC

For Metropolis support and VICS MBA Support!!!!    http://www.vicsmba.com

Pictures of Snake in Spring

http://www.facebook.com/album.php?aid=115547&id=1409661701&l=1c375e1f49

Pictures of Camp Verde

http://www.facebook.com/album.php?aid=12771&id=1409661701&l=fc0e0a2bcf

Pictures of Land Cruiser in Sedona

http://www.facebook.com/album.php?aid=50953&id=1409661701

Pictures of Flagstaff area near our cabin

http://www.facebook.com/album.php?aid=12750&id=1409661701

Pictures of Cheryl in a Horse Show

http://www.facebook.com/album.php?aid=32484&id=1409661701


Pictures of the AZ Desert

http://www.facebook.com/album.php?aid=58827&id=1409661701

(You can see why we love this state :-) )

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

RE: Trying to get URI of CRL from certificate extension

Yan, Bob
In reply to this post by Akash Deo-3
Hi Akash,

I have encountered the same issue as you mentioned in your email but I still haven't figured out the cause of the failure. However, after I replaced "d2i(0, &data, ext->value->length)" function with X509V3_EXT_d2i(ext), the problem was gone.

Regards
Bob



From: [hidden email] [mailto:[hidden email]] On Behalf Of Akash Deo
Sent: Thursday, May 26, 2011 11:57 PM
To: [hidden email]
Subject: Trying to get URI of CRL from certificate extension

Hi,

I am trying to get URI of the CRL from certificate extension using below function:

static char *get_distribution_point(X509 *cert) {
  int                   extcount, i, j;
  const char            *extstr;
  CONF_VALUE            *nval;
  unsigned char         *data;
  X509_EXTENSION        *ext;
  X509V3_EXT_METHOD     *meth;
  STACK_OF(CONF_VALUE)  *val;
  
  if ((extcount = X509_get_ext_count(cert)) > 0) {
    for (i = 0; i < extcount; i++) {
      ext = X509_get_ext(cert, i);
      extstr = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
      if (strcasecmp(extstr, "crlDistributionPoints")) continue;
  
      if (!(meth = X509V3_EXT_get(ext))) break;
      data = ext->value->data;
      val = meth->i2v(meth, meth->d2i(0, &data, ext->value->length), 0);
      for (j = 0;  j < sk_CONF_VALUE_num(val);  j++) {
        nval = sk_CONF_VALUE_value(val, j);
        if (!strcasecmp(nval->name, "URI"))
          return strdup(nval->value);
      }
    }
  }
  return 0;
}



Above function fails at
val = meth->i2v(meth, meth->d2i(0, &data, ext->value->length), 0);

Any suggestions ?

Please help

Thanks & Regards,
Akash Deo

Re: Trying to get URI of CRL from certificate extension

Dr. Stephen Henson
In reply to this post by Akash Deo-3
On Fri, May 27, 2011, Akash Deo wrote:

> Hi,
>
> I am trying to get URI of the CRL from certificate extension using below
> function:
>
> static char *get_distribution_point(X509 *cert) {
>   int                   extcount, i, j;
>   const char            *extstr;
>   CONF_VALUE            *nval;
>   unsigned char         *data;
>   X509_EXTENSION        *ext;
>   X509V3_EXT_METHOD     *meth;
>   STACK_OF(CONF_VALUE)  *val;
>
>   if ((extcount = X509_get_ext_count(cert)) > 0) {
>     for (i = 0; i < extcount; i++) {
>       ext = X509_get_ext(cert, i);
>       extstr = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
>       if (strcasecmp(extstr, "crlDistributionPoints")) continue;
>
>       if (!(meth = X509V3_EXT_get(ext))) break;
>       data = ext->value->data;
>       val = meth->i2v(meth, meth->d2i(0, &data, ext->value->length), 0);
>       for (j = 0;  j < sk_CONF_VALUE_num(val);  j++) {
>         nval = sk_CONF_VALUE_value(val, j);
>         if (!strcasecmp(nval->name, "URI"))
>           return strdup(nval->value);
>       }
>     }
>   }
>   return 0;
> }
>
>
>
> Above function fails at
> val = meth->i2v(meth, meth->d2i(0, &data, ext->value->length), 0);
>
> Any suggestions ?
>

There are some code examples like that in a few places; these
took code from OpenSSL internals, and when those internals changed they
stopped working.

The correct and portable way to get an extension from a certificate is by
using X509_get_ext_d2i(): you can replace most of the above with that. This
function is documented, albeit in doc/openssl.txt.

You get back a STACK_OF(DIST_POINT) for that extension which you can then
analyse to extract a URI. Note that there can be multiple URIs and additional
information in CRLDP.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
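Bob's switch to X509V3_EXT_d2i() and Steve's X509_get_ext_d2i() both hand back the decoded CRLDistributionPoints structure, and Steve's caveat is that it can hold several URIs plus fields (reasons, cRLIssuer, a name relative to the CRL issuer) that are not places to fetch a CRL from. To make that structure concrete, here is an added example, not code from this thread or from OpenSSL, that walks the DER of the extension value directly, the same bytes the OP pulled out of ext->value->data, and collects only the URIs of fullName distribution points while bounds-checking every length. The DER test vector is constructed for this example (crl.example.com, ldap.example.com, CN=CRL1 and ca@example.com are made up), and the function names extract_crldp_uris, der_read and copy_uri are my own.

```c
/* Added example (not from the thread): decode a CRLDistributionPoints
 * extension value by hand and collect the URIs of its fullName entries.
 * This is the structure X509_get_ext_d2i(cert, NID_crl_distribution_points,
 * NULL, NULL) decodes into a STACK_OF(DIST_POINT). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_URI 128

/* Constructed test vector (not from any real CA):
 *   DP1: fullName with two URIs, plus reasons = keyCompromise|cACompromise
 *   DP2: nameRelativeToCRLIssuer (CN=CRL1) plus cRLIssuer = rfc822Name  */
static const unsigned char CRLDP_DER[] =
    "\x30\x6d"                                  /* CRLDistributionPoints SEQUENCE */
      "\x30\x46"                                /* DistributionPoint #1 */
        "\xa0\x40"                              /*  distributionPoint [0] EXPLICIT */
          "\xa0\x3e"                            /*   fullName [0] GeneralNames */
            "\x86\x1d" "http://crl.example.com/ca.crl"   /* uniformResourceIdentifier */
            "\x86\x1d" "ldap://ldap.example.com/cn=CA"   /* uniformResourceIdentifier */
        "\x81\x02\x05\x60"                      /*  reasons [1] BIT STRING */
      "\x30\x23"                                /* DistributionPoint #2 */
        "\xa0\x0f"                              /*  distributionPoint [0] EXPLICIT */
          "\xa1\x0d"                            /*   nameRelativeToCRLIssuer [1] RDN */
            "\x30\x0b" "\x06\x03\x55\x04\x03"   /*    id-at-commonName */
                       "\x13\x04" "CRL1"        /*    PrintableString "CRL1" */
        "\xa2\x10"                              /*  cRLIssuer [2] GeneralNames */
          "\x81\x0e" "ca@example.com";          /*   rfc822Name: a name, not a URI */
#define CRLDP_DER_LEN (sizeof(CRLDP_DER) - 1)   /* drop the literal's trailing NUL */

/* Read one TLV starting at *cur and ending no later than `end`; on success
 * set tag/val/vlen, advance *cur past it and return 0. Return -1 on a
 * truncated element or a tag/length form this extension never uses. */
static int der_read(const unsigned char **cur, const unsigned char *end,
                    unsigned *tag, const unsigned char **val, size_t *vlen)
{
    const unsigned char *p = *cur;
    size_t len;
    if (end - p < 2) return -1;                 /* need tag + one length byte */
    *tag = p[0];
    if ((*tag & 0x1f) == 0x1f) return -1;       /* multi-byte tags do not occur here */
    p++;
    if (*p < 0x80) {
        len = *p++;                             /* short form */
    } else {
        unsigned n = *p++ & 0x7f;               /* long form: n length octets follow */
        if (n == 0 || n > sizeof(size_t) || (size_t)(end - p) < n) return -1;
        len = 0;
        while (n--) len = (len << 8) | *p++;
    }
    if ((size_t)(end - p) < len) return -1;     /* declared length runs past the buffer */
    *val = p; *vlen = len; *cur = p + len;
    return 0;
}

/* Copy an IA5String URI into out. Control bytes and embedded NULs are
 * rejected so that C string handling downstream cannot be truncated. */
static int copy_uri(const unsigned char *v, size_t n, char *out, size_t outsz)
{
    size_t i;
    if (n == 0 || n >= outsz) return -1;
    for (i = 0; i < n; i++) {
        if (v[i] < 0x21 || v[i] > 0x7e) return -1;
        out[i] = (char)v[i];
    }
    out[n] = '\0';
    return 0;
}

/* Collect the URIs of every DistributionPoint whose name is a fullName.
 * Returns the number of URIs stored, or -1 if the DER is malformed.
 * *n_dps receives the number of DistributionPoints seen; some carry no URI
 * at all (a nameRelativeToCRLIssuer, or only reasons/cRLIssuer). */
static int extract_crldp_uris(const unsigned char *der, size_t len,
                              char uris[][MAX_URI], size_t max_uris, size_t *n_dps)
{
    const unsigned char *p = der, *end = der + len, *v, *dp, *dpend, *f, *fend;
    size_t vlen, dplen, count = 0;
    unsigned tag;

    *n_dps = 0;
    if (der_read(&p, end, &tag, &v, &vlen) || tag != 0x30 || p != end) return -1;
    p = v; end = v + vlen;                      /* now inside the SEQUENCE OF */
    while (p < end) {
        /* DistributionPoint ::= SEQUENCE { [0] name, [1] reasons, [2] cRLIssuer } */
        if (der_read(&p, end, &tag, &dp, &dplen) || tag != 0x30) return -1;
        (*n_dps)++;
        dpend = dp + dplen;
        while (dp < dpend) {
            if (der_read(&dp, dpend, &tag, &v, &vlen)) return -1;
            if (tag != 0xa0) continue;          /* reasons / cRLIssuer: not a fetch location */
            /* distributionPoint is EXPLICIT: exactly one TLV wraps the CHOICE */
            f = v; fend = v + vlen;
            if (der_read(&f, fend, &tag, &v, &vlen) || f != fend) return -1;
            if (tag == 0xa1) continue;          /* nameRelativeToCRLIssuer: no URI here */
            if (tag != 0xa0) return -1;
            /* fullName: GeneralNames, keep only uniformResourceIdentifier [6] */
            f = v; fend = v + vlen;
            while (f < fend) {
                if (der_read(&f, fend, &tag, &v, &vlen)) return -1;
                if (tag != 0x86) continue;      /* directoryName, dNSName, ... are skipped */
                if (count == max_uris) return (int)count;   /* caller's array is full */
                if (copy_uri(v, vlen, uris[count], MAX_URI)) return -1;
                count++;
            }
        }
    }
    return (int)count;
}

int main(void)
{
    char uris[8][MAX_URI];
    size_t dps;
    int i, n = extract_crldp_uris(CRLDP_DER, CRLDP_DER_LEN, uris, 8, &dps);
    if (n < 0) { puts("malformed CRLDistributionPoints"); return 1; }
    printf("%zu distribution point(s), %d URI(s)\n", dps, n);
    for (i = 0; i < n; i++) printf("  %s\n", uris[i]);
    return 0;
}
```

With OpenSSL the same walk runs over the decoded objects instead of raw bytes: X509_get_ext_d2i(cert, NID_crl_distribution_points, NULL, NULL) returns a STACK_OF(DIST_POINT); for each DIST_POINT, a distpoint whose type is 0 holds name.fullname, a STACK_OF(GENERAL_NAME) in which only entries of type GEN_URI are URIs (the IA5String in d.uniformResourceIdentifier), while type 1 is a nameRelativeToCRLIssuer, and the stack is released with CRL_DIST_POINTS_free(). The checks above (every length bounded by its enclosing element, the EXPLICIT wrapper holding exactly one element, no control bytes in the string that is about to become a C string) are what the library decoder does on your behalf, which is why reaching through the internal method table was fragile.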