problem with X509_get_ext_d2i() and AUTHORITY_KEYID

problem with X509_get_ext_d2i() and AUTHORITY_KEYID

soukyan
Hi,

I need to use the authority key identifier extension.
When I am using X509V3_EXT_print() akid is printed correctly.
But I have to get the AUTHORITY_KEYID structure.
I do it this way:

class cCert
{
  X509 * x509cert;
  bool getAuthorityKeyID(int &, AUTHORITY_KEYID *);
  // other members of cCert
};

bool cCert::getAuthorityKeyID(int & crit, AUTHORITY_KEYID * akid)
{
  akid = NULL;
  akid = reinterpret_cast<AUTHORITY_KEYID*>
    (X509_get_ext_d2i(x509cert, NID_authority_key_identifier, &crit,
NULL));
  if (akid)
    return true;
  return false;
}

If this function returns true, I assume that akid points to a valid
AUTHORITY_KEYID.
So I try to use it:

AUTHORITY_KEYID * auth_keyid;
int crit;
if (cert.getAuthorityKeyID(crit, auth_keyid))
{
  if (auth_keyid != NULL)
  {
    printf("auth_keyid is not NULL\n"); // test information
    if (auth_keyid->keyid)
    {
      printf("keyid is present\n");
      // do something in this case
    }
    else
    {
      printf("keyid is not present");
      // do something in this case
    }
  }
  else
    printf("auth_keyid is NULL\n");
}

When I run my application I get:
auth_keyid is not NULL
Segmentation fault

Why does auth_keyid->keyid cause a segmentation fault?
X509V3_EXT_print() is called from another member function of cCert
and extracts this extension and prints keyid correctly.
So why doesn't X509_get_ext_d2i() work?
How can I do this without errors?

Thanks,
Daniel

(Feel free to correct my English)





______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: problem with X509_get_ext_d2i() and AUTHORITY_KEYID

Tyler Durden-3
Hello,
You have to instantiate the pointer variable named akid.

For more information on how to use the i2d_*(), d2i_*() functions,
please consult the FAQ,
with the question
3. How do I read or write a DER encoded buffer using the ASN1 functions?


[hidden email] wrote:

>Hi,
>
>I need to use the authority key identifier extension.
>When I am using X509V3_EXT_print() akid is printed correctly.
>But I have to get the AUTHORITY_KEYID structure.
>I do it this way:
>
>class cCert
>{
>  X509 * x509cert;
>  bool getAuthorityKeyID(int &, AUTHORITY_KEYID *);
>  // other members of cCert
>};
>
>bool cCert::getAuthorityKeyID(int & crit, AUTHORITY_KEYID * akid)
>{
>  akid = NULL;
>  akid = reinterpret_cast<AUTHORITY_KEYID*>
>    (X509_get_ext_d2i(x509cert, NID_authority_key_identifier, &crit,
>NULL));
>  if (akid)
>    return true;
>  return false;
>}
>
>If this function returns true, I assume that akid points to a valid
>AUTHORITY_KEYID.
>So I try to use it:
>
>AUTHORITY_KEYID * auth_keyid;
>int crit;
>if (cert.getAuthorityKeyID(crit, auth_keyid))
>{
>  if (auth_keyid != NULL)
>  {
>    printf("auth_keyid is not NULL\n"); // test information
>    if (auth_keyid->keyid)
>    {
>      printf("keyid is present\n");
>      // do something in this case
>    }
>    else
>    {
>      printf("keyid is not present");
>      // do something in this case
>    }
>  }
>  else
>    printf("auth_keyid is NULL\n");
>}
>
>When I run my application I get:
>auth_keyid is not NULL
>Segmentation fault
>
>Why does auth_keyid->keyid cause a segmentation fault?
>X509V3_EXT_print() is called from another member function of cCert
>and extracts this extension and prints keyid correctly.
>So why doesn't X509_get_ext_d2i() work?
>How can I do this without errors?
>
>Thanks,
>Daniel
>
>(Feel free to correct my English)

--
     /**************************/
    /** Ivan Fraixedes Cugat **/
   /** Computer science ******/
  /** DMAG (UPF) ************/
 /** (SPAIN-BARCELONA)******/
/**************************/

Re: problem with X509_get_ext_d2i() and AUTHORITY_KEYID

soukyan
In reply to this post by soukyan
> Hello,
> You have to instantiate the pointer variable named akid.
>
> For more information on how to use the i2d_*(), d2i_*() functions,
> please consult the FAQ,
> with the question
> 3. How do I read or write a DER encoded buffer using the ASN1
> functions?

How do I do it?
d2i_*() require (char**)data and (int)length
but I have only
AUTHORITY_KEYID * akid;
and
X509 * x509cert;

X509V3_EXT_print() works fine, so OpenSSL can extract this extension

I managed with AUTHORITY_KEYID in another way and now it works fine
for me.

Now I have problems with CERTIFICATEPOLICIES.
I have to extract all policies in a certificate.
I do it in a similar way:
certPols = (CERTIFICATEPOLICIES*)X509_get_ext_d2i(x509cert,
NID_certificate_policies, &crit, NULL);
and still have the same problem.
It means segmentation fault.
And the function sk_POLICYINFO_num(certPols) returns -1.
When I try something like this
char *temp = (char*)certPols;
char ch = temp[0];
char ch2 = temp[1];
a segmentation fault occurs again.

How do I correctly extract all policies?

I'm using Beta 4 of OpenSSL 0.9.8 compiled by myself
because I need to use some extensions which are new in 0.9.8
(policyMappings, nameConstraints and inhibitAnyPolicy)
I compiled it this way:
./config
make
make install

Should I do something more?


Thanks,
Daniel

(Feel free to correct my English)





Re: problem with X509_get_ext_d2i() and AUTHORITY_KEYID

soukyan
In reply to this post by soukyan
Hi

I have solved my problem.
The mistake was in this line:
> bool cCert::getAuthorityKeyID(int & crit, AUTHORITY_KEYID * akid)
it should be:
bool cCert::getAuthorityKeyID(int & crit, AUTHORITY_KEYID * & akid)
and it works fine now.

I have another question.
I have three structures:

X509 * x509subject, * x509issuer;
X509_CRL * x509crl;

x509subject and x509crl are issued and signed by x509issuer.
All pointers are allocated with d2i*()

How do I check if the x509subject certificate is revoked by the x509issuer CA and
is placed in x509crl?
I also need to know the revocation reason.

Thanks,
Daniel

(feel free to correct my English)
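
The by-value versus by-reference mistake identified in the post above, as an added example that is not part of the original thread or of OpenSSL. `FakeAkid`, `fake_get_ext_d2i` and `fake_akid_free` are hypothetical stand-ins for `AUTHORITY_KEYID`, `X509_get_ext_d2i()` and `AUTHORITY_KEYID_free()` so the block builds without OpenSSL; it also adds a variant that returns an owning pointer instead of using an out-parameter.

```cpp
#include <cstdio>
#include <memory>

// Hypothetical stand-in for AUTHORITY_KEYID (sample value is constructed).
struct FakeAkid { const char *keyid; };
static int live_objects = 0;  // decoded structures not yet freed

// Hypothetical stand-in for X509_get_ext_d2i(): returns a heap object the
// caller owns, or nullptr (with *crit = -1) when the extension is absent.
void *fake_get_ext_d2i(bool present, int *crit) {
    if (crit) *crit = present ? 0 : -1;
    if (!present) return nullptr;
    ++live_objects;
    return new FakeAkid{"constructed-key-id"};
}
// Hypothetical stand-in for AUTHORITY_KEYID_free().
void fake_akid_free(FakeAkid *p) { if (p) { --live_objects; delete p; } }

// As posted: akid is a copy of the caller's pointer, so the assignment is
// lost on return and the decoded object leaks.
bool get_by_value(bool present, int &crit, FakeAkid *akid) {
    akid = static_cast<FakeAkid *>(fake_get_ext_d2i(present, &crit));
    return akid != nullptr;
}

// Fix from the thread: take the pointer by reference so the caller sees it.
bool get_by_reference(bool present, int &crit, FakeAkid *&akid) {
    akid = static_cast<FakeAkid *>(fake_get_ext_d2i(present, &crit));
    return akid != nullptr;
}

// Variant: return an owning pointer, so there is no out-parameter to get
// wrong and the object is freed on every path.
struct AkidDeleter { void operator()(FakeAkid *p) const { fake_akid_free(p); } };
using AkidPtr = std::unique_ptr<FakeAkid, AkidDeleter>;
AkidPtr get_owned(bool present, int &crit) {
    return AkidPtr(static_cast<FakeAkid *>(fake_get_ext_d2i(present, &crit)));
}

int main() {
    int crit = 0;
    FakeAkid *a = nullptr;  // initialised, unlike the pointer in the post
    bool ok = get_by_value(true, crit, a);
    std::printf("by value: ok=%d ptr=%p leaked=%d\n", ok, (void *)a, live_objects);
    FakeAkid *b = nullptr;
    get_by_reference(true, crit, b);
    std::printf("by reference: keyid=%s\n", b ? b->keyid : "(none)");
    fake_akid_free(b);
    return 0;
}
```

In the by-value case the function returns true while the caller's pointer is unchanged; with an uninitialised caller pointer, as in the first post, that leaves a garbage non-NULL value to be dereferenced.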

