Openssl 如何从X509证书获取Keyusage值?
我想从X509结构化证书中检索密钥使用值,我尝试了以下代码Openssl 如何从X509证书获取Keyusage值?,openssl,certificate,ssl-certificate,x509certificate,x509,Openssl,Certificate,Ssl Certificate,X509certificate,X509,我想从X509结构化证书中检索密钥使用值,我尝试了以下代码 X509* lcert=NULL; lCert=PEM_read(filename); // function will return the certificate in X509 unsigned long lKeyusage= lCert->ex_kusage; 当我打印lKeyusage值时。。有时我得到128。。。有时,对于相同的证书,我得到0。。 谁能告诉我是什么错误吗。? 如果我做错了,请给我一些示例代码或正确
X509* lcert=NULL;
lCert=PEM_read(filename); // function will return the certificate in X509
unsigned long lKeyusage= lCert->ex_kusage;
当我打印lKeyusage值时。。有时我得到128。。。有时,对于相同的证书,我得到0。。
谁能告诉我是什么错误吗。?
如果我做错了,请给我一些示例代码或正确的API。我认为最简单的方法是使用内存BIO:
...
X509 *lcert = NULL;
BUF_MEM *bptr = NULL;
char *buf = NULL;
int loc;
FILE *f = fopen("your cert goes here", "rb");
if( (lcert = PEM_read_X509(f, &lcert, NULL, NULL)) == NULL){
// error handling...
}
loc = X509_get_ext_by_NID( lcert, NID_key_usage, -1);
X509_EXTENSION *ex = X509_get_ext(lcert, loc);
BIO *bio = BIO_new(BIO_s_mem());
if(!X509V3_EXT_print(bio, ex, 0, 0)){
// error handling...
}
BIO_flush(bio);
BIO_get_mem_ptr(bio, &bptr);
// now bptr contains the strings of the key_usage, take
// care that bptr->data is NOT NULL terminated, so
// to print it well, let's do something..
buf = (char *)malloc( (bptr->length + 1)*sizeof(char) );
memcpy(buf, bptr->data, bptr->length);
buf[bptr->length] = '\0';
// Now you can printf it or parse it, the way you want...
printf ("%s\n", buf);
...
在我的例子中,对于teste证书,它打印了“数字签名、不可否认性、密钥加密”
还有其他方法,比如使用ASN1_位_字符串*。我可以告诉你,如果以上不符合你的需要
尊敬。我使用下面的代码获取密钥使用值。 方法1
//iCertificate is in X509 format
ASN1_BIT_STRING* lASN1UsageStr;
lASN1UsageStr=(ASN1_BIT_STRING *)X509_get_ext_d2i(iCertificate,NID_key_usage,NULL,NULL);
if(lASN1UsageStr == NULL)
{
cout<<" get ext_d2i function returns errors";
}
else if(lASN1UsageStr->length > 0)
{
lKeyUsage = lASN1UsageStr->data[0];
if(lASN1UsageStr->length > 1)
{
lKeyUsage |= lASN1UsageStr->data[1] << 8;
}// else{}
} else
{
lKeyUsage = -1; //invalid keyusage
}
从OpenSSL v1.0.2d第2365行的
ssl\ssl_lib.c
:
/* This call populates extension flags (ex_flags) */
X509_check_purpose(x, -1, 0);
所以OpenSSL开发人员使用这种方式
如果深入挖掘,您可能会发现调用了
x509v3\u cache\u extensions
,它填充由锁保护的标志。此代码将仅以可读格式打印密钥用法。我在这个线程中回答了一个可能的解决方案:在方法2中,您必须检查exflags
的值,如果它有EXFLAG\u集
,这意味着exkusage
和exkusage
已设置,您不需要调用X509\u check\u ca
,您可以检查v3\u purple.c
,了解更多详细信息
/* This call populates extension flags (ex_flags) */
X509_check_purpose(x, -1, 0);