How extract all OIDs from certificate with OpenSSL

5
votes

I have a problem and no idea how I can solve it. I have a X.509v3 certificate with a custom OID (object identifier) in the ExtendedKeyUsage extension. How can I extract all OIDs from the ExtendedKeyUsage using OpenSSL 1.1.0?

For example, I created a certificate with 3 flags in the ExtendedKeyUsage extension:

"clientAuth, 1.3.6.1.5.5.7.3.103, timeStamping"

clientAuth and timeStamping are known for OpenSSL. The flag in the middle is my custom OID. I added all flags with the OpenSSL function X509V3_EXT_conf_nid(). ok... as far as works all.

Now I tried to extract the OIDs with X509_get_extended_key_usage(cert), but i only get clientAuth and timeStamping.

Now I extracted the raw data from ExtendedKeyUsage as ASN1_OCTET_STRING like this:

int size;
unsigned char *data;
ASN1_OCTET_STRING *os;
X509_EXTENSION *ext;

// extracting data from certificate extension
ext = X509_get_ext(cert, 2);
os = X509_EXTENSION_get_data(ext);

size = ASN1_STRING_length(os);
data = ASN1_STRING_data(os);

This is the content of data in hex: 30:1E:06:08:2B:06:01:05:05:07:03:02:06:08:2B:06:01:05:05:07:03:67:06:08:2B:06:01:05:05:07:03:08.

If I decode this hex string with an external tool, then I get this:

Offset|Length|LenByte|
======+======+===================================================
     0|    30|      1|   SEQUENCE : 
     2|     8|      1|      OBJECT_IDENTIFIER : '1.3.6.1.5.5.7.3.2'    (id-kp-clientAuth)
    12|     8|      1|      OBJECT_IDENTIFIER : '1.3.6.1.5.5.7.3.103'
    22|     8|      1|      OBJECT_IDENTIFIER : '1.3.6.1.5.5.7.3.8'    (id-kp-timeStamping)

My OID is available, but how I extract this OID in OpenSSL? Can I parse it ....and how? :(

Thanks you in advance.

1
c++opensslcertificatex509asn.1
Did you try to use openssl asn1parse -i -in cert.der -inform der?oliv

1 Answers

9
votes

I find a solution!

here is my quick-and-diry code:

// optional: we can set an OID name
OBJ_create("1.3.6.1.5.5.7.3.103", "myObjectShortName", "myObjectLongName");

// find the extendedKeyUsage
int extIndex = X509_get_ext_by_NID(cert, NID_ext_key_usage, -1);
if (extIndex < 0)
    std::cerr << "extendedKeyUsage is not present";

// get the correct X.509 extension
X509_EXTENSION *ext = X509_get_ext(cert, extIndex);
if (!ext)
    std::cerr << "'ext' is a nullptr";

// get the extendedKeyUsage
EXTENDED_KEY_USAGE *eku = static_cast<EXTENDED_KEY_USAGE*>(X509V3_EXT_d2i(ext));
if (!eku)
    std::cerr << "'eku' is a nullptr";

// print all OIDs
for (int i = 0; i < sk_ASN1_OBJECT_num(eku); i++)
{
    char buffer[100];
    OBJ_obj2txt(buffer, sizeof(buffer), sk_ASN1_OBJECT_value(eku, i), 1); // get OID

    std::cout << "eku flag " << i << ": " << buffer << "\t - ";
    std::cout << OBJ_nid2ln(OBJ_obj2nid(sk_ASN1_OBJECT_value(eku, i))) << std::endl; // get OID name
}

// free used resource
if (eku)
    EXTENDED_KEY_USAGE_free(eku);

Output:

eku flag 0: 1.3.6.1.5.5.7.3.2    - TLS Web Client Authentication
eku flag 1: 1.3.6.1.5.5.7.3.103  - myObjectLongName
eku flag 2: 1.3.6.1.5.5.7.3.8    - Time Stamping

maybe this code help someone else