Gaurav Aggarwal wrote, On 2009-05-13 20:07 PDT:
> I was trying to find a custom extension using its object identifier (in
> decimal) : "1, 3, 6, 1, 5, 5, 7, 1, 100".
>
> It seems to me that only CERT_FindCertExtension() function is public.

If you would like to see CERT_FindCertExtensionByOID be public, please file
a request for that as a bug in bugzilla.

> But it takes an integer tag that gets mapped to the actual object
> identifier. Does it mean that I would need to add my extension
> (dynamically or in source code) to the existing map of oids?

To use CERT_FindCertExtension, yes, you would.
If CERT_FindCertExtensionByOID was public, you could use it without
registering your own OID.

> I tried to add my object identifier dynamically:
>
> static SECOidTag addClientCertOID()
> {
>     const unsigned char client_cert[] = { 1, 3, 6, 1, 5, 5, 7, 1, 100 };

That's not the proper encoding of that OID. The first two elements of an
OID are always encoded together as a single value with the formula 40a+b.
e.g.

    { 43, 6, 1, 5, 5, 7, 1, 100 };

See SEC_StringToOID() or CERT_GetOidString().

    SECOidData clientCertOID = {
        { siDEROID, client_cert, sizeof client_cert },
        SEC_OID_UNKNOWN,
        "Client Certificate Usage",
        CKM_INVALID_MECHANISM,
        SUPPORTED_CERT_EXTENSION
    };

Try the above variant. Note the added braces, and the fact that we tell
the code that this OID is a *supported* cert extension OID, rather than an
*invalid* cert extension OID.

>     SECOID_Init();

That only needs to be called once, and it is called during NSS
initialization, so if your code is running after NSS has been initialized,
you needn't call that, and shouldn't.

>     return SECOID_AddEntry(&clientCertOID);
> }
> static SECOidTag OID_CLIENT_CERT = addClientCertOID();
>
> The object identifier gets added but the following call fails to find this
> extension in the certificate:
>
> CERT_FindCertExtension(node->cert, OID_CLIENT_CERT, encitem)
>
> After debugging, I found that SECItem objects that contain oid from the
> certificate and oid corresponding to the OID_CLIENT_CERT tag do not match.

Yup. The problem was almost certainly your encoding of the OID.
But the other issues I described above may also have been factors.

> Could anyone please advise me on what format to use when adding an extension
> using an object identifier or any better way of checking an extension in a
> certificate?

You're very close. With the above info, I think you'll get there.

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
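As an added illustration (not code from this thread and not NSS's own implementation; in real code you would call SEC_StringToOID() as the reply suggests), here is the DER OBJECT IDENTIFIER encoding rule the reply describes, carried through in stand-alone C. It folds the first two arcs into 40*a+b, base-128 encodes every arc so that it also handles arcs above 127 (which the thread's example does not need), and includes a byte-for-byte comparison of the kind that fails when the registered SECOidData holds the unencoded arcs. The function names oid_string_to_der and oid_matches, and the sample OIDs in main, are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Encode one OID arc in base-128, most significant group first, with the
   high bit set on every byte except the last. Returns bytes written, or 0
   if the output buffer is too small. */
static size_t encode_arc(unsigned long arc, unsigned char *out, size_t cap)
{
    unsigned char groups[10];   /* enough 7-bit groups for a 64-bit arc */
    size_t n = 0;
    do {
        groups[n++] = (unsigned char)(arc & 0x7F);
        arc >>= 7;
    } while (arc != 0);
    if (n > cap)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char g = groups[n - 1 - i];
        out[i] = (i + 1 < n) ? (unsigned char)(g | 0x80) : g;
    }
    return n;
}

/* Convert a dotted-decimal OID string ("1.3.6.1.5.5.7.1.100") into the DER
   contents octets of an OBJECT IDENTIFIER (no tag or length byte), which is
   what a siDEROID SECItem carries. Returns the encoded length, or 0 on
   error: malformed string, fewer than two arcs, first arc > 2, second arc
   > 39 when the first arc is 0 or 1, or output buffer too small. */
size_t oid_string_to_der(const char *dotted, unsigned char *out, size_t cap)
{
    unsigned long arcs[32];
    size_t n_arcs = 0;
    const char *p = dotted;

    if (dotted == NULL || *dotted == '\0')
        return 0;
    for (;;) {
        char *end;
        if (*p < '0' || *p > '9' || n_arcs >= 32)
            return 0;                 /* empty arc, junk, or too many arcs */
        arcs[n_arcs++] = strtoul(p, &end, 10);
        if (*end == '\0')
            break;
        if (*end != '.')
            return 0;
        p = end + 1;
    }
    if (n_arcs < 2 || arcs[0] > 2 || (arcs[0] < 2 && arcs[1] > 39))
        return 0;

    /* The first two arcs share one value: 40*a + b, so "1.3" becomes 43. */
    size_t len = encode_arc(arcs[0] * 40 + arcs[1], out, cap);
    if (len == 0)
        return 0;
    for (size_t i = 2; i < n_arcs; i++) {
        size_t w = encode_arc(arcs[i], out + len, cap - len);
        if (w == 0)
            return 0;
        len += w;
    }
    return len;
}

/* Byte-for-byte comparison of an already-encoded OID (as found in a
   certificate extension) against a dotted string. */
int oid_matches(const unsigned char *der, size_t der_len, const char *dotted)
{
    unsigned char buf[64];
    size_t n = oid_string_to_der(dotted, buf, sizeof buf);
    return n != 0 && n == der_len && memcmp(buf, der, n) == 0;
}

int main(void)
{
    /* Constructed sample inputs: the thread's OID, one with multi-byte
       arcs (the PKCS#1 prefix), and one exercising the 40*a+b fold. */
    static const char *samples[] = { "1.3.6.1.5.5.7.1.100", "1.2.840.113549", "2.999" };
    for (size_t s = 0; s < sizeof samples / sizeof samples[0]; s++) {
        unsigned char buf[64];
        size_t n = oid_string_to_der(samples[s], buf, sizeof buf);
        printf("%-22s ->", samples[s]);
        for (size_t i = 0; i < n; i++)
            printf(" %u", (unsigned)buf[i]);
        printf("\n");
    }
    return 0;
}
```

Running it prints the thread's OID as 43 6 1 5 5 7 1 100, which is exactly the initializer the reply recommends; comparing the nine unencoded arcs against that string fails, which is the mismatch observed in the debugger.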