Get full OCTET STRING of an extension #8941

@ribes96

Version

5.7.6-stable

Description

RFC5280 defines an X.509 extension as

   Extension  ::=  SEQUENCE  {
        extnID      OBJECT IDENTIFIER,
        critical    BOOLEAN DEFAULT FALSE,
        extnValue   OCTET STRING
                    -- contains the DER encoding of an ASN.1 value
                    -- corresponding to the extension type identified
                    -- by extnID
        }

OpenSSL's function X509_EXTENSION_get_data returns the full extnValue OCTET STRING.
But WolfSSL's function wolfSSL_X509_EXTENSION_get_data doesn't seem to get the full OCTET STRING, but some data specific to each extension.

For example, for AuthorityKeyIdentifier, which is defined as

   AuthorityKeyIdentifier ::= SEQUENCE {
      keyIdentifier             [0] KeyIdentifier           OPTIONAL,
      authorityCertIssuer       [1] GeneralNames            OPTIONAL,
      authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL  }

it directly gives the keyIdentifier array (in my case {0x3d, 0x1, 0xd3, 0x87,...}) instead of the SEQUENCE, which should start with {0x30, 0x16, 0x80, 0x14, 0x3d, 0x1, 0xd3, 0x87,...}

wolfSSL_X509_EXTENSION_get_data is aliased to X509_EXTENSION_get_data, so I guess the intention is for them to have the same behavior. If not, is there a way to get the full extnValue OCTET STRING?
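
The two byte layouts described in the issue, as an added example that is not part of the original report and is not wolfSSL or OpenSSL code: a small DER walk that tells the full AuthorityKeyIdentifier SEQUENCE apart from a bare keyIdentifier and extracts the key id from the former. The helper names are hypothetical, and only the first eight sample bytes come from the issue; the rest are constructed filler.

```c
#include <stdint.h>
#include <stdio.h>

/* extnValue contents for AuthorityKeyIdentifier. The first 8 bytes are the
 * ones quoted in the issue; the remaining 16 are constructed filler. */
static const uint8_t SAMPLE_AKID[24] = {
    0x30, 0x16, 0x80, 0x14, 0x3d, 0x01, 0xd3, 0x87,
    0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
    0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf };

/* Parse one DER tag/length header (definite lengths, at most 2 length
 * bytes). Returns the header size, or 0 if truncated or unsupported. */
static size_t der_header(const uint8_t *b, size_t n, uint8_t *tag, size_t *len)
{
    size_t hdr = 2, k, i;
    if (n < 2) return 0;
    *tag = b[0]; *len = b[1];
    if (b[1] >= 0x80) {
        k = b[1] & 0x7f;
        if (k == 0 || k > 2 || n < 2 + k) return 0;
        for (*len = 0, i = 0; i < k; i++) *len = (*len << 8) | b[2 + i];
        hdr += k;
    }
    return (*len <= n - hdr) ? hdr : 0;
}

/* Hypothetical helper: ext/n is the content of the extnValue OCTET STRING.
 * Returns 0 and sets kid/kid_len if it is a SEQUENCE starting with [0]
 * keyIdentifier; -1 if not a full-length SEQUENCE; -2 if [0] is absent. */
int akid_key_identifier(const uint8_t *ext, size_t n,
                        const uint8_t **kid, size_t *kid_len)
{
    uint8_t tag; size_t len, hdr = der_header(ext, n, &tag, &len);
    if (hdr == 0 || tag != 0x30 || hdr + len != n) return -1;
    ext += hdr;
    hdr = der_header(ext, len, &tag, &len);
    if (hdr == 0 || tag != 0x80) return -2;
    *kid = ext + hdr;
    *kid_len = len;
    return 0;
}

int main(void)
{
    const uint8_t *kid; size_t kid_len;
    printf("full extnValue: rc=%d\n", akid_key_identifier(SAMPLE_AKID, sizeof SAMPLE_AKID, &kid, &kid_len));
    printf("bare key id:    rc=%d\n", akid_key_identifier(SAMPLE_AKID + 4, 20, &kid, &kid_len));
    return 0;
}
```

The SEQUENCE check is a heuristic: a bare key identifier whose bytes happen to form a full-length SEQUENCE header would be misclassified, so code comparing the two libraries' output should not rely on it alone.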
