Mbed forum

Generic function to extract extensions by OIDs

(Jiri Appl) #1


x509_crt.c contains x509_get_crt_ext, which extracts the contents of a few well-known extensions and stores them in the mbedtls_x509_crt. It, however, ignores anything else. Given that ext_type is a bitmask, it will not scale well to every possible extension. Has there been any consideration of extending the public API to expose a function which, given a mbedtls_x509_crt and an OID, returns the extension payload buffer?


(Ron Eldor) #2

Hi Jiri,
This was not considered, as it wasn’t part of the scope of Mbed TLS.
However, we may consider this, if you add your reasoning for this request, and what standard you wish to use.
Note that mbedtls_x509_crt has a member v3_ext which holds a pointer to the location of the certificate v3 extensions. This is an internal member, and we can't commit that it won't change.
You may try to use this buffer and implement your function to retrieve the specific extension, using your OID, with the internal function mbedtls_x509_get_ext(), similarly to other functions in Mbed TLS that use this function, assuming you are aware of what you are doing.
Mbed TLS Team member
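Added example, not code from this thread or from Mbed TLS: a self-contained C walk over a DER-encoded Extensions SEQUENCE that returns the extnValue (and the critical flag) of the extension whose extnID matches a caller-supplied OID. It does in plain C what Ron's suggestion would do against crt->v3_ext with mbedtls_x509_get_ext() and mbedtls_asn1_get_tag(), so it can be compiled and run without the library. The OID is compared as raw DER bytes, which is also how Mbed TLS's MBEDTLS_OID_* macros are defined. The extensions blob, the private-arc OID 1.3.6.1.4.1.55555.1, the string "hello" and the function names are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read one DER tag/length header at *p (bounded by end). On success advance
 * *p to the content and return 0; reject indefinite, oversized and
 * truncated lengths. Assumption: single-byte tags (true for X.509 fields). */
static int der_read_tl(const uint8_t **p, const uint8_t *end,
                       uint8_t *tag, size_t *len)
{
    const uint8_t *q = *p;
    if (end - q < 2) return -1;
    *tag = *q++;
    uint8_t first = *q++;
    if (first < 0x80) {
        *len = first;
    } else {
        size_t n = first & 0x7F, l = 0;
        if (n == 0 || n > sizeof(size_t) || (size_t)(end - q) < n) return -1;
        while (n--) l = (l << 8) | *q++;
        *len = l;
    }
    if ((size_t)(end - q) < *len) return -1;   /* content must fit in buffer */
    *p = q;
    return 0;
}

/* Walk Extensions ::= SEQUENCE OF Extension and return the extnValue of the
 * extension whose extnID equals the DER-encoded OID bytes. Returns 0 and sets
 * *value/*value_len/*critical on success, 1 if absent, -1 if malformed. In
 * Mbed TLS the input would be crt->v3_ext.p / .len (internal, may change). */
int x509_find_ext_by_oid(const uint8_t *exts, size_t exts_len,
                         const uint8_t *oid, size_t oid_len,
                         const uint8_t **value, size_t *value_len, int *critical)
{
    const uint8_t *p = exts, *end = exts + exts_len;
    uint8_t tag;
    size_t len;

    if (der_read_tl(&p, end, &tag, &len) != 0 || tag != 0x30) return -1;
    if (p + len != end) return -1;             /* no trailing garbage */

    while (p < end) {
        /* Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
         *                          extnValue OCTET STRING } */
        if (der_read_tl(&p, end, &tag, &len) != 0 || tag != 0x30) return -1;
        const uint8_t *ext_end = p + len;

        if (der_read_tl(&p, ext_end, &tag, &len) != 0 || tag != 0x06) return -1;
        const uint8_t *this_oid = p;
        size_t this_oid_len = len;
        p += len;

        int is_critical = 0;
        if (der_read_tl(&p, ext_end, &tag, &len) != 0) return -1;
        if (tag == 0x01) {                     /* optional critical BOOLEAN */
            if (len != 1) return -1;
            is_critical = (*p != 0);
            p += 1;
            if (der_read_tl(&p, ext_end, &tag, &len) != 0) return -1;
        }
        if (tag != 0x04 || p + len != ext_end) return -1;

        if (this_oid_len == oid_len && memcmp(this_oid, oid, oid_len) == 0) {
            *value = p;
            *value_len = len;
            *critical = is_critical;
            return 0;
        }
        p = ext_end;                           /* skip extensions we don't want */
    }
    return 1;
}

/* Constructed sample: basicConstraints (critical, cA=TRUE) followed by a
 * hypothetical project extension under the private enterprise arc. */
static const uint8_t kSampleExts[] = {
    0x30, 0x27,                                    /* Extensions, 39 bytes   */
    0x30, 0x0F,                                    /* basicConstraints       */
      0x06, 0x03, 0x55, 0x1D, 0x13,                /* extnID 2.5.29.19       */
      0x01, 0x01, 0xFF,                            /* critical TRUE          */
      0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xFF,    /* extnValue {cA TRUE}    */
    0x30, 0x14,                                    /* 1.3.6.1.4.1.55555.1    */
      0x06, 0x09, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x83, 0xB2, 0x03, 0x01,
      0x04, 0x07, 0x0C, 0x05, 'h', 'e', 'l', 'l', 'o', /* UTF8String "hello" */
};
static const uint8_t kCustomOid[] = { 0x2B, 0x06, 0x01, 0x04, 0x01, 0x83, 0xB2, 0x03, 0x01 };
static const uint8_t kBasicConstraintsOid[] = { 0x55, 0x1D, 0x13 };

int main(void)
{
    const uint8_t *value; size_t value_len; int critical;
    if (x509_find_ext_by_oid(kSampleExts, sizeof kSampleExts, kCustomOid,
                             sizeof kCustomOid, &value, &value_len, &critical) != 0)
        return 1;
    printf("critical=%d, extnValue:", critical);
    for (size_t i = 0; i < value_len; i++) printf(" %02X", value[i]);
    printf("\n");
    return 0;
}
```

Two points a caller should keep in mind: the returned buffer is the raw extnValue OCTET STRING contents, so the caller still has to parse whatever structure the project put inside it; and if the project marks its extension critical, Mbed TLS's certificate parser rejects the certificate as an unsupported critical extension unless MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION is enabled, so a project-specific extension is normally emitted non-critical.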

(Jiri Appl) #3

Thanks, Ron. We are generating certificates with a custom v3 extension specific to our project. It would be nice if Mbed TLS directly had the functionality to pick up a specific OID. I have implemented the function using v3_ext and based it on x509_get_crt_ext. If you are interested, I would be happy to start a PR and discuss the specifics over the code. If not, I can keep it separate. But it felt to me that this would be useful functionality for more folks.

(Ron Eldor) #4

Hi @jiria
As an open source project, we always welcome contributions, as long as they benefit the product, in our opinion, and as long as your company accepts our CLA.
You are welcome to submit a PR to our repository, and the team will discuss with you.
Note that it might take some time, as there are many PRs in our backlog.
Mbed TLS Team member