Generic function to extract extensions by OIDs

Mbed TLS Feature Requests
1

Hello,

x509_crt.c contains x509_get_crt_ext, which extracts contents of few well known extensions and stores it in the mbedtls_x509_crt. It however ignores anything else. Given that ext_type is a bitmask, it will not scale well to any possible extension. Has there been a consideration to extend the public API and expose a function, which given a mbedtls_x509_crt and an OID, it can return the extension payload buffer?

Regards,
Jiri

2

Hi Jiri,
This was not considered, as it wasn’t part of the scope of Mbed TLS.
However, we may consider this, if you add your reasoning for this request, and what standard you wish to use.
Note, that mbedtls_x509_crt has a member v3_ext which holds a pointer to the location of the certificate v3 extensions. This is an internal member, and we can’t commit it won’t change.
You may try to use this buffer and implement your function to retrieve the specific extension, using your OID, with the internal function mbedtls_x509_get_ext(), similar to other functions in Mbed TLS using this function, assuming you are aware of what you are doing.
Regards,
Mbed TLS Team member
Ron

3

Thanks Ron. We are generating certificates with a custom v3 extension specific to our project. It would be nice if Mbed TLS directly had a functionality to pick up a specific OID. I have implemented the function using v3_ext and based it on x509_get_crt_ext. If you were interested, I would be happy to start a PR and discuss over the code the specifics. If not, I can keep it separate. But it felt to me this would be a useful functionality for more folks.

4

Hi @jiria
As an open source project, we always welcome contributions, as long as they have benefit to the product, in our opinion and as long as your company accept our CLA.
You are welcome to submit a PR to our repository, and the team will discuss with you.
Note that it might take some time, as there are many PRs in our backlog.
Regards,
Mbed TLS Team member
Ron

5

Hi Jiri,
We are searching for Mbed TLS functionality to pick up a specific OID, and found that topic you have posted in forum. If you have posted the relevant code in a forum, can please share to us it will helpful to our project for searching X509 v3 extension by OID.

Regards,
Hari Krishnam Raju Kanekal