000018949 - Unable to read in Extended Key Usage extensions in certificates using RSA BSAFE Cert-C

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000018949
Applies To: RSA BSAFE Cert-C 1.0
Issue: Unable to read in Extended Key Usage extensions in certificates using RSA BSAFE Cert-C
When creating an Extended Key Usage extension in a certificate, the resulting DER-encoded value is 7 bytes long. Reading certificates created with other packages shows that these extensions are 8 bytes in length. As a result, applications built with the RSA BSAFE Cert-C API are unable to read these extensions in certificates created by other vendors.
Cause: In RSA BSAFE Cert-C 1.0 the Extended Key Usage OID lengths are defined in the certext.h header file as:

/* extended Key purpose OID lengths */
#define KP_SERVERAUTH_LEN         7
#define KP_CLIENTAUTH_LEN         7
#define KP_CODESIGNING_LEN        7
#define KP_EMAILPROTECTION_LEN    7
#define KP_IPSECENDSYSTEM_LEN     7
#define KP_IPSECTUNNEL_LEN        7
#define KP_IPSECUSER_LEN          7
#define KP_TIMESTAMPING_LEN       7
#define KP_OCSPSIGNING_LEN        7
The RSA BSAFE Cert-C 1.x code has the wrong OIDs hard-coded in the KP_* and KP_*_LEN identifiers.
Resolution: In RSA BSAFE Cert-C 2.0 the default OID lengths for an Extended Key Usage attribute have been increased and are defined in the certext.h header as:

/* extended Key purpose OID lengths */
#define KP_SERVERAUTH_LEN         8
#define KP_CLIENTAUTH_LEN         8
#define KP_CODESIGNING_LEN        8
#define KP_EMAILPROTECTION_LEN    8
#define KP_IPSECENDSYSTEM_LEN     8
#define KP_IPSECTUNNEL_LEN        8
#define KP_IPSECUSER_LEN          8
#define KP_TIMESTAMPING_LEN       8
#define KP_OCSPSIGNING_LEN        8

This is consistent with the object identifiers defined in section 4.2.1.13 of RFC 2459.

The best solution is to upgrade to the latest version of Cert-C. Besides the incorrect OIDs, Cert-C 1.x had a second defect: if a certificate's Extended Key Usage extension contained multiple values, only the last one in the sequence would be reported. The Cert-C API is designed to be backward-compatible with older versions, so to upgrade, recompile your application against the new object library and headers.
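As an added illustration (this is not Cert-C code, and the DER bytes below are constructed for the example), a minimal C reader for an ExtKeyUsage SEQUENCE that reports every listed purpose rather than only the last, and compares each OID against its full 8 content bytes, so a 7-byte length such as the Cert-C 1.0 KP_*_LEN values never matches id-kp-serverAuth:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: DER ExtKeyUsage value (RFC 2459 4.2.1.13) carrying two
 * purposes, id-kp-serverAuth (1.3.6.1.5.5.7.3.1) and id-kp-clientAuth
 * (1.3.6.1.5.5.7.3.2). Each OID has 8 content bytes, hence the "06 08" header. */
static const unsigned char sample_eku[] = {
    0x30, 0x14,
    0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01,
    0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02
};

/* Content bytes of id-kp-serverAuth; a correct KP_SERVERAUTH_LEN equals sizeof this (8). */
static const unsigned char kp_serverauth_oid[] = {
    0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01
};

/* Counts the OIDs in an ExtKeyUsage SEQUENCE; if want is non-NULL, counts only
 * those whose content bytes equal want[0..want_len). Returns -1 on malformed input.
 * Short-form DER lengths are assumed, which every real EKU extension uses. */
int eku_count(const unsigned char *der, size_t len,
              const unsigned char *want, size_t want_len)
{
    size_t pos, end;
    int count = 0;
    if (len < 2 || der[0] != 0x30 || (der[1] & 0x80) || 2u + der[1] > len)
        return -1;
    end = 2u + der[1];
    for (pos = 2; pos < end; pos += 2 + der[pos + 1]) {
        if (end - pos < 2 || der[pos] != 0x06 || (der[pos + 1] & 0x80) ||
            pos + 2 + der[pos + 1] > end)
            return -1;                      /* truncated or non-OID element */
        if (!want || (der[pos + 1] == want_len &&
                      memcmp(der + pos + 2, want, want_len) == 0))
            count++;
    }
    return count;
}

int main(void)
{
    printf("purposes listed: %d\n", eku_count(sample_eku, sizeof sample_eku, NULL, 0));
    printf("serverAuth, 8-byte compare: %d\n",
           eku_count(sample_eku, sizeof sample_eku, kp_serverauth_oid, 8));
    printf("serverAuth, 7-byte compare: %d\n",
           eku_count(sample_eku, sizeof sample_eku, kp_serverauth_oid, 7));
    return 0;
}
```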
Legacy Article ID: a4387
