Decoding an ASN.1 DER OCTET STRING with OpenSSL

Roger Dahl picture Roger Dahl · Sep 7, 2011 · Viewed 14.4k times · Source

Using the OpenSSL API, I have extracted a custom extension from a X.509v3 certificate with:

X509_EXTENSION* ex = X509_get_ext(x509, 4);

The X509_EXTENSION object contains a value (ex->value) that is an ASN.1 OCTET STRING. The OCTET STRING contains a DER encoded UTF-8 string. I'm trying to decode the OCTET STRING to get the plain UTF-8 string.

I have tried a few things, such as:

ASN1_STRING_to_UTF8(&buf, ex->value);

and

M_ASN1_OCTET_STRING_print(bio, ex->value);
int len = BIO_read(bio, buf, buf_size);
buf[len] = '\0';

These both give me the DER encoded string. How do I get the plain UTF-8 string?

Answer

Roger Dahl picture Roger Dahl · Sep 8, 2011

@Francois pointed me to the ASN1_get_object() function. That function is appropriate for this scenario where the certificate extension contains only a single value.

ASN1_get_object() takes a pointer to a pointer to a C buffer that contains a DER encoded object. It returns the data itself (by adjusting the pointer), the length of the data, the ASN.1 tag value and the ASN.1 object class.

ASN1_OCTET_STRING* octet_str = X509_EXTENSION_get_data(extension);
const unsigned char* octet_str_data = octet_str->data;
long xlen;
int tag, xclass;
int ret = ASN1_get_object(&octet_str_data, &xlen, &tag, &xclass, octet_str->length);
printf("value: %s\n", octet_str_data);