## Application accessing 'ex_kusage' ##

Matt Caswell matt at openssl.org
Mon Nov 16 10:16:24 UTC 2020



On 13/11/2020 19:10, Narayana, Sunil Kumar wrote:
> Hi,
> 
> We are porting our application from OpenSSL 1.0.1 to OpenSSL 3.0. In
> relation to this activity we require access to the variable
> ‘*ex_kusage*’ pointed to by *X509*.
> 
> But there are no set utilities available to access this variable. Only
> X509_get_key_usage is available.
> 
> Our code for 1.0.1 is as below. Please suggest the right way to achieve
> this.

I'd like to ask why you feel you need to do this at all. It seems to me
like you are replicating libcrypto internal code in your own
application. This is code in libcrypto:

    /* Handle (basic) key usage */
    if ((usage = X509_get_ext_d2i(x, NID_key_usage, &i, NULL)) != NULL) {
        x->ex_kusage = 0;
        if (usage->length > 0) {
            x->ex_kusage = usage->data[0];
            if (usage->length > 1)
                x->ex_kusage |= usage->data[1] << 8;
        }
        x->ex_flags |= EXFLAG_KUSAGE;
        ASN1_BIT_STRING_free(usage);
        /* Check for empty key usage according to RFC 5280 section 4.2.1.3 */
        if (x->ex_kusage == 0) {
            ERR_raise(ERR_LIB_X509, X509V3_R_EMPTY_KEY_USAGE);
            x->ex_flags |= EXFLAG_INVALID;
        }
    } else if (i != -1) {
        x->ex_flags |= EXFLAG_INVALID;
    }

So it seems very similar to what you are trying to do, and I guess some
earlier version of this code was the original source of what is in your
application now.

The purpose of this code is to decode the key usage extension and cache
it in the internal `ex_flags` value. This code gets called in numerous
code paths whenever we need to query extension data - including if you
were to call X509_get_key_usage().

Your application seems to want to manage for itself when libcrypto does
this caching. It should not need to do so - it's entirely internal. My
guess is that, perhaps, in some older version of OpenSSL the caching
didn't happen when it was supposed to and you implemented this
workaround? Or possibly the workaround is still needed due to a bug in
OpenSSL that still doesn't do the caching when needed? If so, I'd like to
understand the circumstances behind that.

Matt
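Added example, not code from this thread or from OpenSSL itself: a stand-alone C model of the caching step quoted above, showing how the KeyUsage BIT STRING payload becomes the `ex_kusage` mask that `X509_get_key_usage()` hands back (bit 0 of the BIT STRING is the MSB of payload byte 0, so `decipherOnly`, bit 8, lands in byte 1 and becomes `0x8000`). The `KU_*` values match `<openssl/x509v3.h>`; the `UINT32_MAX`-when-absent and 0-when-invalid return convention is my reading of the 3.0 accessor and is an assumption the thread does not show.

```c
/* Added example, not code from the thread or from OpenSSL: a stand-alone model
 * of how libcrypto folds the KeyUsage BIT STRING into the ex_kusage mask that
 * X509_get_key_usage() returns. KU_* values match <openssl/x509v3.h>. */
#include <stdint.h>
#include <stdio.h>

#define KU_DIGITAL_SIGNATURE 0x0080   /* bit 0: MSB of payload byte 0 */
#define KU_KEY_ENCIPHERMENT  0x0020
#define KU_KEY_CERT_SIGN     0x0004
#define KU_DECIPHER_ONLY     0x8000   /* bit 8: MSB of payload byte 1 */

typedef struct {
    uint32_t kusage;   /* cached mask, same layout as X509's ex_kusage */
    int has_ku;        /* extension present and decoded (EXFLAG_KUSAGE) */
    int invalid;       /* empty KeyUsage, RFC 5280 4.2.1.3 (EXFLAG_INVALID) */
} ku_cache;

/* data/len: BIT STRING payload octets (ASN1_BIT_STRING.data, unused-bits octet
 * already stripped); present == 0 models a certificate without KeyUsage. */
static ku_cache cache_key_usage(const unsigned char *data, size_t len, int present)
{
    ku_cache c = {0, 0, 0};
    if (!present)
        return c;
    if (len > 0) {
        c.kusage = data[0];                      /* digitalSignature..encipherOnly */
        if (len > 1)
            c.kusage |= (uint32_t)data[1] << 8;  /* decipherOnly */
    }
    c.has_ku = 1;
    c.invalid = (c.kusage == 0);                 /* X509V3_R_EMPTY_KEY_USAGE */
    return c;
}

/* The public view the application should rely on: the cached mask, UINT32_MAX
 * when the extension is absent, 0 when the cache was flagged invalid (assumed). */
uint32_t key_usage_of(const unsigned char *data, size_t len, int present)
{
    ku_cache c = cache_key_usage(data, len, present);
    return c.invalid ? 0 : (c.has_ku ? c.kusage : UINT32_MAX);
}

int main(void)
{
    const unsigned char ee[] = {0xA0};           /* constructed: digSig|keyEnc */
    uint32_t ku = key_usage_of(ee, sizeof ee, 1);
    printf("sign=%d keyenc=%d certsign=%d\n", !!(ku & KU_DIGITAL_SIGNATURE),
           !!(ku & KU_KEY_ENCIPHERMENT), !!(ku & KU_KEY_CERT_SIGN));
    return 0;
}
```

The point of the model is the contrast: the application only ever needs the mask from the accessor and the `KU_*` tests on it, while the byte assembly and the empty-extension check belong to libcrypto.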


