query on key usage OIDs

Viktor Dukhovni openssl-users at dukhovni.org
Sat Jul 17 15:19:22 UTC 2021

On Fri, Jul 16, 2021 at 01:11:04PM +0200, Jakob Bohm via openssl-users wrote:

> Question was how to retrieve those lists for any given certificate,
> using currently supported OpenSSL APIs.
> The lists of usage bits and extusage OIDs in any given certificate
> are finite, even if the list of values that could be in other
> certificates is infinite.

The bits can be retrieved via: X509_get_key_usage(3).


The "standard" EKU extensions can be retrieved via: X509_get_extended_key_usage(3)

    X509_get_extended_key_usage() returns the value of the extended key
    usage extension. If extended key usage is present it will return
    zero or more of the flags: XKU_SSL_SERVER, XKU_SSL_CLIENT,
    XKU_ANYEKU. These correspond to the OIDs id-kp-serverAuth,
    id-kp-clientAuth, id-kp-emailProtection, id-kp-codeSigning,
    id-kp-OCSPSigning, id-kp-timeStamping, id-kp-dvcs and
    anyExtendedKeyUsage respectively.

To retrieve the full list of extended key usage OIDs: X509_get_ext_d2i(3)

    X509 *x;
    EXTENDED_KEY_USAGE *extusage;
    int i;


    if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, &i, NULL)) != NULL) {
        for (i = 0; i < sk_ASN1_OBJECT_num(extusage); ++i) {
            ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(extusage, i);
            /* Do something with "obj" */
    sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);


More information about the openssl-users mailing list