views:

124

answers:

0

So I'm trying to add support for OS X's CDSA API to a tool that uses client-side certificates for identification and authentication.

I've figured out how to get the SecCertificateRef pointers to certificates that the current user has stored in the Keychain using SecIdentitySearchCreate()/SecIdentitySearchCopyNext()/SecIdentityCopyCertificate(), but I need to limit my results to the Digital Signature certificates. Specifying CSSM_KEYUSE_SIGN in my search didn't seem to narrow the search sufficiently.

Using Keychain.app, I can see that the desired certificates have a "Key Usage" extension with a value of "Digital Signature". So I'm trying to get at that extension information programmatically.

From reading through the source (x509defs.h), it seems like the extension data would be stored in a CSSM_X509_EXTENSIONS variable. How can I drill down to this data from a SecCertificateRef?

According to SecCertificateGetType(), the certificate is of type CSSM_CERT_X_509v1. I can get a pointer to the raw data using SecCertificateGetData(), but I'm unsure how to cast the returned pointer in order to get a CSSM_<WHATEVER> pointer.

Failing a direct answer, a pointer to another place to get help with this would be useful too.