Custom certificate extensions & CSR / cert creation: Missing field


Custom certificate extensions & CSR / cert creation: Missing field

Christopher Kunz-3
Hi,

I am using the examples from the O'Reilly book "Network Security with
OpenSSL" (X.509 section) to create a CSR, push a custom extension into
it and sign that CSR with a given private key. This - in general - works
OK, but when I want to use the resulting certificate chain (I have the
signing certificate and a couple more in there) for anything secure
(i.e. mutual authentication), I am greeted with failure.
I wrote an extremely simple program to check what might be wrong with
the certificate stack and this seems to be the problem:

15939:error:0D078079:asn1 encoding routines:ASN1_ITEM_EX_D2I:field
missing:tasn_dec.c:391:Field=d, Type=RSA
15939:error:0907400D:PEM routines:PEM_X509_INFO_read_bio:ASN1
lib:pem_info.c:224:

I figure that there is something wrong with the way I create the ASN.1
object and push it onto the extension stack for the CSR. This looks like
so in my code:

   ASN1_OBJECT *obj;
   ASN1_OCTET_STRING *ex_oct = NULL;
   X509_EXTENSION *ex_execpol = NULL;
   new_nid = OBJ_create(EXECPOLICY_OID, EXECPOLICY_SN, EXECPOLICY_LN);
   obj = OBJ_nid2obj(new_nid);
   if (!(ex_oct = ASN1_OCTET_STRING_new())) {
     int_error("Error creating custom ASN.1 struct");
   }
   if (!(extlist = sk_X509_EXTENSION_new_null())) {
     int_error("Error creating extension stack");
   }

   ASN1_OCTET_STRING_set(ex_oct, policy, -1);
   /* 3rd parameter is critical/noncritical; the octet string is copied
    * into the extension, so ex_oct can be freed afterwards */
   if (!(ex_execpol = X509_EXTENSION_create_by_OBJ(&ex_execpol, obj, 0, ex_oct))) {
     int_error("Error creating X509 extension for execpolicy");
   }
   ASN1_OCTET_STRING_free(ex_oct);
   if (!(sk_X509_EXTENSION_push(extlist, ex_execpol))) {
     int_error("Error pushing custom extension to stack");
   }
   /* X509_REQ_add_extensions() copies the stack, so it is freed below */
   if (!(X509_REQ_add_extensions(req, extlist))) {
     int_error("Error adding ExecPolicy to the request");
   }
   sk_X509_EXTENSION_pop_free(extlist, X509_EXTENSION_free);

Later, I am getting the extension stack from the CSR...

  if (!(req_exts = X509_REQ_get_extensions(req)))
    int_error("Error getting the request's extensions");
  /* register the custom OID in this process so it can be looked up by NID */
  int new_nid = OBJ_create(EXECPOLICY_OID, EXECPOLICY_SN, EXECPOLICY_LN);
  execPolicy_pos = X509v3_get_ext_by_NID(req_exts, new_nid, -1);
  if (execPolicy_pos < 0)
    int_error("ExecPolicy extension not present in the request");
  execPolicy = X509v3_get_ext(req_exts, execPolicy_pos);
  fputc('\n', stdout);

...and add them to the certificate before signing:

/* add x509v3 extensions as specified */
  X509V3_set_ctx(&ctx, CAcert, cert, NULL, NULL, 0);
  for (i = 0; i < EXT_COUNT; i++) {
    X509_EXTENSION *ext;
    if (!(ext = X509V3_EXT_conf(NULL, &ctx, ext_ent[i].key, ext_ent[i].value))) {
      fprintf(stderr, "Error on \"%s = %s\"\n", ext_ent[i].key, ext_ent[i].value);
      int_error("Error creating X509 extension object");
    }
    /* mark purpose as critical */
    if (!(X509_EXTENSION_set_critical(ext, 1))) {
      fprintf(stderr, "Error setting Extension to critical: %s\n", ext_ent[i].key);
      int_error("Error setting Extension to critical");
    }
    /* X509_add_ext() stores a copy, so ext is freed right after */
    if (!X509_add_ext(cert, ext, -1)) {
      fprintf(stderr, "Error on \"%s = %s\"\n", ext_ent[i].key, ext_ent[i].value);
      int_error("Error adding X509 extension to certificate");
    }
    X509_EXTENSION_free(ext);
  }

/* add the extension in the request to the cert */
  if (!X509_add_ext(cert, execPolicy, -1))
    int_error("etc");


Is there anything I am doing horribly wrong along the way? Any pointers
where the missing field could be? I guess it can only be in the custom
ASN.1 structure I have created for my own extension.

Regards and thanks,

--ck
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Custom certificate extensions & CSR / cert creation: Missing field

Dr. Stephen Henson
On Wed, May 09, 2007, Christopher Kunz wrote:
> I wrote an extremely simple program to check what might be wrong with
> the certificate stack and this seems to be the problem:
>
> 15939:error:0D078079:asn1 encoding routines:ASN1_ITEM_EX_D2I:field
> missing:tasn_dec.c:391:Field=d, Type=RSA
> 15939:error:0907400D:PEM routines:PEM_X509_INFO_read_bio:ASN1
> lib:pem_info.c:224:
>

Hmmm that error shouldn't be encountered when you load a certificate. It
suggests that you have an RSA private key but that it is in an invalid format.

If you want to create custom extensions there is a much easier way now: the
mini-ASN1 compiler as mentioned in the docs.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: Custom certificate extensions & CSR / cert creation: Missing field

Christopher Kunz-3
Dr. Stephen Henson wrote:
> Hmmm that error shouldn't be encountered when you load a certificate. It
> suggests that you have an RSA private key but that it is in an invalid format.
>  
I forgot to mention that openssl x509 -text -noout -in mycertchain.pem
does produce valid output, and seems to disregard the error that
prevents the certificate from actually being usable. To me that means
that it somehow has to be syntactically correct. I can provide you with
demo credentials if that is of any help - they are set to run out after
12 hours anyway. :)

Thanks for your help,

--ck

Re: Custom certificate extensions & CSR / cert creation: Missing field

Dr. Stephen Henson
On Wed, May 09, 2007, Christopher Kunz wrote:

> Dr. Stephen Henson schrieb:
> > Hmmm that error shouldn't be encountered when you load a certificate. It
> > suggests that you have an RSA private key but that it is in an invalid format.
> >  
> I forgot to mention that openssl x509 -text -noout -in mycertchain.pem
> does produce valid output, and seems to disregard the error that
> prevents the certificate from actually being usable. To me that means
> that it somehow has to be syntactically correct. I can provide you with
> demo credentials if that is of any help - they are set to run out after
> 12 hours anyway. :)
>
> Thanks for your help,
>

What I meant was that error looks like there is a private key in the file
which is causing the function PEM_read_bio_X509_INFO() to fail when it
attempts to read it rather than a certificate reading error or possibly that
error is from a previous function call.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: Custom certificate extensions & CSR / cert creation: Missing field

Christopher Kunz-3
Hello,

I have isolated the problem to the private key that seems to be
incorrectly generated. When I take my self-created certificate and my
self-created RSA key and try to convert them to PKCS#12, the following
error occurs:

[kunz@ui1 kunz]$ openssl pkcs12 -export -in testcert.pem -inkey
testkey.pem -out test.p12
Error loading private key
22864:error:0D06B078:asn1 encoding routines:ASN1_get_object:header too
long:asn1_lib.c:140:
22864:error:0D080065:asn1 encoding routines:d2i_ASN1_INTEGER:bad object
header:a_int.c:204:
22864:error:0D09D082:asn1 encoding
routines:d2i_RSAPrivateKey:parsing:d2i_r_pr.c:117:
22864:error:0D09B00D:asn1 encoding routines:d2i_PrivateKey:ASN1
lib:d2i_pr.c:89:
22864:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_lib.c:291:

The portion of my C code that generates the key and adds it to the
certificate request looks like this (readers of the O'Reilly OpenSSL
book will find this strangely familiar):

  /* 1024-bit key with public exponent 3 (RSA_3) */
  keypair = RSA_generate_key(1024, RSA_3, NULL, NULL);
  /* RSA_check_key() returns 1 for a valid key, 0 if invalid, -1 on error */
  if (!keypair || RSA_check_key(keypair) != 1)
        int_error("Error with keypair!");
  pkey = EVP_PKEY_new();
  /* set1 takes its own reference; keypair still has to be RSA_free()d later */
  if (!(EVP_PKEY_set1_RSA(pkey, keypair)))
        int_error("Error setting key to RSA");
  if (!(req = X509_REQ_new()))
    int_error("Error creating new request");
  if (!X509_REQ_set_pubkey(req, pkey))
    int_error("Error setting request public key");

After all is said and done, the private key is written to the PEM file:

  if (!(PEM_write_PrivateKey(fp, pkey, NULL,NULL,0,0,NULL)))
    int_error ("Error writing private key");

We're not encrypting the key because the resulting proxy certificate
chain is used for single-sign-on purposes in a Grid environment. We do
need the key because we need to be able to delegate new proxy
certificates based on the one that has just been generated.

However, since the private key and certificate are basically throwaway
items that are regenerated for each job submission, I feel no pain
showing both to you. Impersonate me if you want, but do it quickly ;)
-----BEGIN RSA PRIVATE KEY-----
MIGKAgEAAoGBAJHprxsQfCcjF85LdJfDfSuudh/TuLCoLWgSTBnLJ8e98RmchH0Q
frSEnoUmCFi+bpg2unr6pCi1gGD2VCWf4vs/JJgv5/op4R8KTKYPWjCoduoou+gM
SG9GiJaKiJTRhfb7MaHkyk3wNaEpuzjF4mfJ0cq+8xtlxcoHDBVxeIepAgED
-----END RSA PRIVATE KEY-----

The key is somehow wrong, but how? And why?

Regards,

--ck

Re: Custom certificate extensions & CSR / cert creation: Missing field

Goetz Babin-Ebell
Hello Christopher,

--On May 10, 2007 11:29:25 +0200 Christopher Kunz
<[hidden email]> wrote:

> I have isolated the problem to the private key that seems to be
> incorrectly generated.

[...]

> -----BEGIN RSA PRIVATE KEY-----
> MIGKAgEAAoGBAJHprxsQfCcjF85LdJfDfSuudh/TuLCoLWgSTBnLJ8e98RmchH0Q
> frSEnoUmCFi+bpg2unr6pCi1gGD2VCWf4vs/JJgv5/op4R8KTKYPWjCoduoou+gM
> SG9GiJaKiJTRhfb7MaHkyk3wNaEpuzjF4mfJ0cq+8xtlxcoHDBVxeIepAgED
> -----END RSA PRIVATE KEY-----

The private key is suspiciously short:

openssl asn1parse -in key.pem
    0:d=0  hl=3 l= 138 cons: SEQUENCE
    3:d=1  hl=2 l=   1 prim: INTEGER           :00
    6:d=1  hl=3 l= 129 prim: INTEGER           :91E9AF1B107C272317CE4B7497C37D2BAE761FD3B8B0A82D68124C19CB27C7BDF1199C847D107EB4849E85260858BE6E9836BA7AFAA428B58060F654259FE2FB3F24982FE7FA29E11F0A4CA60F5A30A876EA28BBE80C486F4688968A8894D185F6FB31A1E4CA4DF035A129BB38C5E267C9D1CABEF31B65C5CA070C15717887A9
  138:d=1  hl=2 l=   1 prim: INTEGER           :03

> The key is somehow wrong, but how? And why?
It contains only the public part of the key.

The private part seems to get lost in between...


Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many
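
The check Goetz did by hand with asn1parse can be scripted. The following is an added example, not code from the thread: it strips the PEM armour, walks the DER INTEGERs of a PKCS#1 RSAPrivateKey and reports which fields are present and which are missing, so a key that carries only version, n and e (the case above, and the "Field=d" OpenSSL named in the very first error) is caught before it is ever used. Field names follow RFC 8017; only the single-prime (version 0) layout is handled, and the embedded key is the one posted earlier in the thread.

```python
import base64
import re

# The key posted earlier in this thread: SEQUENCE { INTEGER 0, INTEGER n, INTEGER 3 }
TRUNCATED_KEY_PEM = """-----BEGIN RSA PRIVATE KEY-----
MIGKAgEAAoGBAJHprxsQfCcjF85LdJfDfSuudh/TuLCoLWgSTBnLJ8e98RmchH0Q
frSEnoUmCFi+bpg2unr6pCi1gGD2VCWf4vs/JJgv5/op4R8KTKYPWjCoduoou+gM
SG9GiJaKiJTRhfb7MaHkyk3wNaEpuzjF4mfJ0cq+8xtlxcoHDBVxeIepAgED
-----END RSA PRIVATE KEY-----"""

# Field order of a PKCS#1 RSAPrivateKey with version 0 (RFC 8017, A.1.2).
RSA_PRIVATE_FIELDS = ("version", "n", "e", "d", "p", "q", "dP", "dQ", "qInv")


def pem_to_der(pem):
    body = re.sub(r"-----(BEGIN|END) [^-]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def inspect_rsa_private_key(pem):
    """Return the RSAPrivateKey fields found in the PEM and the ones missing."""
    der = pem_to_der(pem)
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single outer DER SEQUENCE")
    ints, pos = [], 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        if tag != 0x02:  # anything but INTEGER means this is not the version-0 layout
            raise ValueError("unexpected tag 0x%02x inside RSAPrivateKey" % tag)
        ints.append(int.from_bytes(val, "big"))
    present = dict(zip(RSA_PRIVATE_FIELDS, ints))
    missing = [f for f in RSA_PRIVATE_FIELDS if f not in present]
    return {"present": present, "missing": missing,
            "modulus_bits": present["n"].bit_length() if "n" in present else 0}


if __name__ == "__main__":
    report = inspect_rsa_private_key(TRUNCATED_KEY_PEM)
    print("present:", list(report["present"]), "missing:", report["missing"])
```

Run against the posted key it reports version, n and e present and d, p, q, dP, dQ, qInv missing; a correctly written key yields all nine fields and an empty missing list.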


Re: Custom certificate extensions & CSR / cert creation: Missing field

Christopher Kunz-3
Goetz Babin-Ebell wrote:
>
>> The key is somehow wrong, but how? And why?
> It contains only the public part of the key.
>
> The private part seems to get lost in between...

You are so right. In the course of my copy&paste work of art, I
reassigned pkey with... guess what? The certificate's public key. D'oh.

Thanks a lot for pointing me in the correct direction.

Regards,

--ck