extensions-attributes-on the fly


extensions-attributes-on the fly

Saurabh Arora-2
hi

problem:
-------------
- I want to add custom attributes in the standard x509 extensions, without patching the source code.
- I want to add new extension along with standard x509 extension, without patching the source code.
say, adding an attribute :

attribute ::= SEQUENCE {
type    attributetype ,
values  SET OF AttributeValue }

AttributeType ::= OBJECT IDENTIFIER
AttributeValue ::= ANY

to the standard extension say, SubjectDirectoryAttribute

--------------
now I have attempted the following things:
since 0.9.8 the ASN1 mini compiler works, hence I punched some lines in the format of the asn1_generate_nconf function
openssl.cnf:
--------------------
#(very begining)
openssl_conf=init_section

#(under certificate extensions )
[ certificate_extensions ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE

customExtension=ASN1:SEQUENCE:seq          ----> custom code


#(at the very end)
[seq]
flag = BOOLEAN:TRUE

[init_section]
oid_section = asn1_oids

[asn1_oids]
customExtension=1.22.33.4.55.66.777
---------------------

now at the time when ca signs the csr, the following output is generated in the extensions part:
 X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            customExtension:         ------------> custom extension
                0....
            X509v3 Key Usage:


but after successfully signing the csr, when I run the command to see it again:
 - openssl x509 -in testcert.cert -text
I get the following output in the extensions part:

 X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            1.22.33.4.55.66.777:   --------> custom OID of customExtension
                0....
            X509v3 Key Usage:


why?? why Dr. Henson??
why is the name converted back to the OID?
is there a way to see the complete extension, which ideally should look like:
             customExtension:
                flag:FALSE

ok, another method I tried, by using the DER value:
- creating an extfile and storing the extension attributes
- using asn1parse to convert into a DER file
- using xxd and getting the hex value
- finally adding the DER:hex value as per asn1_generate_conf

but the output is exactly the same.
----------------------------------------------------------------------------------------------------

regarding adding a new/custom attribute to a standard x509 extension like SubjectDirectoryAttributes, is there any way to compile them on the fly?

SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute


now how can I add an attribute accordingly to asn1_generate_conf so it does not generate an error?

if I happen to get a proper solution, I will myself write a detailed report on this for the community.
thanks in advance.

tanish

Re: extensions-attributes-on the fly

Dr. Stephen Henson
On Fri, Mar 24, 2006, Saurabh Arora wrote:

> hi
>
> problem:
> -------------
> - I want to add custom attributes in the standard x509 extensions, without
> patching the source code.
> - I want to add new extension along with standard x509 extension, without
> patching the source code.
> say, adding an attribute :
>
> attribute ::= SEQUENCE {
> type    attributetype ,
> values  SET OF AttributeValue }
>
> AttributeType ::= OBJECT IDENTIFIER
> AttributeValue ::= ANY
>
> to the standard extension say, SubjectDirectoryAttribute
>
> --------------
> now I have attempted the following things:
> since 0.9.8 the ASN1 mini compiler works, hence I punched some lines in the format of
> the asn1_generate_nconf function
> openssl.cnf:
> --------------------
> #(very begining)
> openssl_conf=init_section
>
> #(under certificate extensions )
> [ certificate_extensions ]
> # These extensions are added when 'ca' signs a request.
> # This goes against PKIX guidelines but some CAs do it and some software
> # requires this to avoid interpreting an end user certificate as a CA.
> basicConstraints=CA:FALSE
>
> customExtension=ASN1:SEQUENCE:seq          ----> custom code
>
>
> #(at the very end)
> [seq]
> flag = BOOLEAN:TRUE
>
> [init_section]
> oid_section = asn1_oids
>
> [asn1_oids]
> customExtension=1.22.33.4.55.66.777
> ---------------------
>
> now at the time when ca signs the csr, the following output is generated in the
> extensions part:
>  X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             customExtension:         ------------> custom extension
>                 0....
>             X509v3 Key Usage:
>
>
> but after successfully signing the csr, when I run the command to see it
> again:
>  - openssl x509 -in testcert.cert -text
> I get the following output in the extensions part:
>
>  X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             1.22.33.4.55.66.777:   --------> custom OID of customExtension
>                 0....
>             X509v3 Key Usage:
>
>
> why?? why Dr. Henson??
> why is the name converted back to the OID?

The "name" isn't stored in the certificate. The OID is stored there. It is
OpenSSL that translates the OID into the name.

So what you should be asking is why the OID isn't displayed as the name. If
the "x509" utility isn't picking up the new OID definition from the config
file (perhaps the 'req' utility used a custom config file?) then that's one
possible reason...


> is there a way to see the complete extension, which ideally should look like
> :
>              customExtension:
>                 flag:FALSE
>

No. The reason for that is that the extension code for supported extensions
knows that a certain field is called "flag". For unknown arbitrary extensions
it has no idea what a field's name is or how to display it.

You can however produce a friendlier output using the -certopt ext_parse
option. That will run unknown extensions through OpenSSL's generic ASN1
printing routines.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
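Steve's point above (the certificate stores only the OID and the raw DER value; the short name and any field labels come from the tool that prints it) as an added example, not code from the thread or from OpenSSL. It is a small Python DER decoder run over a constructed copy of the config's oid_section, the DER of the thread's OID, and the value that the ASN1:SEQUENCE:seq line produces; the ext_parse-style walk is a simplified imitation of OpenSSL's generic ASN1 printer, not its actual output format.

```python
# Added example, not code from the thread or from OpenSSL: a small DER decoder
# that reproduces both outputs above. The certificate stores only the OID and the
# raw value; "customExtension" is a name the tool looks up from the config it loads.
import re
# Constructed from the thread: its oid_section, the DER of OID 1.22.33.4.55.66.777,
# and the value that ASN1:SEQUENCE:seq with 'flag = BOOLEAN:TRUE' generates.
CONFIG = "[asn1_oids]\ncustomExtension=1.22.33.4.55.66.777\n"
OID_DER = bytes.fromhex("06073e210437428609")
EXT_VALUE = bytes([0x30, 0x03, 0x01, 0x01, 0xFF])

def oid_names(cfg_text):
    """Map dotted OID -> short name from [asn1_oids], as oid_section makes OpenSSL do."""
    sect = re.search(r"\[\s*asn1_oids\s*\](.*?)(?=\n\[|\Z)", cfg_text, re.S)
    pairs = re.findall(r"^\s*(\w+)\s*=\s*([\d.]+)", sect.group(1), re.M) if sect else []
    return {oid: name for name, oid in pairs}

def decode_oid(der):  # DER OBJECT IDENTIFIER, short-form length only
    body = der[2:2 + der[1]]
    top = min(body[0] // 40, 2)            # first byte packs the first two arcs
    arcs, val = [top, body[0] - 40 * top], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)      # base-128, high bit = more to come
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def raw_dump(value):
    """Default unknown-extension view: printable bytes as-is, rest '.'; 0x30 is '0', hence '0....'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in value)

def generic_parse(value, depth=0):
    """An ext_parse-style walk over DER: descend into SEQUENCE, label BOOLEAN."""
    out, i = [], 0
    while i < len(value):
        tag, length = value[i], value[i + 1]     # short-form length only
        content = value[i + 2:i + 2 + length]
        if tag == 0x30:
            out.append("  " * depth + "SEQUENCE")
            out += generic_parse(content, depth + 1)
        elif tag == 0x01:
            out.append("  " * depth + "BOOLEAN:" + ("TRUE" if content[0] else "FALSE"))
        else:
            out.append("  " * depth + "[tag 0x%02x] %s" % (tag, content.hex()))
        i += 2 + length
    return out

def show_extension(oid_der, value, names, ext_parse=False):
    """Render one extension as x509 -text would, given whatever names the tool knows."""
    oid = decode_oid(oid_der)
    body = generic_parse(value) if ext_parse else [raw_dump(value)]
    return [names.get(oid, oid) + ":"] + ["    " + line for line in body]
```

Calling show_extension with oid_names(CONFIG) yields the "customExtension:" header from the ca run, while passing an empty dict (the x509 utility not loading that config) yields the bare "1.22.33.4.55.66.777:" header; ext_parse=True replaces the "0...." line with the decoded SEQUENCE/BOOLEAN structure.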

Re: extensions-attributes-on the fly

Saurabh Arora-2


On 3/24/06, Dr. Stephen Henson <[hidden email]> wrote:
On Fri, Mar 24, 2006, Saurabh Arora wrote:

> hi
>
> problem:
> -------------
> - I want to add custom attributes in the standard x509 extensions, without
> patching the source code.
> - I want to add new extension along with standard x509 extension, without
> patching the source code.
> say, adding an attribute :
>
> attribute ::= SEQUENCE {
> type    attributetype ,
> values  SET OF AttributeValue }
>
> AttributeType ::= OBJECT IDENTIFIER
> AttributeValue ::= ANY
>
> to the standard extension say, SubjectDirectoryAttribute
>
> --------------
> now I have attempted the following things:
> since 0.9.8 the ASN1 mini compiler works, hence I punched some lines in the format of
> the asn1_generate_nconf function
> openssl.cnf:
> --------------------
> #(very begining)

> openssl_conf=init_section
>
> #(under certificate extensions )
> [ certificate_extensions ]
> # These extensions are added when 'ca' signs a request.
> # This goes against PKIX guidelines but some CAs do it and some software
> # requires this to avoid interpreting an end user certificate as a CA.
> basicConstraints=CA:FALSE
>
> customExtension=ASN1:SEQUENCE:seq          ----> custom code
>
>
> #(at the very end)
> [seq]
> flag = BOOLEAN:TRUE
>
> [init_section]
> oid_section = asn1_oids
>
> [asn1_oids]
> customExtension=1.22.33.4.55.66.777
> ---------------------
>
> now at the time when ca signs the csr, the following output is generated in the
> extensions part:
>  X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             customExtension:         ------------> custom extension
>                 0....
>             X509v3 Key Usage:
>
>
> but after successfully signing the csr, when I run the command to see it
> again:
>  - openssl x509 -in testcert.cert -text
> I get the following output in the extensions part:
>
>  X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             1.22.33.4.55.66.777:   --------> custom OID of customExtension
>                 0....
>             X509v3 Key Usage:
>
>
> why?? why Dr. Henson??
> why is the name converted back to the OID?

The "name" isn't stored in the certificate. The OID is stored there. It is
OpenSSL that translates the OID into the name.

So what you should be asking is why the OID isn't displayed as the name. If
the "x509" utility isn't picking up the new OID definition from the config
file (perhaps the 'req' utility used a custom config file?) then that's one
possible reason...


> is there a way to see the complete extension, which ideally should look like
> :
>              customExtension:
>                 flag:FALSE
>

No. The reason for that is that the extension code for supported extensions
knows that a certain field is called "flag". For unknown arbitrary extensions
it has no idea what a field's name is or how to display it.

You can however produce a friendlier output using the -certopt ext_parse
option. That will run unknown extensions through OpenSSL's generic ASN1
printing routines.

yes, -certopt worked, but not like I wanted. which means (correct me if I am wrong) I will have to get into
patching the source code for the extension code to get the desired output for my application.
now please tell me, where can I find the extension source code, where I can find the values like basicConstraints etc.?


also please throw some light on:

regarding adding a new/custom attribute to a standard x509 extension like SubjectDirectoryAttributes, is there any way to compile them on the fly?

SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute


now how can I add an attribute accordingly to asn1_generate_conf so it does not generate an error?


thanks
