Hi Steve: Thanks for your reply. Just so that the mailing list has this answer the next time some poor sod has to implement this, I'd just like to confirm that this is now the right formulation in openssl.cnf:
[my_cert_extensions]
basicConstraints = CA:FALSE
keyUsage = critical, keyEncipherment, dataEncipherment
SMIME-CAPS = ASN1:SEQUENCE:smime_seq
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

[ smime_seq ]
SMIMECapability.0 = SEQWRAP,OID:sha1
SMIMECapability.1 = SEQWRAP,OID:sha256
SMIMECapability.2 = SEQWRAP,OID:sha1WithRSA
SMIMECapability.3 = SEQWRAP,OID:aes-256-ecb
SMIMECapability.4 = SEQWRAP,OID:aes-256-cbc
SMIMECapability.5 = SEQWRAP,OID:aes-256-ofb
SMIMECapability.6 = SEQWRAP,OID:aes-128-ecb
SMIMECapability.7 = SEQWRAP,OID:aes-128-cbc
SMIMECapability.8 = SEQWRAP,OID:aes-128-ecb
SMIMECapability.9 = SEQUENCE:rsa_enc

[ rsa_enc ]
capabilityID = OID:rsaEncryption
parameter = NULL

Have I got the magic formula right now? (This LOOKS like it generates the right ASN.1 - but I just want to be sure...:)

Thanks.

Patrick.

Dr. Stephen Henson wrote:
> On Tue, Aug 25, 2009, Patrick Patterson wrote:
>
>> Hello all:
>>
>> I find myself needing to create some test certificates with SMIME
>> Capabilities encoded in them.
>> Now, the ASN.1 prototype for these is:
>>
>> SMIMECapabilities ::= SEQUENCE OF SMIMECapability
>>
>> SMIMECapability ::= SEQUENCE {
>>   capabilityID OBJECT IDENTIFIER,
>>   parameters ANY DEFINED BY capabilityID OPTIONAL }
>>
>> To me, this means that, in an extensions section of openssl.cnf, I should be
>> able to do something like:
>>
>> [my_cert_extensions]
>> basicConstraints = CA:FALSE
>> keyUsage = critical, keyEncipherment, dataEncipherment
>> SMIME-CAPS = ASN1:SEQUENCE:smime_seq
>> subjectKeyIdentifier = hash
>> authorityKeyIdentifier = keyid,issuer
>>
>> [ smime_seq ]
>> capabilityID.0 = OID:sha1
>> capabilityID.1 = OID:sha256
>> capabilityID.2 = OID:sha1WithRSA
>> capabilityID.3 = OID:aes-256-ecb
>> capabilityID.4 = OID:aes-256-cbc
>> capabilityID.5 = OID:aes-256-ofb
>> capabilityID.6 = OID:aes-128-ecb
>> capabilityID.7 = OID:aes-128-cbc
>> capabilityID.8 = OID:aes-128-ecb
>>
>> And it should work - my problem is that it is devilishly hard to verify and
>> see whether this is, in fact, correct. Not to mention there is a complete lack
>> of any examples of functional certificates out there that I can find. That,
>> and there is a notable lack of client programs that will spit out the contents
>> of this extension in any sort of form that is useful.
>>
>> Can one of the OpenSSL gurus please let me know if I'm on the right path?
>>
>
> Close but you missed the fact that each component is itself a SEQUENCE.
>
> Most of the time the parameters will be absent so you can use the SEQWRAP
> modifier in those cases.
>
> S/MIME Capabilities is used in S/MIME messages so you could use the cms
> printing options to examine it and compare with your result.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
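Added example, not part of this thread and not OpenSSL code: a small standard-library Python script that encodes the DER an SMIMECapabilities extension carries under Steve's corrected layout (each entry its own SEQUENCE, which is what `SEQWRAP,OID:x` and the `rsa_enc` section produce), encodes the flat layout from the first attempt (bare OIDs inside the outer SEQUENCE), and decodes both with a minimal DER parser that enforces the ASN.1 module quoted above. The dotted OIDs are the standard assignments for the names used in the thread; the function names and the `NULL` parameter for rsaEncryption are my own choices for illustration.

```python
# Added example (not from the thread): encode the SMIMECapabilities structure the
# corrected openssl.cnf produces, encode the flat first-attempt layout, and decode
# both with a minimal DER parser to show why each entry must itself be a SEQUENCE.
from typing import List, Optional, Tuple

# Standard OID assignments for the short names used in the openssl.cnf above.
OIDS = {
    "sha1": "1.3.14.3.2.26",
    "sha256": "2.16.840.1.101.3.4.2.1",
    "aes-256-cbc": "2.16.840.1.101.3.4.1.42",
    "aes-128-cbc": "2.16.840.1.101.3.4.1.2",
    "rsaEncryption": "1.2.840.113549.1.1.1",
}
SEQUENCE, OID, NULL_TAG = 0x30, 0x06, 0x05


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(OID, bytes(out))


NULL = tlv(NULL_TAG, b"")


def smime_capability(name: str, params: bytes = b"") -> bytes:
    """SMIMECapability ::= SEQUENCE { capabilityID OID, parameters ANY OPTIONAL }.
    'SEQWRAP,OID:x' yields this with no parameters; the rsa_enc section yields
    it with a NULL parameter."""
    return tlv(SEQUENCE, encode_oid(OIDS[name]) + params)


def corrected_layout() -> bytes:
    """SMIMECapabilities ::= SEQUENCE OF SMIMECapability (Steve's fix)."""
    entries = [smime_capability(n) for n in ("sha1", "sha256", "aes-256-cbc", "aes-128-cbc")]
    entries.append(smime_capability("rsaEncryption", NULL))
    return tlv(SEQUENCE, b"".join(entries))


def flat_layout() -> bytes:
    """The first attempt: bare OIDs directly inside the outer SEQUENCE."""
    return tlv(SEQUENCE, b"".join(encode_oid(OIDS[n]) for n in ("sha1", "sha256")))


def parse_tlv(data: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, body, position just after this element)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_capabilities(der: bytes) -> List[Tuple[str, Optional[str]]]:
    """Return (capabilityID, parameters as hex or None) per entry, rejecting
    anything that does not match the SMIMECapabilities syntax."""
    tag, body, _ = parse_tlv(der)
    if tag != SEQUENCE:
        raise ValueError("SMIMECapabilities must be a SEQUENCE")
    caps, pos = [], 0
    while pos < len(body):
        etag, entry, pos = parse_tlv(body, pos)
        if etag != SEQUENCE:
            raise ValueError("each SMIMECapability must itself be a SEQUENCE, got tag 0x%02x" % etag)
        otag, oid_body, after = parse_tlv(entry)
        if otag != OID:
            raise ValueError("capabilityID must be an OBJECT IDENTIFIER")
        params = entry[after:]
        caps.append((decode_oid(oid_body), params.hex() if params else None))
    return caps


def layout_is_valid(der: bytes) -> bool:
    try:
        decode_capabilities(der)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("corrected:", decode_capabilities(corrected_layout()))
    print("flat layout accepted?", layout_is_valid(flat_layout()))
```

Running the script shows the corrected layout decoding to a list of (OID, parameters) pairs, with `0500` (a DER NULL) as the parameter of rsaEncryption, while the flat layout is rejected at the first entry because a bare OID appears where a SEQUENCE is required. The same nesting can be checked on a real certificate with `openssl asn1parse`, which prints each inner SEQUENCE indented beneath the outer one.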