Hi Steve:

Thanks for your reply. Just so that the mailing list has this answer the
next time some poor sod has to implement this, I'd just like to confirm
that this is now the right formulation in openssl.cnf:

[my_cert_extensions]
basicConstraints         = CA:FALSE
keyUsage                 = critical, keyEncipherment, dataEncipherment
SMIME-CAPS               = ASN1:SEQUENCE:smime_seq
subjectKeyIdentifier     = hash
authorityKeyIdentifier   = keyid,issuer

[ smime_seq ]
SMIMECapability.0 = SEQWRAP,OID:sha1
SMIMECapability.1 = SEQWRAP,OID:sha256
SMIMECapability.2 = SEQWRAP,OID:sha1WithRSA
SMIMECapability.3 = SEQWRAP,OID:aes-256-ecb
SMIMECapability.4 = SEQWRAP,OID:aes-256-cbc
SMIMECapability.5 = SEQWRAP,OID:aes-256-ofb
SMIMECapability.6 = SEQWRAP,OID:aes-128-ecb
SMIMECapability.7 = SEQWRAP,OID:aes-128-cbc
SMIMECapability.8 = SEQWRAP,OID:aes-128-ecb
SMIMECapability.9 = SEQUENCE:rsa_enc

[ rsa_enc ]
capabilityID = OID:rsaEncryption
parameter = NULL

Have I got the magic formula right now?

(This LOOKS like it generates the right ASN.1 - but I just want to be
sure...:)

Thanks.

Patrick.


Dr. Stephen Henson wrote:
> On Tue, Aug 25, 2009, Patrick Patterson wrote:
> 
>> Hello all:
>>
>> I find myself needing to create some test certificates with SMIME Capabilities
>> encoded in them. Now, the ASN.1 prototype for these is:
>>
>> SMIMECapabilities ::= SEQUENCE OF SMIMECapability
>>
>> SMIMECapability ::= SEQUENCE {
>>          capabilityID OBJECT IDENTIFIER,
>>          parameters ANY DEFINED BY capabilityID OPTIONAL }
>>
>> To me, this means that, in an extensions section of openssl.cnf, I should be 
>> able to do something like:
>>
>> [my_cert_extensions]
>> basicConstraints         = CA:FALSE
>> keyUsage                 = critical, keyEncipherment, dataEncipherment
>> SMIME-CAPS               = ASN1:SEQUENCE:smime_seq
>> subjectKeyIdentifier     = hash
>> authorityKeyIdentifier   = keyid,issuer
>>
>> [ smime_seq ]
>> capabilityID.0 = OID:sha1
>> capabilityID.1 = OID:sha256
>> capabilityID.2 = OID:sha1WithRSA
>> capabilityID.3 = OID:aes-256-ecb
>> capabilityID.4 = OID:aes-256-cbc
>> capabilityID.5 = OID:aes-256-ofb
>> capabilityID.6 = OID:aes-128-ecb
>> capabilityID.7 = OID:aes-128-cbc
>> capabilityID.8 = OID:aes-128-ecb
>>
>>
>> And it should work - my problem is that it is devilishly hard to verify and
>> see whether this is, in fact, correct. Not to mention there is a complete lack
>> of any examples of functional certificates out there that I can find. That,
>> and there is a notable lack of client programs that will spit out the contents
>> of this extension in any sort of form that is useful.
>>
>> Can one of the OpenSSL gurus please let me know if I'm on the right path?
>>
> 
> Close, but you missed the fact that each component is itself a SEQUENCE.
> 
> Most of the time the parameters will be absent so you can use the SEQWRAP
> modifier in those cases.
> 
> S/MIME Capabilities is used in S/MIME messages, so you could use the cms
> printing options to examine it and compare with your result.
> 
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
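An added example, my own code rather than anything posted in this thread or shipped with OpenSSL: a small stand-alone DER encoder and decoder for the SMIMECapabilities structure, so the raw bytes that `openssl x509 -text` dumps for the SMIME-CAPS extension (or that `openssl asn1parse -genconf ... -out` writes from an `asn1 = SEQUENCE:smime_seq` line) can be decoded and compared, capability by capability, against what the config was meant to say. The capability list is constructed to mirror the [smime_seq] section above; the name-to-OID table is mine and assumes OpenSSL's object names as given. One caveat it makes visible: in OpenSSL's object table the name `sha1WithRSA` is the OIW arc 1.3.14.3.2.29 (short name RSA-SHA1-2), not PKCS#1's `sha1WithRSAEncryption` 1.2.840.113549.1.1.5 (RSA-SHA1), so both are in the table and the decoded output shows which one a given config produced. The decoder also rejects the shape from the first post, bare OIDs inside the outer SEQUENCE with no per-capability SEQUENCE.

```python
# Added example (not from the openssl-users thread): minimal DER encoder and
# decoder for SMIMECapabilities, standard library only, runs offline.
#
#   SMIMECapabilities ::= SEQUENCE OF SMIMECapability
#   SMIMECapability   ::= SEQUENCE {
#       capabilityID OBJECT IDENTIFIER,
#       parameters   ANY DEFINED BY capabilityID OPTIONAL }
from typing import List, Optional, Tuple

# OpenSSL object names used in the config, with their dotted OIDs (my table).
# 'sha1WithRSA' is the OIW arc (RSA-SHA1-2); PKCS#1's sha1WithRSAEncryption
# (RSA-SHA1) is listed too so either one can be recognised in decoded output.
NAMED_OIDS = {
    "sha1": "1.3.14.3.2.26",
    "sha256": "2.16.840.1.101.3.4.2.1",
    "sha1WithRSA": "1.3.14.3.2.29",
    "sha1WithRSAEncryption": "1.2.840.113549.1.1.5",
    "aes-128-ecb": "2.16.840.1.101.3.4.1.1",
    "aes-128-cbc": "2.16.840.1.101.3.4.1.2",
    "aes-128-ofb": "2.16.840.1.101.3.4.1.3",
    "aes-256-ecb": "2.16.840.1.101.3.4.1.41",
    "aes-256-cbc": "2.16.840.1.101.3.4.1.42",
    "aes-256-ofb": "2.16.840.1.101.3.4.1.43",
    "rsaEncryption": "1.2.840.113549.1.1.1",
}
OID_NAMES = {v: k for k, v in NAMED_OIDS.items()}
DER_NULL = b"\x05\x00"              # encoded NULL, i.e. 'parameter = NULL'
SEQUENCE, OBJECT_IDENTIFIER = 0x30, 0x06

Capability = Tuple[str, Optional[bytes]]   # (OID name or dotted string, raw DER params)


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, then base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der_tlv(OBJECT_IDENTIFIER, bytes(out))


def encode_capabilities(caps: List[Capability]) -> bytes:
    """SEQUENCE OF SEQUENCE { OID, params OPTIONAL }: the SEQWRAP Steve describes."""
    items = []
    for oid, params in caps:
        body = encode_oid(NAMED_OIDS.get(oid, oid))
        if params is not None:
            body += params               # ANY: caller supplies already-encoded DER
        items.append(der_tlv(SEQUENCE, body))
    return der_tlv(SEQUENCE, b"".join(items))


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, contents, position after the element); ValueError if truncated."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + ln > len(buf):
        raise ValueError("truncated TLV contents")
    return tag, buf[pos:pos + ln], pos + ln


def decode_oid(body: bytes) -> str:
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_capabilities(der: bytes) -> List[Tuple[str, Optional[bytes]]]:
    """Parse SMIMECapabilities; raise ValueError if a capability is not a SEQUENCE."""
    tag, body, end = read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("outer element is not a lone SEQUENCE")
    caps, pos = [], 0
    while pos < len(body):
        tag, item, pos = read_tlv(body, pos)
        if tag != SEQUENCE:
            raise ValueError("capability is not wrapped in its own SEQUENCE")
        itag, oid_body, p = read_tlv(item, 0)
        if itag != OBJECT_IDENTIFIER:
            raise ValueError("capabilityID is not an OBJECT IDENTIFIER")
        caps.append((decode_oid(oid_body), item[p:] if p < len(item) else None))
    return caps


def describe(der: bytes) -> List[str]:
    """One line per capability: name (dotted OID) plus any parameter bytes."""
    lines = []
    for oid, params in decode_capabilities(der):
        suffix = "" if params is None else "  params=" + params.hex()
        lines.append(f"{OID_NAMES.get(oid, 'unknown')} ({oid}){suffix}")
    return lines


def is_wellformed(der: bytes) -> bool:
    try:
        decode_capabilities(der)
        return True
    except (ValueError, IndexError):
        return False


# Constructed input mirroring the [smime_seq] section in the message above.
POSTED_CAPS: List[Capability] = [
    ("sha1", None), ("sha256", None), ("sha1WithRSA", None),
    ("aes-256-ecb", None), ("aes-256-cbc", None), ("aes-256-ofb", None),
    ("aes-128-ecb", None), ("aes-128-cbc", None), ("aes-128-ecb", None),
    ("rsaEncryption", DER_NULL),
]

if __name__ == "__main__":
    der = encode_capabilities(POSTED_CAPS)
    print(der.hex())
    print("\n".join(describe(der)))
```

Run it and the printed hex is what the config should produce for the extension value; feeding the hex dump from an actual certificate into `decode_capabilities(bytes.fromhex(...))` lists the capabilities by name, which makes both the `sha1WithRSA` arc and the repeated aes-128-ecb entry in the posted list easy to spot. The `is_wellformed` check fails on the first post's shape (OIDs directly under the outer SEQUENCE), which is exactly the bug Steve's SEQWRAP advice fixes.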