On Mon, 10 Mar 2014 08:59:55 -0700, Donald J. <dona...@4email.net> wrote:
>Could someone who is using z/OS PKI Services for z/OS post a sample
>certificate containing an arbitrary extension for HostIdMapping, or an

Would some VBscript help? Did this a loong time ago and I'm not sure it's totally clean, but I did use it.

'
' hostIdMappings - Build hostIdMappings certificate extension for the entities passed as arguments
'
' usage: cscript hostIdMappings.vbs //NOLOGO userA@hostname1 [ userB@hostname2 [...] ] >tempfile.txt
'        if %ERRORLEVEL% LSS 1 certutil.exe -setextension <request-id> 1.3.18.0.2.18.1 @tempfile.txt
'
' The extension we are building is described by:
'
'   id-ce-hostIdMappings OBJECT IDENTIFIER::= {1 3 18 0 2 18 1}
'
'   HostIdMappings::= SET OF HostIdMapping
'
'   HostIdMapping::= SEQUENCE{
'       hostName            IMPLICIT[1] IA5String,
'       subjectId           IMPLICIT[2] IA5String,
'       proofOfIdPossession IdProof OPTIONAL
'   }
'   IdProof::= SEQUENCE{
'       secret              OCTET STRING,
'       encryptionAlgorithm OBJECT IDENTIFIER
'   }
'
' Note: the proofOfIdPossession is not implemented here.
'
' References: z/OS Security Server RACF Callable Services (IBM Doc SA22-7691)
'             Advanced Certificate Enrollment and Management (Microsoft TechNet)
'
Set oArgs = WScript.Arguments

if (oArgs.count < 1) then
    usage()
end if
if (oArgs(0) = "-?") or (oArgs(0) = "-h") then
    usage()
end if

' every argument must look like userid@hostname and stay within 100 characters
for i = 0 to oArgs.count - 1
    if Instr(oArgs(i), "@") = 0 then
        usage()
    end if
    if Len(oArgs(i)) > 100 then
        usage()
    end if
next

' build extension as a SET of SEQUENCEs of subjectID/hostName pairs
hostIdMappings = ""
for i = 0 to oArgs.count - 1
    ' split on the last "@": left part is the user ID, right part the host name
    at = InstrRev(oArgs(i), "@")
    subjectId = Left(oArgs(i), at-1)
    hostName = Right(oArgs(i), Len(oArgs(i)) - at)
    ' WScript.echo "hostName: " & hostName & chr(13) & _
    '              "subjectId: " & subjectId

    ' IMPLICIT(1) + LENGTH + DATA
    asn1HostName = Chr(129) & Chr(Len(hostName)) & hostName
    ' IMPLICIT(2) + LENGTH + DATA
    asn1SubjectId = Chr(130) & Chr(Len(subjectId)) & subjectId
    hostIdMapping = asn1HostName & asn1SubjectId
    ' SEQUENCE + LENGTH + DATA
    asn1HostIdMapping = Chr(48) & Chr(Len(hostIdMapping)) & hostIdMapping
    hostIdMappings = hostIdMappings & asn1HostIdMapping
next

' SET + LENGTH + DATA
' note: total length limited to 32K here
if Len(hostIdMappings) > 255 then
    ' long form with two length bytes; \ is integer division, so Chr() gets the exact high byte
    asn1HostIdMappings = Chr(49) & Chr(130) & Chr(Len(hostIdMappings) \ 256) & Chr(Len(hostIdMappings) Mod 256) & hostIdMappings
elseif Len(hostIdMappings) > 127 then
    ' long form with one length byte (DER requires the shortest length encoding)
    asn1HostIdMappings = Chr(49) & Chr(129) & Chr(Len(hostIdMappings)) & hostIdMappings
else
    asn1HostIdMappings = Chr(49) & Chr(Len(hostIdMappings)) & hostIdMappings
end if

' convert to hex for certutil
hexHostIdMappings = ""
for i = 1 to Len(asn1HostIdMappings)
    hexHostIdMappings = hexHostIdMappings & Right("0" & Hex(Asc(Mid(asn1HostIdMappings, i, 1))), 2) & " "
next
WScript.echo hexHostIdMappings

' - - - - -
'
Function usage
    WScript.Echo "Usage: cscript hostIdMappings.vbs hostIdMap1 [hostIdMap2 [...]]"
    WScript.Echo "  hostIdMaps are in the format userid@hostname and limited to 100 characters"
    WScript.Quit 1
end Function

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN