Herb McCutchan wrote:
I know how to add key usage and cert usage extensions to a Cert Request (CRMF) but how do you add a Subject Alternative Name Extension for an email address in Java? Particularly the third parameter in the Extension Class Constructor.

OK...Many thanks to Bob for pinging the CMS team. A man named Thomas Kwan from Red Hat emailed me about an hour and a half ago with the information that was needed. Herb changed the 1 line he needed to (the CHOICE) in our code and voila, we have SubjectAltName on our certs now.
Incidentally, is there a location where there is some decent documentation (other than RFC2459) on all this? We're not afraid to RTFM.


Many thanks to all those involved!

Dave

For future use of the general population, here is the information sent to me that shows the correct way to add this extension:

The ASN.1 syntax for this is:


SubjectAltName ::= GeneralNames

GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

GeneralName ::= CHOICE {
     otherName                       [0]     OtherName,
     rfc822Name                      [1]     IA5String,
     dNSName                         [2]     IA5String,
     x400Address                     [3]     ORAddress,
     directoryName                   [4]     Name,
     ediPartyName                    [5]     EDIPartyName,
     uniformResourceIdentifier       [6]     IA5String,
     iPAddress                       [7]     OCTET STRING,
     registeredID                    [8]     OBJECT IDENTIFIER}


To build a subject alt name extension with JSS, you may want to do the following:


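import java.io.ByteArrayOutputStream;
import org.mozilla.jss.asn1.*;
import org.mozilla.jss.pkix.cert.Extension;

// OID 2.5.29.17 = subjectAltName
OBJECT_IDENTIFIER subAltNameOid = new OBJECT_IDENTIFIER(new long[] {2, 5, 29, 17});
IA5String emailAddress = new IA5String("[EMAIL PROTECTED]");
// Context tag [1] selects rfc822Name in the GeneralName CHOICE
CHOICE name = new CHOICE(new Tag(1), emailAddress);
SEQUENCE names = new SEQUENCE();
names.addElement(name);
// DER-encode GeneralNames and wrap it in the extension's OCTET STRING
ByteArrayOutputStream oStream = new ByteArrayOutputStream();
names.encode(oStream);
OCTET_STRING os = new OCTET_STRING(oStream.toByteArray());
// false = the extension is not marked critical
Extension exEmail = new Extension(subAltNameOid, false, os);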



Pretty-Print Output:



   0 30   27: SEQUENCE {
   2 06    3:   OBJECT IDENTIFIER subjectAltName (2 5 29 17)
   7 04   20:   OCTET STRING, encapsulates {
   9 30   18:       SEQUENCE {
  11 81   16:         [1] '[EMAIL PROTECTED]'
            :         }
            :       }
            :   }
_______________________________________________
mozilla-crypto mailing list
mozilla-crypto@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-crypto
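
The byte layout shown in the pretty-print output can be reproduced and checked without JSS. The following is an added example, not code from the original post or from JSS: it hand-encodes the same non-critical extension in DER using only the JDK, then reads it back and rejects any first name whose tag is not [1] (0x81). The class and method names are hypothetical, and the 16-character address user@example.com is a constructed sample, so the element lengths come out as 27, 20, 18 and 16 like the dump.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
public class SanDerDemo {
    static final byte[] SAN_OID = {0x55, 0x1D, 0x11}; // content bytes of OID 2.5.29.17

    // One DER tag-length-value; only short-form lengths (content under 128 bytes).
    static byte[] tlv(int tag, byte[] content) {
        if (content.length > 127) throw new IllegalArgumentException("long-form length not handled");
        byte[] out = new byte[2 + content.length];
        out[0] = (byte) tag;
        out[1] = (byte) content.length;
        System.arraycopy(content, 0, out, 2, content.length);
        return out;
    }

    // Extension ::= SEQUENCE { extnID, extnValue }; critical is FALSE, so DER omits it.
    static byte[] emailSanExtension(String email) {
        if (!email.chars().allMatch(c -> c < 0x80)) throw new IllegalArgumentException("IA5String is 7-bit ASCII only");
        byte[] name = tlv(0x81, email.getBytes(StandardCharsets.US_ASCII)); // [1] rfc822Name
        byte[] extnValue = tlv(0x04, tlv(0x30, name)); // OCTET STRING { GeneralNames }
        byte[] oid = tlv(0x06, SAN_OID);
        byte[] body = Arrays.copyOf(oid, oid.length + extnValue.length);
        System.arraycopy(extnValue, 0, body, oid.length, extnValue.length);
        return tlv(0x30, body);
    }

    // Checks the tag at buf[off] and returns that element's content bytes.
    static byte[] expect(int tag, byte[] buf, int off) {
        if (off + 2 > buf.length || (buf[off] & 0xFF) != tag) throw new IllegalArgumentException("unexpected tag at offset " + off);
        int len = buf[off + 1] & 0xFF;
        if (len > 127 || off + 2 + len > buf.length) throw new IllegalArgumentException("bad length");
        return Arrays.copyOfRange(buf, off + 2, off + 2 + len);
    }

    // Reads the first GeneralName of a non-critical SAN extension; anything but [1] is rejected.
    static String readRfc822Name(byte[] ext) {
        byte[] body = expect(0x30, ext, 0);
        if (!Arrays.equals(expect(0x06, body, 0), SAN_OID)) throw new IllegalArgumentException("not subjectAltName");
        byte[] names = expect(0x30, expect(0x04, body, 2 + SAN_OID.length), 0);
        return new String(expect(0x81, names, 0), StandardCharsets.US_ASCII);
    }

    public static void main(String[] args) {
        byte[] ext = emailSanExtension("user@example.com"); // constructed sample address
        System.out.println(new BigInteger(1, ext).toString(16)); // hex; first byte is 0x30, so no leading zero is lost
        System.out.println(readRfc822Name(ext));
    }
}
```

The reader is deliberately strict: an address encoded as a universal IA5String (tag 0x16) rather than context tag [1] fails the check, which is the distinction the CHOICE line in the JSS snippet controls.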
