Hello All,

I did not get any suggestions so I looked at the issue more.

It turned out that I had OBJ_cleanup() called before I needed to use the custom extensions. The long and the short is, do OBJ_create(), if needed, in the client and/or server initialisation code and OBJ_cleanup() in the client and/or server rundown code. The custom extensions will be available to whatever routines use them between the two calls :)

Regards
--

-----Original Message-----

Hello All,

The client piece, in the client/server application I am developing, issues a programmatic certificate signing request. The reason for issue and a list of PC Ids for which the certificate is to be issued are provided outside the request itself. The server, acting here as a CA, constructs the certificate based on information in the certificate request and information from other sources. It needs to include in the final certificate, amongst others, the reason the certificate is being issued and the list of client identifiers for which it is issued. The server uses the following code fragment, based on the selfsign example:

    /* try a custom extension */
    /* x is the X509 being built; cReason and cpPCIDsBuf are the NUL-terminated
     * text values to embed (all three come from the surrounding code) */
    {
        int nid;
        X509_EXTENSION *ex;

        /* register a private OID and treat it like a Netscape comment (IA5String) */
        nid = OBJ_create("1.2.3.4", "IssueReason", "Reason for Issue");
        X509V3_EXT_add_alias(nid, NID_netscape_comment);
        ex = X509V3_EXT_conf_nid(NULL, NULL, nid, cReason);
        X509_add_ext(x, ex, -1);
        X509_EXTENSION_free(ex);

        nid = OBJ_create("1.2.3.5", "IssuedTo", "Issued to");
        X509V3_EXT_add_alias(nid, NID_netscape_comment);
        ex = X509V3_EXT_conf_nid(NULL, NULL, nid, cpPCIDsBuf);
        X509_add_ext(x, ex, -1);
        X509_EXTENSION_free(ex);
    }

This happily produces the goods. After this code executes the server will, when asked with PEM_write_bio_X509, display a human-readable version of the certificate like:

-------
d8:a1:c1:7f:3c:bd:15:fc:fb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment,
Key Agreement
X509v3 Subject Key Identifier:
74:85:02:1A:2F:13:D7:52:AC:0A:0A:17:6C:FC:F2:C9:CC:EB:3C:61
Netscape Cert Type:
SSL Client, Object Signing
Netscape Comment:
OpenSSL Generated Certificate
Reason for Issue:
Reason for Issue: The second reason for issue: We are asking for a new
certificate at this junction
Issued to:
Issued for PC IDs: FRB16155Z50, FRB16155Z50, FRB16155Z50
Signature Algorithm:
md5WithRSAEncryption
72:c3:4b:53:45:cd:1c:
+++++++

Note the ‘Reason for Issue’ and ‘Issued to’ custom extensions.

The extensions are included in the certificate the client gets. The client, when asked with PEM_write_bio_X509, to display a human-readable certificate shows:

e1:44:7c:b9:a2:0f:bf:cc:48:
d8:a1:c1:7f:3c:bd:15:fc:fb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment,
Key Agreement
X509v3 Subject Key Identifier:
74:85:02:1A:2F:13:D7:52:AC:0A:0A:17:6C:FC:F2:C9:CC:EB:3C:61
Netscape Cert Type:
SSL Client, Object Signing
Netscape Comment:
OpenSSL Generated Certificate
1.2.3.4:
.cReason for Issue: The second reason for issue: We are asking for a new
certificate at this junction
1.2.3.5:
.8Issued for PC IDs: FRB16155Z50, FRB16155Z50, FRB16155Z50
Signature Algorithm:
md5WithRSAEncryption
72:c3:4b:53:45:cd:1c:
+++++++

The question I have is what do I need to tell the client so that it can recognise and properly display the custom extensions. I tried the following in the client initialization:

    {
        int nid;

        /* same registration as on the server: private OID aliased to Netscape comment */
        nid = OBJ_create("1.2.3.4", "IssueReason", "Reason for Issue");
        X509V3_EXT_add_alias(nid, NID_netscape_comment);
        nid = OBJ_create("1.2.3.5", "IssuedTo", "Issued to");
        X509V3_EXT_add_alias(nid, NID_netscape_comment);
    }

but that did not help. I tried the same code just before SSL_connect but that too did not help.

Any pointers will be greatly appreciated.

TIA
Regards
--
Michael Czapski
Senior Consultant
SeeBeyond Pty. Ltd.
Ph. +61 2 9263-2700