On Thu, Nov 11, 2004, Charles Cranston wrote:

> First of all let me apologize for the red herring of
> suggesting using command line options.  I keep re-running
> into the "man req" section on "-subj" while forgetting
> that without the private key this is not useful for
> changing the subject name in a CSR.
> 
> If you haven't already stumbled onto this you might
> want to take a look at the file "openssl.txt" in
> the directory "doc" in the OpenSSL source distribution.
> Let me quote a section that is not too far from the top:
> 
>   The syntax of raw extensions is governed by the extension code: it can
>   for example contain data in multiple sections. The correct syntax to
>   use is defined by the extension code itself: check out the certificate
>   policies extension for an example.
> 
>   In addition it is also possible to use the word DER
>   to include arbitrary data in any extension.
> 
>   1.2.3.4=critical,DER:01:02:03:04
>   1.2.3.4=DER:01020304
> 
>   The value following DER is a hex dump of the DER
>   encoding of the extension. Any extension can be placed
>   in this form to override the default behaviour.
>   For example:
> 
>   basicConstraints=critical,DER:00:01:02:03
> 
>   WARNING: DER should be used with caution. It is possible
>   to create totally invalid extensions unless care is taken.
> 
> WARNING: I HAVE NEVER TRIED THIS SO I CANNOT SWEAR THAT IT WILL
> SUCCEED!  But the clear implication is that if you have registered
> the extension object ID you can cause arbitrary bytes to be placed
> in the extension.  In the above 1.2.3.4 would be the object ID of
> the extension, while 00,01,02 etc are the data.
> 
> Clearly this is somewhat more painful even than Assembly
> Language, but it's what I had to do on my homemade computer
> that had 512 bytes of memory.  An alternative would be to
> write code to take a saner format for the data you want to
> put into the extensions, but at least this is an approach
> that does not require change to the source code.
> 
> If you do decide to write code to process your extension,
> the documentation at the bottom of that file should be useful.
> It is titled "X509V3 Extension code: programmers guide".
> 
> If there is some showstopper here that I haven't seen,
> please post so I haven't sent Ray down yet another blind
> alley...
> 

Well, technically the stuff you put with DER shouldn't be arbitrary data. It
should be a well-formed DER structure. Some applications (not based on
OpenSSL) will reject an extension (and possibly the whole certificate) if the
contents are not well formed.

You can use OpenSSL 0.9.8 to do the encoding for you with its mini-ASN1
compiler. Then, when it's produced the right encoding, it can be placed into the
DER option for earlier versions.

You can also hand code it. Again, this isn't as horrible as it sounds. To
take a simple case, the ASN1 OCTET STRING of length up to 127 bytes is formed
like this:

0x04, len, (content).

So the bytes 1, 2, 3, 4 would be:

1.2.3.4=DER:04:04:01:02:03:04

That will put this into a certificate extension. Whether this is of any use
depends on what the OP wants to do with the data when it's there...

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
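Steve's hand-encoded OCTET STRING, and the openssl.txt warning that "DER:" can produce totally invalid extensions, worked through as an added example. This is not code from the thread or from OpenSSL: it builds the DER for an OCTET STRING of any length (the long-form length octets for content over 127 bytes are the generalization the message leaves out), renders it in the colon-separated hex form the config file takes, and checks a "DER:" value for the framing errors that non-OpenSSL verifiers reject (indefinite or non-minimal lengths, truncated content, trailing bytes, a malformed BOOLEAN). The OID 1.2.3.4 is the thread's placeholder, not a registered extension, and the checker handles single-byte tags only.

```python
"""DER helper for OpenSSL's raw "DER:" extension syntax (added example)."""


def der_length(n: int) -> bytes:
    """Definite-form DER length: short form below 128, otherwise long form
    with the minimal number of length octets (X.690 8.1.3)."""
    if n < 0:
        raise ValueError("negative length")
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_octet_string(content: bytes) -> bytes:
    """Tag 0x04, length, content; same layout as the message, any length."""
    return b"\x04" + der_length(len(content)) + content


def openssl_der_value(der: bytes, critical: bool = False) -> str:
    """Render bytes as the 'critical,DER:aa:bb' value an extension line takes."""
    hexs = ":".join("%02x" % b for b in der)
    return ("critical," if critical else "") + "DER:" + hexs


def extension_line(oid: str, der: bytes, critical: bool = False) -> str:
    """One line for an extension section such as [v3_req]; 1.2.3.4 is a placeholder OID."""
    return "%s=%s" % (oid, openssl_der_value(der, critical))


def parse_der_value(value: str) -> bytes:
    """Inverse of openssl_der_value; accepts hex with or without colons."""
    if value.startswith("critical,"):
        value = value[len("critical,"):]
    if not value.startswith("DER:"):
        raise ValueError("not a DER: value")
    return bytes.fromhex(value[4:].replace(":", ""))


def check_der_tlv(der: bytes) -> tuple:
    """Require exactly one well-formed DER TLV; return (tag, content) or raise.

    Multi-byte tag numbers (low five bits all set) are out of scope here.
    """
    if len(der) < 2:
        raise ValueError("too short for a tag and a length")
    tag = der[0]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag numbers not handled by this checker")
    first = der[1]
    pos = 2
    if first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    if first == 0xFF:
        raise ValueError("reserved length octet 0xFF")
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        lb = der[pos:pos + nbytes]
        if len(lb) != nbytes:
            raise ValueError("truncated length field")
        pos += nbytes
        # DER forbids leading zero length octets and long form for lengths < 128.
        if lb[0] == 0x00 or (nbytes == 1 and lb[0] < 0x80):
            raise ValueError("non-minimal length encoding")
        length = int.from_bytes(lb, "big")
    content = der[pos:pos + length]
    if len(content) != length:
        raise ValueError("content truncated")
    if len(der) != pos + length:
        raise ValueError("trailing bytes after the extension value")
    # DER BOOLEAN: exactly one octet, 0x00 or 0xFF (X.690 11.1).
    if tag == 0x01 and (length != 1 or content[0] not in (0x00, 0xFF)):
        raise ValueError("BOOLEAN must be a single 0x00 or 0xFF octet")
    return tag, content


def is_wellformed_der_value(value: str) -> bool:
    """True if a config-file 'DER:' value passes check_der_tlv."""
    try:
        check_der_tlv(parse_der_value(value))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(extension_line("1.2.3.4", der_octet_string(bytes([1, 2, 3, 4]))))
    # The two openssl.txt samples are framing examples, not valid values:
    for v in ("DER:04:04:01:02:03:04", "critical,DER:00:01:02:03", "DER:01020304"):
        print(v, "well-formed" if is_wellformed_der_value(v) else "rejected")
```

Running the checker over the thread's own strings makes Steve's point concrete: the OCTET STRING value passes, `critical,DER:00:01:02:03` leaves two trailing bytes after a one-byte TLV, and `DER:01020304` is a two-octet BOOLEAN, which DER does not allow.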
