Hi,
I am using the examples from the O'Reilly book "Network Security with
OpenSSL" (X.509 section) to create a CSR, push a custom extension into
it and sign that CSR with a given private key. This - in general - works
OK, but when I want to use the resulting certificate chain (I have the
signing certificate and a couple more in there) for anything secure
(i.e. mutual authentication), I am greeted with failure.
I wrote an extremely simple program to check what might be wrong with
the certificate stack and this seems to be the problem:
15939:error:0D078079:asn1 encoding routines:ASN1_ITEM_EX_D2I:field
missing:tasn_dec.c:391:Field=d, Type=RSA
15939:error:0907400D:PEM routines:PEM_X509_INFO_read_bio:ASN1
lib:pem_info.c:224:
I figure that there is something wrong with the way I create the ASN.1
object and push it onto the extension stack for the CSR. This looks like
so in my code:
ASN1_OBJECT *obj;
ASN1_OCTET_STRING *ex_oct = NULL;
X509_EXTENSION *ex_execpol = NULL;
new_nid = OBJ_create(EXECPOLICY_OID, EXECPOLICY_SN, EXECPOLICY_LN);
obj = OBJ_nid2obj(new_nid);
if (!(ex_oct = ASN1_OCTET_STRING_new())) {
int_error("Error creating custom ASN.1 struct");
}
extlist = sk_X509_EXTENSION_new_null();
ASN1_OCTET_STRING_set(ex_oct,policy,-1);
if (!(ex_execpol = X509_EXTENSION_create_by_OBJ(&ex_execpol, obj, 0,
ex_oct))) { //3rd parameter is critical/noncritical
int_error("Error creating X509 extension for execpolicy");
}
if (!(sk_X509_EXTENSION_push (extlist, ex_execpol))) {
int_error("Error pushing custom extension to stack");
}
if (!(X509_REQ_add_extensions (req, extlist))) {
int_error ("Error adding ExecPolicy to the request");
}
sk_X509_EXTENSION_pop_free (extlist, X509_EXTENSION_free);
}
Later, I am getting the extension stack from the CSR...
if (!(req_exts = X509_REQ_get_extensions (req)))
int_error ("Error getting the request's extensions");
int new_nid;
ASN1_OBJECT *obj;
new_nid = OBJ_create(EXECPOLICY_OID, EXECPOLICY_SN, EXECPOLICY_LN);
execPolicy_pos = X509v3_get_ext_by_NID (req_exts,
new_nid, -1);
execPolicy = X509v3_get_ext (req_exts, execPolicy_pos);
fputc ('\n', stdout);
...and add them to the certificate before signing:
/* add x509v3 extensions as specified */
X509V3_set_ctx (&ctx, CAcert, cert, NULL, NULL, 0);
for (i = 0; i < EXT_COUNT; i++)
{
X509_EXTENSION *ext;
if (!(ext = X509V3_EXT_conf (NULL, &ctx,
ext_ent[i].key, ext_ent[i].value)))
{
fprintf (stderr, "Error on \"%s = %s\"\n",
ext_ent[i].key, ext_ent[i].value);
int_error ("Error creating X509 extension object");
}
// Mark purpose as critical
if (!(X509_EXTENSION_set_critical (ext, 1))) {
fprintf(stderr, "Error setting Extension to critical:
%s", ext_ent[i].key);
int_error("Error setting Extension to critical");
}
if (!X509_add_ext (cert, ext, -1))
{
fprintf (stderr, "Error on \"%s = %s\"\n",
ext_ent[i].key, ext_ent[i].value);
int_error ("Error adding X509 extension to certificate");
}
X509_EXTENSION_free (ext);
}
/* add the extension in the request to the cert */
if (!X509_add_ext (cert, execPolicy, -1))
int_error ("etc");
Is there anything I am doing horribly wrong along the way? Any pointers
where the missing field could be? I guess it can only be in the custom
ASN.1 structure I have created for my own extension.
Regards and thanks,
--ck
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
