Dear list,

another trial. ;)

We need to validate the existence and value of an X.509 extension in a client 
certificate from within Apache/mod_ssl. The extension "Admission" is described 
by ISIS-MTT and has OID 1.3.36.8.3.3:

AdmissionSyntax ::= SEQUENCE {
  admissionAuthority GeneralName OPTIONAL,
  contentsOfAdmissions SEQUENCE OF Admissions }

Admissions ::= SEQUENCE {
  admissionAuthority [0] EXPLICIT GeneralName OPTIONAL,
  namingAuthority [1] EXPLICIT NamingAuthority OPTIONAL,
  professionInfos SEQUENCE OF ProfessionInfo }

NamingAuthority ::= SEQUENCE {
  namingAuthorityId OBJECT IDENTIFIER OPTIONAL,
  namingAuthorityUrl IA5String OPTIONAL,
  namingAuthorityText DirectoryString(SIZE(1..128)) OPTIONAL }

ProfessionInfo ::= SEQUENCE {
  namingAuthority [0] EXPLICIT NamingAuthority OPTIONAL,
  professionItems SEQUENCE OF DirectoryString (SIZE(1..128)),
  professionOIDs SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
  registrationNumber PrintableString(SIZE(1..128)) OPTIONAL,
  addProfessionInfo OCTET STRING OPTIONAL }

This does not exactly match what I found here: 
http://vijairaj.blogspot.com/2009/01/parsing-and-using-custom-extension-in.html,
but is taken from the exact specifications we need to comply with.

This extension is not known to our OpenSSL version (0.9.8d) and I don't think 
later versions do know it?!

Furthermore, the suggested code in the above-mentioned article does not really 
fit into mod_ssl and I am hesitating to customize OpenSSL itself as well now. 
It should be possible to read and parse the extension by using ASN1 functions 
without defining the whole extension for OpenSSL, as it can be displayed with 
its OID and raw data by "openssl asn1parse -in <cert>", I think? What I am 
looking for is a feasible approach to doing so from within mod_ssl.

Any help appreciated!

In other news: what I achieved already is validating the certificate's signing 
algorithm and key length, its ExtendedKeyUsage data, the signing algorithm and 
the producedAt date of the OCSP response from within mod_ssl - if anybody is 
interested... I also 'fixed' the receipt of the actual OCSP response, which 
failed if there was an empty line read at the beginning of the response, maybe 
due to a lag in traffic... (not valid code style according to Apache/httpd, I 
guess :( ).

Mit freundlichen Grüßen / Kind regards
 Natanael Mignon

IT - consulting | planning | implementation | operation
__________________________________________________________________________
michael-wessel.de Informationstechnologie GmbH
Krausenstraße 50
30171 Hannover
Germany

fon  (+49) 511 260 911-0 (DW -13)
fax   (+49) 511 318 039-9
eMail    n...@michael-wessel.de
web      www.michael-wessel.de

Managing Director: Michael Wessel Dipl. Phys.
Amtsgericht Hannover (District Court)
HR B 59031

All product and company names may be registered trademarks and/or brand names 
of their respective manufacturers.
Offers are non-binding; errors and misprints excepted.
Delivery subject to our own suppliers delivering to us.
© 2009 michael-wessel.de


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
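The approach the post asks about, worked through as an added example that is not from the post, from OpenSSL or from mod_ssl: a small hand-written DER walker for the AdmissionSyntax structure given above, needing no ASN.1 template registered with OpenSSL. It assumes the raw extension value has already been located, which in mod_ssl would be done with the standard OpenSSL calls X509_get_ext_by_OBJ() (with the object from OBJ_txt2obj("1.3.36.8.3.3", 1)), X509_get_ext() and X509_EXTENSION_get_data(); here that value is a constructed sample blob embedded inline, and the profession "Physician", registration number "12345" and URL http://example.invalid in it are made up. Every length is checked against the buffer, the SIZE(1..128) bounds are enforced on copy, optional and unknown elements are skipped, and a truncated value is rejected rather than partially accepted.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define ADM_MAX_ITEMS 8
typedef struct {                                 /* fields extracted from the extension */
    char profession_items[ADM_MAX_ITEMS][129];   /* DirectoryString SIZE(1..128) + NUL */
    int  n_items;
    char registration_number[129];               /* PrintableString SIZE(1..128) + NUL */
    char naming_authority_url[256];              /* IA5String, bounded by this buffer */
} admission_info;

/* Constructed sample (hypothetical values, not from a real certificate): the DER value of
 * one AdmissionSyntax, i.e. the bytes X509_EXTENSION_get_data() hands back inside mod_ssl. */
static const uint8_t kAdmissionDer[] = {
    0x30, 0x38, 0x30, 0x36, 0x30, 0x34,          /* AdmissionSyntax > contentsOfAdmissions > Admissions */
    0xA1, 0x1A, 0x30, 0x18, 0x16, 0x16,          /* [1] EXPLICIT NamingAuthority > namingAuthorityUrl */
    'h','t','t','p',':','/','/','e','x','a','m','p','l','e','.','i','n','v','a','l','i','d',
    0x30, 0x16, 0x30, 0x14,                      /* professionInfos > ProfessionInfo */
    0x30, 0x0B, 0x0C, 0x09, 'P','h','y','s','i','c','i','a','n',   /* professionItems: UTF8String */
    0x13, 0x05, '1','2','3','4','5'              /* registrationNumber PrintableString */
};

/* Read one DER tag/length header: returns the header size, 0 if malformed or overlong. */
static size_t der_tlv(const uint8_t *p, size_t avail, uint8_t *tag, size_t *len) {
    size_t hdr = 2, n, i;
    if (avail < 2) return 0;
    *tag = p[0]; *len = p[1];
    if (p[1] & 0x80) {                           /* long form: low 7 bits = count of length bytes */
        n = p[1] & 0x7F;
        if (n == 0 || n > 4 || avail < 2 + n) return 0;
        for (*len = 0, i = 0; i < n; i++) *len = (*len << 8) | p[2 + i];
        hdr = 2 + n;
    }
    return *len <= avail - hdr ? hdr : 0;        /* the value must fit inside the buffer */
}

/* Copy a string value into a NUL-terminated buffer, enforcing the SIZE bound. */
static int der_copy_str(char *dst, size_t cap, const uint8_t *v, size_t len) {
    if (len == 0 || len >= cap) return -1;
    memcpy(dst, v, len); dst[len] = '\0';
    return 0;
}

/* Find the n-th child tagged `want` in a SEQUENCE body: 1 found, 0 absent, -1 malformed. */
static int seq_find(const uint8_t *p, size_t len, uint8_t want, int n,
                    const uint8_t **v, size_t *vl) {
    size_t off, hdr, l; uint8_t tag;
    for (off = 0; off < len; off += hdr + l) {
        if (!(hdr = der_tlv(p + off, len - off, &tag, &l))) return -1;
        if (tag == want && --n == 0) { *v = p + off + hdr; *vl = l; return 1; }
    }
    return 0;
}

/* Walk a SEQUENCE OF SEQUENCE body, calling cb on the contents of every element. */
static int walk_seq_of(const uint8_t *p, size_t len,
                       int (*cb)(const uint8_t *, size_t, admission_info *), admission_info *out) {
    size_t off, hdr, l; uint8_t tag;
    for (off = 0; off < len; off += hdr + l)
        if (!(hdr = der_tlv(p + off, len - off, &tag, &l)) || tag != 0x30 ||
            cb(p + off + hdr, l, out)) return -1;
    return 0;
}

/* ProfessionInfo: the first SEQUENCE child is the mandatory professionItems (any string tag is
 * taken as DirectoryString), PrintableString is the optional registrationNumber; [0], a second
 * SEQUENCE (professionOIDs) and the OCTET STRING are ignored. */
static int parse_profession_info(const uint8_t *p, size_t len, admission_info *out) {
    const uint8_t *v; size_t vl, off, hdr, l; uint8_t tag; int r;
    if (seq_find(p, len, 0x30, 1, &v, &vl) != 1) return -1;
    for (off = 0; off < vl; off += hdr + l)
        if (!(hdr = der_tlv(v + off, vl - off, &tag, &l)) || out->n_items >= ADM_MAX_ITEMS ||
            der_copy_str(out->profession_items[out->n_items++], 129, v + off + hdr, l)) return -1;
    if ((r = seq_find(p, len, 0x13, 1, &v, &vl)) < 0) return -1;
    return r && der_copy_str(out->registration_number, 129, v, vl) ? -1 : 0;
}

/* Admissions: [0] admissionAuthority is ignored; [1] EXPLICIT NamingAuthority is unwrapped to
 * its inner SEQUENCE to pick up the IA5String URL; the plain SEQUENCE is professionInfos. */
static int parse_admissions(const uint8_t *p, size_t len, admission_info *out) {
    const uint8_t *v, *u; size_t vl, ul, sl, hdr; uint8_t tag; int r;
    if ((r = seq_find(p, len, 0xA1, 1, &v, &vl)) < 0) return -1;
    if (r) {
        if (!(hdr = der_tlv(v, vl, &tag, &sl)) || tag != 0x30 || hdr + sl != vl) return -1;
        if ((r = seq_find(v + hdr, sl, 0x16, 1, &u, &ul)) < 0) return -1;
        if (r && der_copy_str(out->naming_authority_url, sizeof out->naming_authority_url, u, ul))
            return -1;
    }
    if (seq_find(p, len, 0x30, 1, &v, &vl) != 1) return -1;
    return walk_seq_of(v, vl, parse_profession_info, out);
}

/* Entry point for a raw AdmissionSyntax value. The optional leading admissionAuthority is a
 * context-tagged GeneralName, so the first SEQUENCE child is always contentsOfAdmissions.
 * Returns 0 on success, -1 if the DER is malformed or a mandatory element is missing. */
int parse_admission_syntax(const uint8_t *der, size_t len, admission_info *out) {
    const uint8_t *v; size_t hdr, l, vl; uint8_t tag;
    memset(out, 0, sizeof *out);
    if (!(hdr = der_tlv(der, len, &tag, &l)) || tag != 0x30 || hdr + l != len) return -1;
    if (seq_find(der + hdr, l, 0x30, 1, &v, &vl) != 1) return -1;
    return walk_seq_of(v, vl, parse_admissions, out);
}

/* Parse the sample with `drop` trailing bytes cut off; NULL if rejected (valid until next call). */
const admission_info *demo_parse(size_t drop) {
    static admission_info info;
    return parse_admission_syntax(kAdmissionDer, sizeof kAdmissionDer - drop, &info) ? NULL : &info;
}

int main(void) {
    const admission_info *a = demo_parse(0);
    if (!a) { puts("AdmissionSyntax: malformed"); return 1; }
    printf("profession: %s\nregistration number: %s\nnaming authority: %s\n",
           a->profession_items[0], a->registration_number, a->naming_authority_url);
    return demo_parse(1) == NULL ? 0 : 1;        /* a truncated value must be rejected */
}
```

Inside mod_ssl the same parse_admission_syntax() would be fed ext->value->data and ext->value->length from the X509_EXTENSION found by OID, after the chain itself has been verified; the admission strings are attacker-controlled input until then, which is why every copy is bounded and an empty or oversized string fails the parse instead of being accepted.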