> From: owner-openssl-users On Behalf Of Danyk
> Sent: Monday, November 25, 2013 07:26

> I'm trying to add a custom Extension to a CSR using openssl APIs:
> 
I assume you know 'req' can be configured to create custom extensions 
(if a bit clumsily) but you have reasons for coding it yourself instead.

> struct stack_st_X509_EXTENSION *exts = NULL;
> X509_EXTENSION *ex;
> exts = sk_X509_EXTENSION_new_null();
> ASN1_OCTET_STRING *os = ASN1_OCTET_STRING_new();
> nid = OBJ_create("1.3.6.1.4.1.12345", "End Entry Type", "My End Entry Type");
> ASN1_OCTET_STRING_set(os,(unsigned char*)"critical,5",strlen("critical,5"));

Bad value, see below.

> ex = X509_EXTENSION_create_by_NID( NULL, nid, 0, os );
> sk_X509_EXTENSION_push(exts, ex);
> X509_REQ_add_extensions(x, exts);
> 
> When I parse the CSR I see that the extension displayed is actually the OID,
> and not the extension name:
> 
> X509v3 extensions:
>             1.3.6.1.4.1.12345:
>                 critical,5
> 
> Am I adding the extension in the correct way?
> Should I change some setting in the openssl.cnf?
> How can I insert the extension name "End Entry Type" instead of the OID
> "1.3.6.1.4.1.12345"?
> 
You can't put the name in the actual CSR (or cert or CRL) extension.
The extension uses the OID; that's how extensions work.
You need the program that parses and displays to map the OID to the name
the same way your creator program did. If you are using the commandline
'req', that, like all commandlines now (but not before 1.0.0, IIRC), uses
the 'modules' part of the config file, which includes oid_section.
Thus putting your OID(s) in the section named by oid_section (which in
the distro version is [new_oids]) should work. For any other program,
it may depend on the program. Having put your OID(s) in a config file,
you could then use that config file in your program and not need to
explicitly OBJ_create.

You don't want the string "critical,5" as the value. When you use a 
"value" like critical,whatever in a config file, openssl actually sets 
the critical flag and parses whatever for the value. It is the flag 
cert users should use, if your CSR extension ends up in a cert.
Also, the value in an extension is an OCTET STRING containing 
the DER of the value, not the value itself. The openssl config routines 
do this for you, but if you're coding it yourself you need to do it
yourself. 
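To make the last point concrete, here is an added example (not from the thread and not OpenSSL code) that hand-encodes the Extension structure the config routines build for you: the OID from the post, the critical BOOLEAN, and an OCTET STRING whose content is the DER of INTEGER 5, rather than the text "critical,5". The encoders assume values short enough for single-byte DER lengths.

```c
#include <stdint.h>
#include <string.h>

/* Tag-length-value with a short-form length; assumes len < 128, which is
 * all a small extension value needs. Returns the number of bytes written. */
static size_t der_tlv(uint8_t *out, uint8_t tag, const uint8_t *val, size_t len) {
    out[0] = tag;
    out[1] = (uint8_t)len;
    memcpy(out + 2, val, len);
    return 2 + len;
}

/* DER INTEGER for a non-negative value: big-endian, minimal length, with a
 * leading 0x00 when the top bit is set so it is not read as negative. */
size_t der_integer(uint8_t *out, unsigned long v) {
    uint8_t le[sizeof v + 1], be[sizeof v + 1];
    size_t n = 0;
    do { le[n++] = (uint8_t)(v & 0xff); v >>= 8; } while (v);
    if (le[n - 1] & 0x80) le[n++] = 0x00;
    for (size_t i = 0; i < n; i++) be[i] = le[n - 1 - i];
    return der_tlv(out, 0x02, be, n);
}

/* DER OBJECT IDENTIFIER from dotted arcs: first two arcs combine as 40*a+b,
 * later arcs are base-128 with the continuation bit on all but the last byte. */
size_t der_oid(uint8_t *out, const unsigned *arcs, size_t count) {
    uint8_t body[64], tmp[5];
    size_t n = 0, k;
    body[n++] = (uint8_t)(arcs[0] * 40 + arcs[1]);
    for (size_t i = 2; i < count; i++) {
        unsigned a = arcs[i];
        k = 0;
        do { tmp[k++] = a & 0x7f; a >>= 7; } while (a);
        while (k--) body[n++] = tmp[k] | (k ? 0x80 : 0x00);
    }
    return der_tlv(out, 0x06, body, n);
}

/* Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue
 * OCTET STRING }. extnValue wraps the DER of the value; criticality is the BOOLEAN. */
size_t der_extension(uint8_t *out, const unsigned *arcs, size_t count,
                     int critical, unsigned long value) {
    static const uint8_t der_true = 0xff;
    uint8_t body[96], inner[16];
    size_t n = der_oid(body, arcs, count);
    if (critical) n += der_tlv(body + n, 0x01, &der_true, 1);   /* omitted when FALSE */
    size_t ilen = der_integer(inner, value);                     /* e.g. 02 01 05 */
    n += der_tlv(body + n, 0x04, inner, ilen);                   /* 04 03 02 01 05 */
    return der_tlv(out, 0x30, body, n);
}
```

With the OpenSSL API the same bytes come from ASN1_INTEGER_set() plus i2d_ASN1_INTEGER() for the inner value, ASN1_OCTET_STRING_set() on that DER buffer, and X509_EXTENSION_create_by_NID(NULL, nid, 1, os), where the third argument (not the value string) sets the critical flag.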



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org