So this leads to the next question:
How do I teach OpenSSL the format of the value for a custom extension without
writing code?
I have been poring over man pages and I don’t find anything obvious.
Robert
> On Aug 11, 2015, at 2:24 PM, Wim Lewis <w...@omnigroup.com> wrote:
>
> On Aug 11, 2015, at 9:24 AM, Robert Sandilands <rsand...@netscape.net> wrote:
>> I am trying to build a certificate request with a custom OID and it is
>> encoding strange characters in the certificate.
>>
>> For example I specify the following line in the .cnf file:
>> bla_policy = ASN1:PRINTABLESTRING:blabla
>> Then I get the following when I dump the csr:
>> 1.2.3.4.5.6.7:
>> ..blabla
>
> This is because openssl doesn't know the format of the value of your custom
> extension.
>
> Running the result of your script through asn1parse shows the extension
> section like this (snipped some entries for brevity):
>
> 417:d=3 hl=2 l= 93 cons: SEQUENCE
> 419:d=4 hl=2 l= 9 prim: OBJECT :Extension Request
> 430:d=4 hl=2 l= 80 cons: SET
> 432:d=5 hl=2 l= 78 cons: SEQUENCE
> 434:d=6 hl=2 l= 12 cons: SEQUENCE
> 436:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
> 441:d=7 hl=2 l= 1 prim: BOOLEAN :255
> 444:d=7 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:3000
> 448:d=6 hl=2 l= 11 cons: SEQUENCE
> 450:d=7 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
> 455:d=7 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030203F8
> 492:d=6 hl=2 l= 18 cons: SEQUENCE
> 494:d=7 hl=2 l= 6 prim: OBJECT :1.2.3.4.5.6.7
> 502:d=7 hl=2 l= 8 prim: OCTET STRING [HEX
> DUMP]:1306626C61626C61
>
>
> Notice that the "value" of each constraint is an OCTET STRING, regardless of
> its type. (The BOOLEAN field in the basic constraints extension is the
> Critical flag.) As is usual with X.500 stuff, tracking down the actual
> definition of this field is a pain, but you can find it in the PKIX
> RFC3280/5280 (via PKCS#10/RFC2986 and PKCS#9/RFC2985):
>
> Extension ::= SEQUENCE {
> extnID OBJECT IDENTIFIER,
> critical BOOLEAN DEFAULT FALSE,
> extnValue OCTET STRING }
>
> If you ask asn1parse to dump just the contents of your extension, you'll see
> exactly the PRINTABLESTRING which you requested:
>
> % openssl asn1parse -i -offset 504 -length 8 -in test.csr
> 0:d=0 hl=2 l= 6 prim: PRINTABLESTRING :blabla
>
>
> The two bytes, 13 06, are the DER encoding of a 6-byte string (13 contains
> the tag and class, indicating in this case PRINTABLESTRING, and 06 is the
> length in bytes of the string which follows). Similarly, the basicConstraints
> value is an empty (0-length) SEQUENCE because all of its contents have the
> default values and are omitted; and the keyUsage value is a BIT STRING
> (tag=3, length=0x02, number of unused bits = 0x03, bits=0x1F once you remove
> the padding) with a bitmap of the selected constraints. extendedKeyUsage,
> which I snipped, is a SEQUENCE of OIDs.
>
> If this is a custom extension, you can define its contents to be whatever you
> like. The standardized extensions I know about are all DER-encoded values,
> but I don't think that's an actual requirement.
>
>
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
