Hi,

Tried this but no luck, it's not reading the serial from the CSR.


-----Original Message-----
From: Oliver Welter <m...@oliwel.de> 
Sent: Wednesday, February 21, 2024 1:26 PM
To: openxpki-users@lists.sourceforge.net
Subject: Re: [OpenXPKI-users] Profile with serialNumber and custom extensions

Hi Henri,

my fault - serialNumber is not in the "registered RDN" list for the template
parser shortcuts, it should work with

preset: '[% serialNumber.0 %]'

best regards

Oliver

On 20.02.24 15:33, henri.sunde...@iki.fi wrote:
> I tried that, but it does not work.
> Using the template with preset as set below, it fills serialNumber 
> field with value "serialNumber". Certificate profile is same as I 
> presented before. This sounds like a bug - maybe it tries to take key 
> instead its value?
>
>
> serial.yaml:
> id: serialNumber
> label: serialNumber
> description: Serial Number
> preset: serialNumber
> type: text
> width: 40
> placeholder: 0000
>
>
>
>
> -----Original Message-----
> From: Oliver Welter <m...@oliwel.de>
> Sent: Monday, February 19, 2024 10:21 AM
> To: openxpki-users@lists.sourceforge.net
> Subject: Re: [OpenXPKI-users] Profile with serialNumber and custom extensions
>
> Hello Henri,
>
> you have to use "serialNumber" as preset also, SN is the "Surname" OID 
> :)
>
> For the second part - you can turn on the "copy extension" flag but as 
> outlined in the comment this copies ANYTHING from the request so this 
> requires a certain portion of control on CSR generation and a very 
> good validation as you otherwise might sign things you do not expect to.
>
> The other option requires a modification of the workflow and the use 
> of OpenXPKI::Server::Workflow::Activity::Tools::AddCertExtension, 
> likely with some magic around to build the right content - or an 
> upgrade to the enterprise edition which comes with a templating 
> mechanism and some other nice features around profile based extensions.
>
> best regards
>
> Oliver
>
> On 15.02.24 20:14, henri.sunde...@iki.fi wrote:
>> I'm trying to make a new certificate profile, with this kind of
>> requirements:
>> - Subject shall have serialNumber field, which is copied from CSR
>> - Extensions shall have a custom OID field with custom bit stream 
>> data, which is copied from CSR
>>
>> I haven't been able to get any of that working. I added to templates
>> serial.yaml:
>> --
>> id: serialNumber
>> label: serialNumber
>> description: Serial Number
>> preset: SN.0
>> type: text
>> width: 40
>> placeholder: 0000
>> --
>> And I made new profile like this:
>> --
>> # The name of the file equals the name of the profile
>> label: License
>>
>> # digest to use
>> digest: sha256
>>
>> style:
>>       00_basic_style:
>>           label: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_LABEL
>>           description: I18N_OPENXPKI_UI_PROFILE_BASIC_STYLE_DESC
>>           # Define which input fields you want on the UI
>>           # Just put their names here and define them at the end
>>           # in the "template" section.
>>           # You can also use the template names found in the
>>           # template.yaml file, if you duplicate a name, the
>>           # local definition gets precedence.
>>           ui:
>>               subject:
>>                   - hostname
>>                   - serial
>>                   - o
>>                   - c
>>               info:
>>                   - requestor_realname
>>                   - requestor_email
>>                   - owner_contact
>>                   - comment
>>
>>           # Subject is evaluated by template toolkit with the input data from the ui.subject fields
>>           # Note: Fields which have max > 1 are always passed as array
>>           subject:
>>               dn: CN=[% hostname %],serialNumber=[% serial %]
>>           # You can use the fields from ui.subject here
>>
>>           # this is attached to the certificate, all fields from ui can be used
>>           metadata:
>>               requestor: "[% requestor_realname %]"
>>               email: "[% requestor_email %]"
>>               owner_contact: "[% owner_contact || requestor_email %]"
>>               entity: "[% hostname FILTER lower %]"
>>
>>
>>       # A standard template used from the automated enrollment workflows
>>       enroll:
>>           subject:
>>               # All RDNs from the PKCS10 containers DN are available here
>>               # Items from the SAN section are also available here
>>               # Note that all items are always arrays, for the SAN the pipe is
>>               # used as separator character to split individual items later
>>               dn: CN=[% CN.0 %],serialNumber=[% SN.0 %]
>>
>>
>>           # metadata source items added via the "params" section of the
>>           # PersistMetadata action in the workflow are available in data
>>           # DN/SAN parts are available as defined above
>>           metadata:
>>               system_id: "[% data.cust_id %]"
>>               server_id: "[% data.server_id %]"
>>               entity: "[% CN.0.replace(':.*','') FILTER lower %]"
>>
>>           # Consumed by RenderExtensions to add extra extensions
>>           extension:
>>               securityIdentifier: '[% ext.sid %]'
>>               certificateTemplateName: '[% ext.template_name %]'
>>               certificateTemplate:
>>                 - '[% ext.template.oid %]'
>>                 - '[% ext.template.major %]'
>>                 - '[% ext.template.minor %]'
>>
>> # Profile extensions - set 0/1 as needed
>> extensions:
>>       # Enable this to copy extensions from the CSR to the Certificate
>>       # THIS MIGHT BE DANGEROUS, see copy_extensions of openssl ca command
>>       # For security reasons this can NOT be set in default.yaml
>>       copy: copy
>>
>>       basic_constraints:
>>           critical: 1
>>           ca: 0
>>           # only relevant with ca = 1
>>           path_length: 0
>>
>>       key_usage:
>>           critical: 0
>>           digital_signature: 0
>>           non_repudiation:   1
>>           key_encipherment:  0
>>           data_encipherment: 0
>>           key_agreement:     0
>>           key_cert_sign:     0
>>           crl_sign:          0
>>           encipher_only:     0
>>           decipher_only:     0
>>
>>       extended_key_usage:
>>           critical: 0
>>           # these are OIDs, some OIDs are known and have names
>>           client_auth:      0
>>           server_auth:      0
>>           email_protection: 0
>>           code_signing:     0
>>           time_stamping:    0
>>           ocsp_signing:     0
>>           # Any other oid can be given by number
>>           1.3.6.1.4.1.311.20.2.2: 0
>>
>>
>>       subject_key_identifier:
>>           critical: 0
>>           hash: 1
>>
>>       authority_key_identifier:
>>           critical: 0
>>           keyid:  1
>>           issuer: 1
>>
>>       issuer_alt_name:
>>           critical: 0
>>           copy: 0
>>
>>       crl_distribution_points:
>>           critical: 0
>>           # uri can be scalar or list
>>           uri:
>>               - http://localhost/cacrl.crt
>>               - ldap://localhost/cn=[% ISSUER.CN.0 %],dc=OpenXPKI,dc=org
>>
>>       authority_info_access:
>>           critical: 0
>>           # ca_issuers and ocsp can be scalar or list
>>           ca_issuers: http://localhost/cacert.cer
>>           ocsp: http://ocsp.openxpki.org/
>>
>>       oid:
>>           1.2.3.4.5.6:
>>               critical: 1
>>               copy: 1
>> # end of extensions
>>
>> # Define the input fields you used below here
>> #template:
>> --
>>
>> The CSR looks like this:
>> --
>>
>> Certificate Request:
>>       Data:
>>           Version: 1 (0x0)
>>           Subject: CN=Device01, O=xxxx inc/serialNumber=1234567
>>           Subject Public Key Info:
>>               Public Key Algorithm: id-ecPublicKey
>>                   Public-Key: (384 bit)
>>                   pub:
>>                       xxxx
>>                   ASN1 OID: secp384r1
>>                   NIST CURVE: P-384
>>           Attributes:
>>               Requested Extensions:
>>                   1.2.3.4.5.6: critical
>>                       xxxxxx
>>       Signature Algorithm: ecdsa-with-SHA256
>>       Signature Value:
>>           xxxx
>>
>> --
>>
>>
>> So far I've only tried the manual workflow. I can see it loads the 
>> serial.yaml since it puts the placeholder data and labels in there, 
>> but the serialnumber data from CSR is not filled.
>> For the custom OID I'm not that far yet since it fails to the serial.
>>
>> Any idea what should be changed? Is the serial number even properly 
>> supported?
>>
>>
>> //HS
>>
>>
>>
>>
>>
>> _______________________________________________
>> OpenXPKI-users mailing list
>> OpenXPKI-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>>
> --
> Protect your environment -  close windows and adopt a penguin!
>
--
Protect your environment -  close windows and adopt a penguin!
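An added illustration, not code from the thread or from OpenXPKI: `SN` is the surname attribute (OID 2.5.4.4) while `serialNumber` is OID 2.5.4.5, which is why an `SN.0` preset finds nothing in a CSR whose subject carries only serialNumber. The pure-Python decoder below walks a DER-encoded subject Name (the second element of a PKCS#10 CertificationRequestInfo) into per-attribute lists keyed like the template shortcuts, so a profile author can confirm which RDN a device's CSR actually contains before relying on a preset; the sample Name bytes are hand-constructed to match the subject shown in the thread.

```python
# Added example (not OpenXPKI code): decode a DER X.501 Name into per-attribute
# lists keyed by the short names template shortcuts use. In a PKCS#10 CSR this
# Name is the second element of CertificationRequestInfo.
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O",
             "2.5.4.4": "SN",             # surname, not the serial number
             "2.5.4.5": "serialNumber"}

def _tlv(buf, pos):
    # Read one DER tag-length-value at pos; return (tag, value, next_pos).
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _oid(b):
    # Decode OID content octets to dotted form.
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def parse_name(der):
    # Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value ANY }
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("subject is not a SEQUENCE")
    out, pos = {}, 0
    while pos < len(body):
        _, rdn, pos = _tlv(body, pos)               # one RDN (SET)
        p = 0
        while p < len(rdn):
            _, atv, p = _tlv(rdn, p)                # AttributeTypeAndValue
            _, oid, q = _tlv(atv, 0)
            _, val, _ = _tlv(atv, q)                # Printable/UTF8/IA5 decode as UTF-8
            key = OID_NAMES.get(_oid(oid), _oid(oid))
            out.setdefault(key, []).append(val.decode("utf-8"))
    return out

def template_value(name, key, idx=0):
    # Mimic a [% key.idx %] lookup: empty string when that RDN is absent.
    vals = name.get(key, [])
    return vals[idx] if idx < len(vals) else ""
# Constructed sample (hand-encoded DER): CN=Device01, O=xxxx inc, serialNumber=1234567
SAMPLE_SUBJECT = bytes.fromhex(
    "3038" "3111300f06035504030c084465766963653031"
    "3111300f060355040a0c087878787820696e63" "3110300e0603550405130731323334353637"
)
```

`template_value(parse_name(SAMPLE_SUBJECT), "SN")` yields an empty string while the `serialNumber` key holds `1234567`, mirroring the empty field seen with the `SN.0` preset.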