Re: ASN1_generate_v3: reading X509 extension via the API

2014-01-18 Thread Graham Leggett
On 18 Jan 2014, at 2:25 PM, "Dr. Stephen Henson" wrote:

> Have a look at demos/x509/mkcert.c

I eventually found it was as simple as this:

*extension = X509V3_EXT_conf(NULL, NULL, (char *)name, (char *)val);

What threw me was whether it was ok to pass NULL or not (it is).

Regards,
Graham
--

__
OpenSSL Project                 http://www.openssl.org
User Support Mailing List       openssl-users@openssl.org
Automated List Manager          majord...@openssl.org


Re: ASN1_generate_v3: reading X509 extension via the API

2014-01-18 Thread Dr. Stephen Henson
On Sat, Jan 18, 2014, Graham Leggett wrote:

> 
> Some more digging and I still can't find how openssl parses extensions.
> 
> Reverse engineering the code, it appears that ASN1_generate_v3() expects to
> be passed a parameter string that is a name value pair separated with a
> colon, which the string "nonRepudiation" isn't.
> 
> I tried passing the string "OID:1.3.6.1.5.5.7.3.2" for the extendedKeyUsage
> extension, and ASN1_generate_v3() goes through the motions, but the client
> side complains that the extendedKeyUsage value in the generated certificate
> is invalid.
> 
> Can anyone explain what the correct sequence of API calls should be to
> convert "nonRepudiation" and "clientAuth" into something that openssl can
> add as an extension to a certificate?
> 

Have a look at demos/x509/mkcert.c

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: ASN1_generate_v3: reading X509 extension via the API

2014-01-18 Thread Graham Leggett
On 18 Jan 2014, at 4:09 AM, Graham Leggett wrote:

> I am trying to load the name and value of an X509 extension programmatically 
> via the API (in other words, the openssl.cnf file isn't being used), and I am 
> struggling with openssl telling me that the tag doesn't exist.
> 
> The extension I want to load has the name "keyUsage" and value 
> "nonRepudiation,digitalSignature,keyEncipherment", and the error I get looks 
> like this:
> 
> 139684350600856:error:0D0B10C2:asn1 encoding routines:ASN1_CB:unknown 
> tag:asn1_gen.c:303:tag=nonRepudiation,digitalSignature,keyEncipherment

Some more digging and I still can't find how openssl parses extensions.

Reverse engineering the code, it appears that ASN1_generate_v3() expects to be 
passed a parameter string that is a name value pair separated with a colon, 
which the string "nonRepudiation" isn't.

I tried passing the string "OID:1.3.6.1.5.5.7.3.2" for the extendedKeyUsage 
extension, and ASN1_generate_v3() goes through the motions, but the client side 
complains that the extendedKeyUsage value in the generated certificate is 
invalid.

Can anyone explain what the correct sequence of API calls should be to convert 
"nonRepudiation" and "clientAuth" into something that openssl can add as an 
extension to a certificate?

Regards,
Graham
--



ASN1_generate_v3: reading X509 extension via the API

2014-01-17 Thread Graham Leggett
Hi all,

I am trying to load the name and value of an X509 extension programmatically 
via the API (in other words, the openssl.cnf file isn't being used), and I am 
struggling with openssl telling me that the tag doesn't exist.

The extension I want to load has the name "keyUsage" and value 
"nonRepudiation,digitalSignature,keyEncipherment", and the error I get looks 
like this:

139684350600856:error:0D0B10C2:asn1 encoding routines:ASN1_CB:unknown 
tag:asn1_gen.c:303:tag=nonRepudiation,digitalSignature,keyEncipherment

The code that is trying to load in the extension looks like this:

#include <openssl/asn1.h>
#include <openssl/objects.h>

ASN1_OBJECT *obj;
ASN1_TYPE *type;

/* find the name of the extension */
if (!(obj = OBJ_txt2obj(name, 0))) {
    /* error handler, this works fine when name has value "keyUsage" */
}

type = ASN1_generate_v3((char *)val, NULL);
if (type == NULL) {
    /* we bomb out here with val as
       "nonRepudiation,digitalSignature,keyEncipherment" */
}

When I initialise openssl, I run the following two functions:

OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();

Can anyone shed some light on what I might be doing wrong?

The code above was obtained by reverse engineering openssl itself; what is 
throwing me is that I can't see how openssl understands the words 
"nonRepudiation,digitalSignature,keyEncipherment" when my code doesn't.

Regards,
Graham
--

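Added example, not from this thread and not OpenSSL's own code: the DER that the two extension values discussed above have to carry, encoded by hand in Python with no OpenSSL dependency, so the failure modes in the thread can be seen on the bytes. ASN1_generate_v3() reads its argument as "type:value", so a string with no colon such as "nonRepudiation,digitalSignature,keyEncipherment" is taken as a type name and reported as an unknown tag; and "OID:1.3.6.1.5.5.7.3.2" yields a lone OBJECT IDENTIFIER, whereas RFC 5280 defines extendedKeyUsage as a SEQUENCE OF OBJECT IDENTIFIER, which is why a client rejects that value. X509V3_EXT_conf(), the call Graham settled on, goes through the extension-specific parsers that turn the comma-separated names into these structures. Bit positions and OIDs below are taken from RFC 5280; the function names, the EKU name table and the sample inputs are the example's own.

```python
# Constructed example: hand-encode the DER for two X.509 v3 extension
# values (helpers and sample inputs are this example's own, not OpenSSL's).

# RFC 5280 KeyUsage named bits; bit 0 is the most significant bit of the
# first content octet, per the ASN.1 BIT STRING named-bit convention.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}

# RFC 5280 extended key usage purposes (id-kp arc 1.3.6.1.5.5.7.3).
EKU_OIDS = {
    "serverAuth": "1.3.6.1.5.5.7.3.1",
    "clientAuth": "1.3.6.1.5.5.7.3.2",
    "codeSigning": "1.3.6.1.5.5.7.3.3",
    "emailProtection": "1.3.6.1.5.5.7.3.4",
}


def der_tlv(tag, content):
    """Wrap content in a DER tag-length-value (short or long length form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + content


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def encode_named_bits(positions):
    """BIT STRING for a named-bit list; DER drops trailing zero bits."""
    if not positions:
        return der_tlv(0x03, b"\x00")
    nbits = max(positions) + 1
    buf = bytearray((nbits + 7) // 8)
    for p in positions:
        buf[p // 8] |= 0x80 >> (p % 8)
    unused = len(buf) * 8 - nbits
    return der_tlv(0x03, bytes([unused]) + bytes(buf))


def key_usage_der(value):
    """Encode a keyUsage value such as "nonRepudiation,digitalSignature"."""
    names = [n.strip() for n in value.split(",")]
    return encode_named_bits({KEY_USAGE_BITS[n] for n in names})


def extended_key_usage_der(value):
    """Encode extendedKeyUsage: SEQUENCE OF OBJECT IDENTIFIER (RFC 5280)."""
    purposes = [p.strip() for p in value.split(",")]
    oids = [EKU_OIDS.get(p, p) for p in purposes]  # names or dotted OIDs
    return der_tlv(0x30, b"".join(encode_oid(o) for o in oids))


def bare_oid_der(dotted):
    """What a generic "OID:1.3.6.1.5.5.7.3.2" type:value string produces:
    a lone OBJECT IDENTIFIER, not the SEQUENCE the extension requires."""
    return encode_oid(dotted)


def _read_tlv(buf, pos):
    """Read one TLV at pos; returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        size = length & 0x7F
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    return tag, buf[pos:pos + length], pos + length


def is_valid_eku(der):
    """Structural check a verifier applies: a SEQUENCE of one or more OIDs."""
    try:
        tag, content, end = _read_tlv(der, 0)
        if tag != 0x30 or end != len(der) or not content:
            return False
        pos = 0
        while pos < len(content):
            tag, _, pos = _read_tlv(content, pos)
            if tag != 0x06:
                return False
        return pos == len(content)
    except IndexError:
        return False


if __name__ == "__main__":
    print(key_usage_der("nonRepudiation,digitalSignature,keyEncipherment").hex())
    print(extended_key_usage_der("clientAuth").hex())
    print(is_valid_eku(bare_oid_der("1.3.6.1.5.5.7.3.2")))
```

Running it shows the keyUsage value as a four-byte BIT STRING with five unused bits and the extendedKeyUsage value as a SEQUENCE wrapping the clientAuth OID; the bare OID fails the structural check, which is the same mismatch the client in the thread reported as an invalid extendedKeyUsage.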