Re: Building a DER sequence
On 7/3/2019 4:30 PM, Viktor Dukhovni wrote:
> On Jul 3, 2019, at 2:41 PM, Ken Goldman wrote:
>> That link points to the X509_dup page. It doesn't explain how to
>> build a DER sequence, does it?
>
> The documentation is incomplete, and much RTFS is required, but it
> and code pointers should get you started.

Here's what I have today.

I have a STACK_OF(ASN1_TYPE) to which I have added the issuer, validity, and subject. I can get the DER with i2d_ASN1_SEQUENCE_ANY.

I have a STACK_OF(X509_EXTENSION) to which I have added several extensions.

Questions:

1 - Is there an API sequence to add the extension STACK to the asn1_type STACK?

2 - If not, is there an API sequence to get the DER for the extension STACK? If so, I can append it and adjust the overall length.

3 - Is there a way to get the extension DER from a standard X509 certificate? If so, I can create it and pull out what I need.

4 - I'm trying to create DER that includes only issuer, validity, subject, and extensions. It's not a standard X509 certificate. Is there a better way?
Re: Building a DER sequence
On Jul 3, 2019, at 2:41 PM, Ken Goldman wrote:
> That link points to the X509_dup page. It doesn't explain how to
> build a DER sequence, does it?

The documentation is incomplete, and much RTFS is required, but it and code pointers should get you started.

-- 
Viktor.
Re: Building a DER sequence
On 7/1/2019 6:03 PM, Viktor Dukhovni wrote:
> On Mon, Jul 01, 2019 at 09:40:25PM +, Salz, Rich via openssl-users wrote:
>>> I see those macros, but ... is there any documentation?
>>
>> No.
>
> There's a high-level overview at:
>
> https://www.openssl.org/docs/manmaster/man3/X509_dup.html

That link points to the X509_dup page. It doesn't explain how to build a DER sequence, does it?
Re: Building a DER sequence
On 7/1/2019 5:19 PM, Viktor Dukhovni wrote:
> On Jun 25, 2019, at 10:59 AM, Ken Goldman wrote:
>> I have to build a DER byte stream for a sequence containing:
>>
>> algorithm ID
>> issuer
>> validity
>> subject name
>> extensions
>>
>> What is the general approach?
>
> See for example:
>
> https://github.com/openssl/openssl/blob/bc42bd6298702a1abf70aa6383d36886dd5af4b3/crypto/x509/x_x509.c#L18-L31

Does the link just point to an array of macros? If so, they don't help without any explanation.
Re: Building a DER sequence
On Mon, Jul 01, 2019 at 09:40:25PM +, Salz, Rich via openssl-users wrote:
>> I see those macros, but ... is there any documentation?
>
> No.

There's a high-level overview at:

https://www.openssl.org/docs/manmaster/man3/X509_dup.html

-- 
Viktor.
Re: Building a DER sequence
> I see those macros, but ... is there any documentation?

No.
Re: Building a DER sequence
On Jun 25, 2019, at 10:59 AM, Ken Goldman wrote:
> I have to build a DER byte stream for a sequence containing:
>
> algorithm ID
> issuer
> validity
> subject name
> extensions
>
> What is the general approach?

See for example:

https://github.com/openssl/openssl/blob/bc42bd6298702a1abf70aa6383d36886dd5af4b3/crypto/x509/x_x509.c#L18-L31

-- 
Viktor.
Re: Building a DER sequence
On 6/26/2019 11:34 AM, Salz, Rich via openssl-users wrote:
>> Do I construct a sequence and add items to it - top down?
>
> No, because then you have to go back and patch the sequence length and perhaps slide everything up or down a couple of bytes.
>
> I would look at an existing simple sequence and start writing your own based on that; look for ASN1_SEQUENCE macros in crypto/x509/x*.c files. Another set of macros will declare the i2d/d2i and PEM functions if needed.

[I'm happy to read if someone can point me to an article, but I haven't found anything.]

I am stuck on the X509 extensions. I.e., with sample certificates, dumpasn1 shows:

[snip]
 453 448: . . [3] {
 457 444: . . . SEQUENCE {
 461  74: . . . . SEQUENCE {
 463   3: . . . . . OBJECT IDENTIFIER subjectAltName (2 5 29 17)
        : . . . . . . (X.509 extension)
[snip]

What's that [3]? Perhaps it means x509v3?

With openssl, it dumps as

X509v3 extensions:
    X509v3 Subject Alternative Name: critical

How do I build the x509v3 extensions item (and convert it to an ASN1_TYPE that I can push on the stack)? That is, I have the sequence using

X509V3_EXT_conf_nid
i2d_X509_EXTENSION
ASN1_STRING_set

but how do I encapsulate that in a [3] and then to an ASN1_TYPE that I can push on the STACK_OF(ASN1_TYPE) stack?

~~

A separate question: I can build an X509_EXTENSION using X509V3_EXT_conf_nid. How would I connect several of them? Would I use STACK_OF(X509_EXTENSION), push the extensions, and then use i2d_something? What's the 'something'?
Re: Building a DER sequence
On 6/26/2019 11:34 AM, Salz, Rich via openssl-users wrote:
>> Do I construct a sequence and add items to it - top down?
>
> No, because then you have to go back and patch the sequence length and perhaps slide everything up or down a couple of bytes.
>
> I would look at an existing simple sequence and start writing your own based on that; look for ASN1_SEQUENCE macros in crypto/x509/x*.c files. Another set of macros will declare the i2d/d2i and PEM functions if needed.

I see those macros, but ... is there any documentation?

What partially worked was

create an X509 item
use i2d to serialize it
ASN1_STRING_set using the DER
build an ASN1_TYPE from the ASN1_STRING with ASN1_TYPE_set
sk_ASN1_TYPE_push

and then i2d_ASN1_SEQUENCE_ANY to get the DER result. The items are X509_NAME and X509_VAL.

Is there a shorter way?
Re: Building a DER sequence
> Do I construct a sequence and add items to it - top down?

No, because then you have to go back and patch the sequence length and perhaps slide everything up or down a couple of bytes.

I would look at an existing simple sequence and start writing your own based on that; look for ASN1_SEQUENCE macros in crypto/x509/x*.c files. Another set of macros will declare the i2d/d2i and PEM functions if needed.
Building a DER sequence
I have to build a DER byte stream for a sequence containing:

algorithm ID
issuer
validity
subject name
extensions

What is the general approach? Is there openssl support for this?

Do I construct a sequence and add items to it - top down?

Or do I construct the items and then make a sequence from it - bottom up?

Or do I place the items in a custom structure and then write the i2d() myself?

Any advice, pointers, or sample code would be welcome.
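As an added example (not code from this thread or from OpenSSL), the bottom-up construction Rich describes and the [3] wrapper Ken asks about: each child is encoded first, the extensions SEQUENCE is wrapped in the context-specific constructed tag [3] (0xA3), and the outer SEQUENCE is written last, so no length ever needs patching. The issuer, validity, subject and extension bytes are constructed placeholders; in OpenSSL they would come from i2d_X509_NAME, i2d_X509_VAL and i2d_X509_EXTENSIONS.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* DER length: short form below 128, otherwise 0x80|k followed by k big-endian bytes.
 * Returns the number of bytes written to out. */
static size_t der_put_len(size_t n, uint8_t *out) {
    if (n < 128) { out[0] = (uint8_t)n; return 1; }
    uint8_t tmp[sizeof n]; size_t k = 0;
    while (n) { tmp[k++] = (uint8_t)(n & 0xff); n >>= 8; }
    out[0] = (uint8_t)(0x80 | k);
    for (size_t i = 0; i < k; i++) out[1 + i] = tmp[k - 1 - i];
    return 1 + k;
}

/* Bytes for tag + length + content; the length field grows with the content, which
 * is why a top-down writer would have to go back and shift bytes afterwards. */
size_t der_tlv_size(size_t clen) {
    uint8_t tmp[1 + sizeof(size_t)];
    return 1 + der_put_len(clen, tmp) + clen;
}

/* Wrap already-encoded content in tag and length. Returns bytes written, 0 if out is too small. */
size_t der_tlv(uint8_t tag, const uint8_t *content, size_t clen, uint8_t *out, size_t cap) {
    size_t total = der_tlv_size(clen);
    if (total > cap) return 0;
    out[0] = tag;
    size_t ll = der_put_len(clen, out + 1);
    memcpy(out + 1 + ll, content, clen);
    return total;
}

/* Constructed sample children, each already DER (in OpenSSL they would come from
 * i2d_X509_NAME, i2d_X509_VAL and i2d_X509_EXTENSIONS): empty Names and Validity, and
 * one Extension { subjectAltName (2 5 29 17), critical TRUE, OCTET STRING { empty SEQUENCE } }. */
static const uint8_t ISSUER[] = {0x30, 0x00}, VALIDITY[] = {0x30, 0x00}, SUBJECT[] = {0x30, 0x00};
static const uint8_t EXTS[] = {0x30, 0x0E, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x11,
                               0x01, 0x01, 0xFF, 0x04, 0x02, 0x30, 0x00};
static uint8_t g_out[64];

/* SEQUENCE { issuer, validity, subject, [3] EXPLICIT Extensions }, built bottom-up:
 * children first, then the [3] wrapper (context 0x80 | constructed 0x20 | 3 = 0xA3),
 * then the outer SEQUENCE (0x30). Returns the total encoded length. */
size_t demo_encode(void) {
    uint8_t body[64]; size_t n = 0;
    memcpy(body + n, ISSUER, sizeof ISSUER);     n += sizeof ISSUER;
    memcpy(body + n, VALIDITY, sizeof VALIDITY); n += sizeof VALIDITY;
    memcpy(body + n, SUBJECT, sizeof SUBJECT);   n += sizeof SUBJECT;
    n += der_tlv(0xA3, EXTS, sizeof EXTS, body + n, sizeof body - n);
    return der_tlv(0x30, body, n, g_out, sizeof g_out);
}
/* Byte i of the last demo_encode() result, or -1 when out of range. */
int demo_byte(size_t i) { return i < sizeof g_out ? g_out[i] : -1; }
```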