Re: Adding OIDs
hello everyone,

I tried to add an OID in objects.txt in this way:

    X509 57 : DUID:DeviceUID

and then compiled using these commands from the objects folder [ /usr/local/src/openssl-1.0.0a/crypto/objects ]:

    # perl objects.pl objects.txt obj_mac.num obj_mac.h

It displayed: Added OID DeviceUID

    # perl obj_dat.pl obj_mac.h obj_dat.h

After that I saw that my new OID had been added in obj_mac.num. I then rebuilt my openssl src from /usr/local/src/openssl-1.0.0a/ using ./configure and make, and restarted my openca and httpd. I followed "generate new CA request" to find my OID in the CA certificate signing request, but I couldn't find it added under the subject field of the certificate request.

Please let me know where I made a mistake. If you find a thread related to this procedure, please share that link with me.

thanks a lot,
aparna

Re: Adding OIDs
hello everyone,

I solved my problem. I made a small mistake in the prefix path. The OID has been added. No problem now.

thanks,
aparna

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: Adding OIDs
Hi Mag,

Thus wrote Mag (mag...@gmail.com):

> I'm interested in using custom OIDs for private application purposes. I've found the documentation to be deficient. For instance, in openssl.cnf it gives an example line of
>
>     [ new_oids ]
>     #testoid1=1.2.3.4
>
> When I uncomment that line I can't even tell what the effect is; e.g., openssl req ... doesn't then prompt me for a testoid1 field. Just what is the effect of this supposed to be?

I think this only defines a name that you can refer to in the config file, such as

    # testoid2=${testoid1}.5.6

> Amongst my first questions is, when you add OIDs in this manner are you able to use the command line tool to supply values or does this require programmatic construction of certificates? (There's obviously the further question if yes of how the data is typed.)

My understanding is that this requires changes to the source code. Either you add your object to objects.txt and recompile openssl, or you call OBJ_create() from your application.

Others, please correct me if I'm wrong.

Best regards,
Martin
Re: Adding OIDs
Hi Mag,

On Tue, Jun 29, 2010 at 06:43:24PM -0700, Mag wrote:

> I'm interested in using custom OIDs for private application purposes. I've found the documentation to be deficient. For instance, in openssl.cnf it gives an example line of
>
>     [ new_oids ]
>     #testoid1=1.2.3.4
>
> When I uncomment that line I can't even tell what the effect is; e.g., openssl req ... doesn't then prompt me for a testoid1 field. Just what is the effect of this supposed to be?

The effect is that openssl now knows a name for this OID.

If you want a DN entry with this OID, add it as above in [ new_oids ], go to section [ req_distinguished_name ] and add the lines:

    testoid1 = What a great new OID
    testoid1_default = Guess what

Cheers
Christian
RE: Adding OIDs
Hi Mag,

-----Original Message-----
From: Mag

> I'm interested in using custom OIDs for private application purposes. I've found the documentation to be deficient. For instance, in openssl.cnf it gives an example line of
>
>     [ new_oids ]
>     #testoid1=1.2.3.4
>
> When I uncomment that line I can't even tell what the effect is; e.g., openssl req ... doesn't then prompt me for a testoid1 field. Just what is the effect of this supposed to be?

That line only defines the label testoid1 and assigns the value 1.2.3.4. To use a private OID, you have to define its ASN.1 structure first. Afterwards you can include it in your request or certificate by referencing it in the appropriate config file section. If you defined a label, you can reference it by that name; otherwise you just use the dotted notation.

> Amongst my first questions is, when you add OIDs in this manner are you able to use the command line tool to supply values or does this require programmatic construction of certificates? (There's obviously the further question if yes of how the data is typed.)

Yes, of course those defines are picked up by the command line tools. For an example, check last month's archive for the thread "Private Key Usage Period".

HTH,
Patrick Eisenacher
Re: Adding OIDs
On Wed, Jun 30, 2010, Christian Hohnstaedt wrote:

> Hi Mag,
>
> On Tue, Jun 29, 2010 at 06:43:24PM -0700, Mag wrote:
>
> > I'm interested in using custom OIDs for private application purposes. I've found the documentation to be deficient. For instance, in openssl.cnf it gives an example line of
> >
> >     [ new_oids ]
> >     #testoid1=1.2.3.4
> >
> > When I uncomment that line I can't even tell what the effect is; e.g., openssl req ... doesn't then prompt me for a testoid1 field. Just what is the effect of this supposed to be?
>
> The effect is that openssl now knows a name for this OID.
>
> If you want a DN entry with this OID, add it as above in [ new_oids ], go to section [ req_distinguished_name ] and add the lines:
>
>     testoid1 = What a great new OID
>     testoid1_default = Guess what

Just to add a brief clarification, as this thread has answered most of the issues already.

If you want a DN component then the above syntax is fine. OpenSSL will use a DirectoryString for the component if nothing else is defined internally, which will happen in this case.

If you want an extension then you need to make use of the mini-ASN1 compiler to add the appropriate fields. Note that if you add a new OID name in this way it only affects that instance of OpenSSL: other applications and other instances of OpenSSL will still display the numeric version of the OID, and they won't display the fields of an extension as they don't know how to parse and display it.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Adding OIDs
Hi Patrick, all,

thanks for correcting my assumptions.

Thus wrote Eisenacher, Patrick (patrick.eisenac...@bdr.de):

> That line only defines the label testoid1 and assigns the value 1.2.3.4. To use a private OID, you have to define its ASN.1 structure first. Afterwards you can include it in your request or certificate by referencing it in the appropriate config file section. If you defined a label, you can reference it by that name; otherwise you just use the dotted notation.
>
> > Amongst my first questions is, when you add OIDs in this manner are you able to use the command line tool to supply values or does this require programmatic construction of certificates? (There's obviously the further question if yes of how the data is typed.)
>
> Yes, of course those defines are picked up by the command line tools.

Now I understand that the OID definitions in the config file are not just used internally (for defining extensions etc.) but are picked up by the command line tools. Is it correct that only req and ca use the OID definitions and others like x509 don't?

I generated a certificate request and a test certificate with an extension that has the OID 1.2.3.4 and defined

    [ new_oids ]
    myNewLabel = 1.2.3.4

in openssl.cnf.

    openssl req -in myReq.pem -noout -text

shows the name myNewLabel when it displays the extension.

    openssl x509 -in myCert.pem -noout -text

shows only the numeric representation. In this case, I'd really need to modify the sources to make openssl display the name.

Is my understanding correct or am I missing something?

Thanks,
Martin
RE: Adding OIDs
Hi Martin,

-----Original Message-----
From: Martin Kaiser

> Now I understand that the OID definitions in the config file are not just used internally (for defining extensions etc.) but are picked up by the command line tools. Is it correct that only req and ca use the OID definitions and others like x509 don't?

I'd expect them to be picked up by every command line tool that you can feed a config file. Since x509 has no option for feeding in the config file, it doesn't know about the definitions you made there. As such, it can only give you the numerical representation, as you have already witnessed.

A wild guess: have you checked whether the -extfile option gets evaluated for displaying purposes as well?

Patrick Eisenacher
Re: Adding OIDs
On Wed, Jun 30, 2010, Eisenacher, Patrick wrote:

> Hi Martin,
>
> -----Original Message-----
> From: Martin Kaiser
>
> > Now I understand that the OID definitions in the config file are not just used internally (for defining extensions etc.) but are picked up by the command line tools. Is it correct that only req and ca use the OID definitions and others like x509 don't?
>
> I'd expect them to be picked up by every command line tool that you can feed a config file. Since x509 has no option for feeding in the config file, it doesn't know about the definitions you made there. As such, it can only give you the numerical representation, as you have already witnessed.
>
> A wild guess: have you checked whether the -extfile option gets evaluated for displaying purposes as well?

Note that there are two separate ways to add OIDs. The recommended way is via the ASN1 OBJECT configuration module; documentation is here:

http://www.openssl.org/docs/apps/config.html#

Any application supporting configuration modules will then see the new definitions (including *all* the openssl utilities). Even if the openssl utility doesn't have an option to specify a configuration file, you can either modify the default configuration file or set the OPENSSL_CONF environment variable to specify an alternative.

The alternative older oid_section form is retained for compatibility but is only supported by ca and req and no other applications (unless they explicitly include code to support it).

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Adding OIDs
Thanks for the various replies.

On Wed, Jun 30, 2010 at 4:26 AM, Dr. Stephen Henson st...@openssl.org wrote:

> If you want an extension then you need to make use of the mini-ASN1 compiler to add the appropriate fields. Note that if you add a new OID name in this way it only affects that instance of OpenSSL: other applications and other instances of OpenSSL will still display the numeric version of the OID, and they won't display the fields of an extension as they don't know how to parse and display it.

Yes, I should've clarified this originally: I want to add extensions a la the Extensions type. I did try out the form of adding new OIDs to the distinguished name(s) and that seems to work ok, but can you elaborate on what you mean by using the mini-ASN.1 compiler to support new OIDs? As far as I can tell this refers to either generating an ASN.1 encoding via asn1parse -genstr ... or the ASN1_gen_nconf() function.

How are those intended to be integrated in the creation of a certificate? Does this require programmatically constructing the certificates?
Re: Adding OIDs
On Wed, Jun 30, 2010, Mag wrote:

> Thanks for the various replies.
>
> On Wed, Jun 30, 2010 at 4:26 AM, Dr. Stephen Henson st...@openssl.org wrote:
>
> > If you want an extension then you need to make use of the mini-ASN1 compiler to add the appropriate fields. Note that if you add a new OID name in this way it only affects that instance of OpenSSL: other applications and other instances of OpenSSL will still display the numeric version of the OID, and they won't display the fields of an extension as they don't know how to parse and display it.
>
> Yes, I should've clarified this originally: I want to add extensions a la the Extensions type. I did try out the form of adding new OIDs to the distinguished name(s) and that seems to work ok, but can you elaborate on what you mean by using the mini-ASN.1 compiler to support new OIDs? As far as I can tell this refers to either generating an ASN.1 encoding via asn1parse -genstr ... or the ASN1_gen_nconf() function.
>
> How are those intended to be integrated in the creation of a certificate? Does this require programmatically constructing the certificates?

See:

http://www.openssl.org/docs/apps/x509v3_config.html#ARBITRARY_EXTENSIONS

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
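As an added example that is not code from any of the posts, the script below ties together the three recipes in this thread: Steve's recommended ASN1 OBJECT configuration module for registering the name, Christian's req_distinguished_name entry for a DN component, and the ARBITRARY_EXTENSIONS syntax Steve points to for an extension, and then reproduces Martin's observation that openssl x509 prints the name only when the config reaches it (here through OPENSSL_CONF, since x509 has no -config option). It assumes a POSIX shell with a reasonably current openssl on PATH and reuses the thread's testoid1 = 1.2.3.4; the CN and the extension value are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: one config registers the thread's
# testoid1 = 1.2.3.4 through the ASN1 OBJECT configuration module, uses it as
# a DN component and as an arbitrary extension, and "openssl x509" (which has
# no -config option) then resolves the name only when OPENSSL_CONF points here.
set -e

write_oid_config() {          # $1 = path of the config file to write
  cat > "$1" <<'EOF'
openssl_conf = openssl_init
[ openssl_init ]
oid_section = new_oids
[ new_oids ]
testoid1 = 1.2.3.4
[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = cert_ext
[ req_dn ]
CN = example-device
testoid1 = Guess what
[ cert_ext ]
testoid1 = ASN1:UTF8String:Guess what
EOF
}

# Self-signed test certificate. No -config is passed: req takes its [req]
# section from the OPENSSL_CONF file, whose module registration at startup
# is what makes "testoid1" a valid DN field name and extension name.
make_cert() {                 # $1 = config file, $2 = output certificate (PEM)
  OPENSSL_CONF="$1" openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -keyout "$2.key" -out "$2"
}

# Lines of "x509 -text" that print the OID by name (subject, issuer and the
# extension header); with an empty config (/dev/null) only 1.2.3.4 appears.
count_named() {               # $1 = config file or /dev/null, $2 = certificate
  OPENSSL_CONF="$1" openssl x509 -in "$2" -noout -text | grep -c testoid1 || true
}

main() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH" >&2; return 0; }
  d=$(mktemp -d)
  write_oid_config "$d/oid.cnf"
  make_cert "$d/oid.cnf" "$d/cert.pem"
  echo "lines naming testoid1 via the module config: $(count_named "$d/oid.cnf" "$d/cert.pem")"
  echo "lines naming testoid1 via an empty config:   $(count_named /dev/null "$d/cert.pem")"
}
main "$@"
```

Pointing OPENSSL_CONF at the same file for every openssl invocation is what makes the name visible to x509 as well; passing the file only via req -config would leave x509 printing 1.2.3.4, exactly as Martin saw.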