Hello All,

The client piece, in the client/server application I am developing, issues a programmatic certificate signing request. The reason for issue and a list of PC IDs for which the certificate is to be issued are provided outside the request itself. The server, acting here as a CA, constructs the certificate based on information in the certificate request and information from other sources. It needs to include in the final certificate, amongst others, the reason the certificate is being issued and the list of client identifiers for which it is issued. The server uses the following code fragment, based on the selfsign example:
    /* try a custom extension */
    {
        int nid;
        /* x, ex, cReason and cpPCIDsBuf are declared by the surrounding code;
         * err is the error label the selfsign example uses */

        nid = OBJ_create("1.2.3.4", "IssueReason", "Reason for Issue");
        /* display/encode the value like a Netscape Comment, i.e. as an IA5String */
        X509V3_EXT_add_alias(nid, NID_netscape_comment);
        ex = X509V3_EXT_conf_nid(NULL, NULL, nid, cReason);
        if (ex == NULL)
            goto err;
        if (!X509_add_ext(x, ex, -1)) {
            X509_EXTENSION_free(ex);
            goto err;
        }
        X509_EXTENSION_free(ex);          /* X509_add_ext() keeps its own copy */

        nid = OBJ_create("1.2.3.5", "IssuedTo", "Issued to");
        X509V3_EXT_add_alias(nid, NID_netscape_comment);
        ex = X509V3_EXT_conf_nid(NULL, NULL, nid, cpPCIDsBuf);
        if (ex == NULL)
            goto err;
        if (!X509_add_ext(x, ex, -1)) {
            X509_EXTENSION_free(ex);
            goto err;
        }
        X509_EXTENSION_free(ex);
    }

This happily produces the goods. After this code executes the server will, when asked with PEM_write_bio_X509, display a human-readable version of the certificate like:

-------
                    d8:a1:c1:7f:3c:bd:15:fc:fb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
            X509v3 Subject Key Identifier:
                74:85:02:1A:2F:13:D7:52:AC:0A:0A:17:6C:FC:F2:C9:CC:EB:3C:61
            Netscape Cert Type:
                SSL Client, Object Signing
            Netscape Comment:
                OpenSSL Generated Certificate
            Reason for Issue:
                Reason for Issue: The second reason for issue: We are asking for a new certificate at this junction
            Issued to:
                Issued for PC IDs: FRB16155Z50, FRB16155Z50, FRB16155Z50
    Signature Algorithm: md5WithRSAEncryption
        72:c3:4b:53:45:cd:1c:
+++++++

Note the ‘Reason for Issue’ and ‘Issued to’ custom extensions. The extensions are included in the certificate the client gets. The client, when asked with PEM_write_bio_X509 to display a human-readable certificate, shows:
                    e1:44:7c:b9:a2:0f:bf:cc:48:
                    d8:a1:c1:7f:3c:bd:15:fc:fb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
            X509v3 Subject Key Identifier:
                74:85:02:1A:2F:13:D7:52:AC:0A:0A:17:6C:FC:F2:C9:CC:EB:3C:61
            Netscape Cert Type:
                SSL Client, Object Signing
            Netscape Comment:
                OpenSSL Generated Certificate
            1.2.3.4:
                .cReason for Issue: The second reason for issue: We are asking for a new certificate at this junction
            1.2.3.5:
                .8Issued for PC IDs: FRB16155Z50, FRB16155Z50, FRB16155Z50
    Signature Algorithm: md5WithRSAEncryption
        72:c3:4b:53:45:cd:1c:
+++++++

The question I have is what do I need to tell the client so that it can recognise and properly display the custom extensions. I tried the following in the client initialization:
    {
        int nid;

        /* the same OID registrations as on the server side */
        nid = OBJ_create("1.2.3.4", "IssueReason", "Reason for Issue");
        X509V3_EXT_add_alias(nid, NID_netscape_comment);
        nid = OBJ_create("1.2.3.5", "IssuedTo", "Issued to");
        X509V3_EXT_add_alias(nid, NID_netscape_comment);
    }

but that did not help. I tried the same code just before SSL_connect but that too did not help. Any pointers will be greatly appreciated.

TIA

Regards
--
Senior Consultant
SeeBeyond Pty. Ltd.
Ph. +61 2 9263-2700
Follow-ups:
  - RE: Custom v3 extensions   Michael Czapski
  - RE: Custom v3 extensions   Michael Czapski
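The two dumps in the post differ only in presentation, and the client's output actually tells you why. The ".c" and ".8" in front of the client's values are the IA5String tag byte (0x16, printed as a dot because it is non-printable) followed by the length byte: 0x63 is 99, the length of the "Reason for Issue: ..." string, and 0x38 is 56, the length of the "Issued for PC IDs: ..." string. So the bytes in the certificate are exactly what the server's netscape-comment alias produced; the client just has no OID-to-name mapping when it prints. The following is an added worked example, not code from the post or from OpenSSL: it builds the two extensions as DER the way the server side does and decodes them once with the OIDs registered and once without, reproducing both dumps. The `registry` dicts are a stand-in for OBJ_create() plus X509V3_EXT_add_alias(nid, NID_netscape_comment); only that alias (an IA5String payload) is modelled, and the non-critical default is assumed, as in the post. Python standard library only.

```python
# Added example, not code from the post: DER for the two custom extensions,
# decoded with and without the OIDs registered.  The registry dicts stand in
# for OBJ_create() + X509V3_EXT_add_alias(nid, NID_netscape_comment).
# Extensions are assumed non-critical (DEFAULT FALSE, omitted in DER).

# Extension values copied from the certificate dump in the post.
REASON = ("Reason for Issue: The second reason for issue: We are asking for a new "
          "certificate at this junction")
PCIDS = "Issued for PC IDs: FRB16155Z50, FRB16155Z50, FRB16155Z50"

TAG_OCTET_STRING = 0x04
TAG_OID = 0x06
TAG_IA5STRING = 0x16
TAG_SEQUENCE = 0x30


def der_len(n):
    """DER length octets: short form below 128, else 0x80|N followed by N bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + der_len(len(payload)) + payload


def encode_oid(dotted):
    """Dotted OID to DER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def decode_oid(payload):
    arcs = [payload[0] // 40, payload[0] % 40]
    val = 0
    for b in payload[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def encode_extension(oid, text):
    """Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }.
    The netscape-comment alias wraps an IA5String inside the OCTET STRING."""
    inner = tlv(TAG_IA5STRING, text.encode("ascii"))
    return tlv(TAG_SEQUENCE, encode_oid(oid) + tlv(TAG_OCTET_STRING, inner))


def read_tlv(buf, pos=0):
    """Return (tag, payload, position after the element); short and long lengths."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_extension(der, registry):
    """Mirror OpenSSL's print path: a registered OID is shown under its long name
    with the IA5String decoded; an unknown OID is shown dotted with the raw
    OCTET STRING contents, non-printable bytes rendered as '.'."""
    tag, seq, _ = read_tlv(der)
    assert tag == TAG_SEQUENCE
    tag, oid_payload, pos = read_tlv(seq)
    assert tag == TAG_OID
    oid = decode_oid(oid_payload)
    tag, value, _ = read_tlv(seq, pos)
    assert tag == TAG_OCTET_STRING
    if oid in registry:
        inner_tag, text, _ = read_tlv(value)
        assert inner_tag == TAG_IA5STRING
        return registry[oid], text.decode("ascii")
    raw = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in value)
    return oid, raw


SERVER_REGISTRY = {"1.2.3.4": "Reason for Issue", "1.2.3.5": "Issued to"}
CLIENT_REGISTRY = {}                  # the client has no mapping for these OIDs
EXTENSIONS = (("1.2.3.4", REASON), ("1.2.3.5", PCIDS))


def render(registry):
    """Decode both custom extensions as a side holding this registry would."""
    return [decode_extension(encode_extension(oid, txt), registry)
            for oid, txt in EXTENSIONS]


if __name__ == "__main__":
    for label, reg in (("server", SERVER_REGISTRY), ("client", CLIENT_REGISTRY)):
        print(label)
        for name, shown in render(reg):
            print(f"    {name}:\n        {shown}")
```

Running it prints the server view with "Reason for Issue:" / "Issued to:" headings and the client view with "1.2.3.4:" / "1.2.3.5:" headings and the ".c" / ".8" prefixes, matching the two dumps. One caveat for anyone reusing the approach: 1.2.3.4 and 1.2.3.5 are not arcs the application owns, so a real deployment should allocate the extension OIDs under an arc it controls (for instance a registered Private Enterprise Number under 1.3.6.1.4.1) so they cannot collide with anyone else's definitions.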