On Fri, Mar 21, 2003, Aleix Conchillo Flaque wrote:

> First we need to create a new extension identifier (object identifier,
> OID) that will identify the extension. The OID is expressed in OpenSSL
> by the ASN1_OBJECT structure. In OpenSSL we create a new OID like this:
>
> /**
>  * First field is the OID itself, which will be converted to DER
>  * encoding. Next fields are the short and long description of
>  * this OID.
>  * Note that the descriptions will not be included as the
>  * extension identifier, but the DER encoding of the OID.
>  */
> int nid = OBJ_create("1.2.3.4", "TestOID",
>                      "Long description TesT OID");
> ASN1_OBJECT* obj = OBJ_nid2obj(nid);
>
Creating a random OID is a bad idea. You should get a number assigned for
your organisation and use a subtree of that. See:

http://www.iana.org/cgi-bin/enterprise.pl

If you, for example, were allocated the number 9999 you could then use any
OID starting with 1.3.6.1.4.1.9999 such as 1.3.6.1.4.1.9999.1

> Next step is to create our custom X509 extension identified by the OID
> created earlier. The basic fields of an X509 extension are: the OID, a
> boolean saying whether the extension is critical or not, and the
> extension data. When an extension is critical it can not be read by
> applications that do not know anything about it. So in our case we should
> turn it to non-critical. Here is how we create our extension:
>
> /* Create data to be included in the extension */
> ASN1_OCTET_STRING* data = ::ASN1_OCTET_STRING_new();
> ASN1_OCTET_STRING_set(data, "our data", -1);
>

Adding unstructured data to an extension is a violation of the various
standards. What you need to do instead is to add an encoded structure.

In many cases all that is wanted is a simple string. The easiest way to
handle that is to create an 'alias' to an already existing extension such
as Netscape comment which already uses a string. For example with:

X509V3_EXT_add_alias(new_oid, NID_netscape_comment);

After this call the new oid behaves in the same way as Netscape comment and
the standard calls for extension creation can be used (see doc/openssl.txt).

An alternative technique would be to make use of the mini ASN1 compiler in
OpenSSL 0.9.8; this allows the standard configuration files to be used in a
human readable syntax. For example:

1.3.6.1.4.1.9999.1 = ASN1:IA5String:My Extension Value

Some people will not like the idea of using a development version of
OpenSSL in such a way, so instead 0.9.8 can be used to just generate the
encoding and use that in a stable version of OpenSSL such as 0.9.7.

Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
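The reply's two points, an OID under your own enterprise arc and an encoded structure (not raw bytes) inside the extension, come down to two DER values. The following is an added example, not code from the thread or from OpenSSL: it hand-builds those values in plain C with no OpenSSL dependency, so you can see exactly what `OBJ_create()` derives from a dotted string and what the `ASN1:IA5String:...` line produces. The enterprise number 9999 is the reply's placeholder, not a real assignment; `der_oid`, `der_ia5` and `der_extnvalue` are names chosen here.

```c
/* Added example (not from the thread or OpenSSL): hand-encode the DER values
 * behind the reply. 9999 is a placeholder enterprise number, not a real one. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One OID sub-identifier in base-128, high group first, continuation bit on
 * every byte but the last. Returns bytes written. */
static size_t put_subid(unsigned char *out, unsigned long v)
{
    unsigned char tmp[10];
    size_t n = 0;
    do { tmp[n++] = (unsigned char)(v & 0x7f); v >>= 7; } while (v);
    for (size_t i = 0; i < n; i++)
        out[i] = (unsigned char)(tmp[n - 1 - i] | (i + 1 < n ? 0x80 : 0));
    return n;
}

/* DER length: short form below 128, long form (0x80 | byte count) above. */
static size_t put_len(unsigned char *out, size_t len)
{
    if (len < 128) { out[0] = (unsigned char)len; return 1; }
    size_t n = 0;
    for (size_t t = len; t; t >>= 8) n++;
    out[0] = (unsigned char)(0x80 | n);
    for (size_t i = 0; i < n; i++)
        out[1 + i] = (unsigned char)(len >> (8 * (n - 1 - i)));
    return 1 + n;
}

/* tag || length || body; returns 0 if the result does not fit in out. */
static size_t put_tlv(unsigned char tag, const unsigned char *body, size_t blen,
                      unsigned char *out, size_t outlen)
{
    unsigned char lenbuf[10];
    size_t ll = put_len(lenbuf, blen);
    if (1 + ll + blen > outlen) return 0;
    out[0] = tag;
    memcpy(out + 1, lenbuf, ll);
    memcpy(out + 1 + ll, body, blen);
    return 1 + ll + blen;
}

/* Dotted OID text -> DER OBJECT IDENTIFIER (tag 0x06). Returns 0 on malformed
 * input: a non-numeric arc, fewer than two arcs, first arc > 2, or second
 * arc > 39 under arcs 0/1 (X.690 packs the first two arcs as 40*a + b). */
size_t der_oid(const char *dotted, unsigned char *out, size_t outlen)
{
    unsigned char body[64];
    size_t blen = 0;
    unsigned long first = 0;
    int count = 0;
    for (const char *p = dotted; *p; ) {
        char *end;
        unsigned long v = strtoul(p, &end, 10);
        if (end == p || (*end != '.' && *end != '\0')) return 0;
        if (count == 0) { if (v > 2) return 0; first = v; }
        else if (count == 1) {
            if (first < 2 && v > 39) return 0;
            blen += put_subid(body + blen, first * 40 + v);
        } else {
            if (blen + 10 > sizeof body) return 0;
            blen += put_subid(body + blen, v);
        }
        count++;
        p = (*end == '.') ? end + 1 : end;
    }
    return count < 2 ? 0 : put_tlv(0x06, body, blen, out, outlen);
}

/* Text -> DER IA5String (tag 0x16). IA5 is 7-bit, so bytes above 0x7f are
 * rejected instead of being silently mis-encoded. */
size_t der_ia5(const char *s, unsigned char *out, size_t outlen)
{
    size_t n = strlen(s);
    for (size_t i = 0; i < n; i++)
        if ((unsigned char)s[i] > 0x7f) return 0;
    return put_tlv(0x16, (const unsigned char *)s, n, out, outlen);
}

/* An extension's extnValue is an OCTET STRING holding the DER of the
 * extension's own type; for a Netscape-comment-style extension that type is
 * IA5String, so this yields OCTET STRING(IA5String(s)), never raw text. */
size_t der_extnvalue(const char *s, unsigned char *out, size_t outlen)
{
    unsigned char inner[512];
    size_t n = der_ia5(s, inner, sizeof inner);
    return n ? put_tlv(0x04, inner, n, out, outlen) : 0;
}

static void hexdump(const char *label, const unsigned char *b, size_t n)
{
    printf("%-24s", label);
    for (size_t i = 0; i < n; i++) printf("%02x ", b[i]);
    putchar('\n');
}

int main(void)
{
    unsigned char buf[600];
    hexdump("OID 1.3.6.1.4.1.9999.1", buf, der_oid("1.3.6.1.4.1.9999.1", buf, sizeof buf));
    hexdump("IA5String \"our data\"", buf, der_ia5("our data", buf, sizeof buf));
    hexdump("extnValue", buf, der_extnvalue("My Extension Value", buf, sizeof buf));
    return 0;
}
```

The IA5String bytes are what the `1.3.6.1.4.1.9999.1 = ASN1:IA5String:My Extension Value` configuration line produces, which is the encoding the reply suggests generating once with 0.9.8 and reusing in 0.9.7. If you take the alias route instead, note that the OpenSSL header declares the call as `X509V3_EXT_add_alias(int nid_to, int nid_from)`, so the new NID comes first and `NID_netscape_comment` second; passing them the other way round silently tries to redefine the Netscape comment extension.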