Hello,
I'm trying to add a custom bag attribute to a PKCS12-encoded
file, and after googling the 'net, it appears that OpenSSL
currently doesn't support adding arbitrary OIDs to a PKCS7 bag.
Is this correct?
In particular, I want to add an OID key of 1.3.6.1.4.1.311.17.2 with no
data associated with it. The reason is Windows XP requires this
attribute/OID to be present in a cert before it will use that cert to
perform machine-based (host-based) authentication using EAP/TLS on a
wireless network. (And obviously, since I'm writing this, I'm trying
to get machine-based authentication working...)
Are there any plans to enhance OpenSSL so that it can add arbitrary
OIDs to PKCS7 bags, either from the openssl.conf file or from the
command line?
If anyone is interested, the following patch enables OpenSSL
to add this OID, although it doesn't set the key exactly the
same way that a Microsoft CA sets it (mainly because I don't know
how to add a bag attribute with no values associated with it).
After running this patch, the obj_dat.h and obj_mac.h files have
to be re-built.
To add the OID, use a command similar to the following:
openssl pkcs12 -export -LMK -in cert.pem -out cert.p12
Thanks!
- Dan
Below is the patch, against OpenSSL 0.9.7d:
Please note that this patch also documents the -CSP option for pkcs12
in the openssl runtime.
diff -u -r openssl-0.9.7d/apps/pkcs12.c openssl-0.9.7d-new/apps/pkcs12.c
--- openssl-0.9.7d/apps/pkcs12.c 2003-12-27 07:40:56.000000000 -0700
+++ openssl-0.9.7d-new/apps/pkcs12.c 2004-06-16 15:14:01.000000000 -0600
@@ -99,6 +99,7 @@
char **args;
char *name = NULL;
char *csp_name = NULL;
+ int LMK = 0;
PKCS12 *p12 = NULL;
char pass[50], macpass[50];
int export_cert = 0;
@@ -207,6 +208,8 @@
args++;
name = *args;
} else badarg = 1;
+ } else if (!strcmp (*args, "-LMK")) {
+ LMK = 1;
} else if (!strcmp (*args, "-CSP")) {
if (args[1]) {
args++;
@@ -308,6 +311,8 @@
BIO_printf (bio_err, "-password p set import/export password source\n");
BIO_printf (bio_err, "-passin p input file pass phrase source\n");
BIO_printf (bio_err, "-passout p output file pass phrase source\n");
+ BIO_printf (bio_err, "-LMK Add a Microsoft Local Machine Key Set
attribute to the pkcs7 bag\n");
+ BIO_printf (bio_err, "-CSP \"name\" Add a Microsoft CSP Name attribute to
the pkcs7 bag\n");
#ifndef OPENSSL_NO_ENGINE
BIO_printf (bio_err, "-engine e use engine e, possibly a hardware
device.\n");
#endif
@@ -584,7 +589,8 @@
PKCS8_PRIV_KEY_INFO_free(p8);
p8 = NULL;
if (name) PKCS12_add_friendlyname (bag, name, -1);
- if(csp_name) PKCS12_add_CSPName_asc(bag, csp_name, -1);
+ if (csp_name) PKCS12_add_CSPName_asc(bag, csp_name, -1);
+ if (LMK) PKCS12_add_LMKset_asc(bag, "", 0);
PKCS12_add_localkeyid (bag, keyid, keyidlen);
bags = sk_PKCS12_SAFEBAG_new_null();
sk_PKCS12_SAFEBAG_push (bags, bag);
diff -u -r openssl-0.9.7d/crypto/pkcs12/p12_attr.c
openssl-0.9.7d-new/crypto/pkcs12/p12_attr.c
--- openssl-0.9.7d/crypto/pkcs12/p12_attr.c 2001-06-10 18:43:08.000000000 -0600
+++ openssl-0.9.7d-new/crypto/pkcs12/p12_attr.c 2004-06-16 12:12:24.000000000 -0600
@@ -108,6 +108,16 @@
return 0;
}
+int PKCS12_add_LMKset_asc(PKCS12_SAFEBAG *bag, const char *name,
+ int namelen)
+{
+ if (X509at_add1_attr_by_NID(&bag->attrib, NID_LocalKeySet,
+ MBSTRING_ASC, (unsigned char *)name, namelen))
+ return 1;
+ else
+ return 0;
+}
+
int PKCS12_add_CSPName_asc(PKCS12_SAFEBAG *bag, const char *name,
int namelen)
{
diff -u -r openssl-0.9.7d/crypto/objects/objects.txt
openssl-0.9.7d-new/crypto/objects/objects.txt
--- openssl-0.9.7d/crypto/objects/objects.txt 2003-08-11 03:37:08.000000000 -0600
+++ openssl-0.9.7d-new/crypto/objects/objects.txt 2004-06-16 11:34:10.000000000
-0600
@@ -210,6 +210,7 @@
pkcs9 21 : : localKeyID
!Cname ms-csp-name
1 3 6 1 4 1 311 17 1 : CSPName : Microsoft CSP Name
+1 3 6 1 4 1 311 17 2 : LocalKeySet : Microsoft Local Key set
!Alias certTypes pkcs9 22
certTypes 1 : : x509Certificate
certTypes 2 : : sdsiCertificate
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
