First of all let me apologize for the red herring of
suggesting using command line options.  I keep re-
running into the "man req" section on "-subj" while
forgetting that without the private key this is not
useful for changing the subject name in a CSR.

If you haven't already stumbled onto this you might
want to take a look at the file "openssl.txt" in
the directory "doc" in the OpenSSL source distribution.
Let me quote a section that is not too far from the top:

  The syntax of raw extensions is governed by the extension code: it can
  for example contain data in multiple sections. The correct syntax to
  use is defined by the extension code itself: check out the certificate
  policies extension for an example.

  In addition it is also possible to use the word DER
  to include arbitrary data in any extension.

  1.2.3.4=critical,DER:01:02:03:04
  1.2.3.4=DER:01020304

  The value following DER is a hex dump of the DER
  encoding of the extension. Any extension can be placed
  in this form to override the default behaviour.
  For example:

  basicConstraints=critical,DER:00:01:02:03

  WARNING: DER should be used with caution. It is possible
  to create totally invalid extensions unless care is taken.

WARNING: I HAVE NEVER TRIED THIS SO I CANNOT SWEAR THAT IT WILL
SUCCEED!  But the clear implication is that if you have registered
the extension object ID you can cause arbitrary bytes to be placed
in the extension.  In the above 1.2.3.4 would be the object ID of
the extension, while 00,01,02 etc are the data.

Clearly this is somewhat more painful even than Assembly
Language, but it's what I had to do on my homemade computer
that had 512 bytes of memory.  An alternative would be to
write code to take a saner format for the data you want to
put into the extensions, but at least this is an approach
that does not require change to the source code.

If you do decide to write code to process your extension,
the documentation at the bottom of that file should be useful.
It is titled "X509V3 Extension code: programmers guide".

<capitalist running pig-dog>
Let me also note that there are several very experienced
and capable people posting to this list who have in their
canned signoff line a solicitation for their desire to
enter into "work for pay" deals.  That is, if you want to
trade off money for work, you could pay one to make the
required modification.
</capitalist running pig-dog>

If there is some showstopper here that I haven't seen,
please post so I haven't sent ray down yet another blind
alley...


ray v wrote:
You know I started by trying to add extensions but I
could not figure out how to get x509 to accept them.

Our company has OIDs assigned, I thought that by using
the oids_section = new_oids, I could make this work.


I would love to use extensions, is there a way to do
this without modifying the openssl code? Also, since
I'm accepting a cert request from outside what section
do I put the extensions in. My thinking was x509 when
I take the cert request to create and sign the new
certificate?

It would be helpful to have an example to work with.

Thanks again Charles, I'll figure this thing out
sooner or later. OH, I'll grab the new docs and see
what juicy morsels can be found!


--- Charles Cranston <[EMAIL PROTECTED]> wrote:


OK, the problem you will run into is that the Certificate Signing Request (CSR) is a DN and Public Key combination that is signed by the private key.  Since this is done by your client, you will not have access to the private key.

The OpenSSL software, as written, uses this signing as proof that the person making the request in fact has the private key.  This is to keep just anybody from trying to attach their name to a public key they might find on the net.

The problem is that you are trying to change the DN, which to the software "looks like" you are (might be) changing the name to refer to a different person. In fact, you are not, you are instead adding information without changing the identity, but the software is stupid and doesn't know that.

It is my belief that you could write a program calling the OpenSSL library to do signing with changes to the DN, the source code to the OpenSSL command line tools would give you a start on such a task.

Alternatively, you could modify the source code to the OpenSSL command line signing tools to disable the test for validation on the signing of the CSR, then process the CSR submitted with the old DN into one requesting signing for the new DN.  It would be signed by you instead of the requestor, but you would disable the test that would recognize this.

But, are you sure you couldn't do the same thing by making a custom extension that would carry the same information you're trying to add to the DN?

Also check the most updated documentation on the options for OpenSSL command line tools -- seems to me I saw some new options pop up for modifying the DN in some set of circumstances.

ray v wrote:


Yes, understood, but in this case someone will send a certificate request via e-mail, I will not be involved in making it. I will fill/sign that request and send it back. The request will come with the standard information tucked away in the DN.

I need to add information to the DN, something I have been unable to do without generating the request myself. According to the man info there are extensions and x509_extensions; I've tried both and I'm a bit more confused now.

I tried using the -extfile option but I can not insert my own values into the DN. When I run openssl x509 -extfile I get "no" errors, the certificate is created. But upon viewing it the additions to the DN are not there.

I think that really I'm asking the wrong question. What I want to do is add information to a certificate when it's generated. The nature of which is internal only. Is there a way to do this without patching openssl's code?

If yes, what would be your suggestion?






--- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:

On Wed, Nov 10, 2004, ray v wrote:

I wish to add something like 1.3.6.1.4.1.9999.1 to the Distinguished name, something like...

CN=Me,O=FOO,OU=Bar,1.3.6.1.4.1.9999.1=stuff

What's the best way to do this when you need to specify the -extfile option? Or is it really necessary to use the -extfile ?


Extfile is for certificate extensions. If you want to add DN components you need to add those to the appropriate section where they will be prompted for when a certificate request is made.

This is in the section req_distinguished_name in the standard openssl configuration file.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys:
see homepage
OpenSSL project core developer and freelance
consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk



______________________________________________________________________

OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
--
Charles B. (Ben) Cranston
mailto:[EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
--
Charles B. (Ben) Cranston
mailto:[EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
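The "OID=DER:..." raw-extension syntax quoted above from openssl.txt, together with the oid_section route ray mentions, as an added example that is not part of this thread or of OpenSSL itself: the helpers below are hypothetical, the OID 1.3.6.1.4.1.9999.1 is the placeholder from ray's question, "stuff" is a constructed value, and the extension content is assumed to be an ASN.1 UTF8String. The well-formedness check is the care the openssl.txt warning asks for: `DER:` writes the bytes verbatim, so a hex dump whose length octet does not match its value becomes an invalid extension that OpenSSL will happily sign.

```python
# Added example, not from the thread or from OpenSSL: build the OID=DER:... line that
# openssl.txt describes, carrying a UTF8String in a private extension, and check that the
# hex dump is one well-formed TLV. 1.3.6.1.4.1.9999.1 and "stuff" are placeholders.

def der_length(n):
    """DER length octets: short form below 128, long form (0x80|N, then N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_utf8string(text):
    """Encode text as an ASN.1 UTF8String (tag 0x0C) in DER."""
    payload = text.encode("utf-8")
    return b"\x0c" + der_length(len(payload)) + payload

def der_extension_line(oid, text, critical=False):
    """The openssl.cnf line: OID=[critical,]DER:xx:xx:... (hex dump of the DER value)."""
    hexdump = ":".join("%02x" % b for b in der_utf8string(text))
    return "%s=%sDER:%s" % (oid, "critical," if critical else "", hexdump)

def parse_der_line(line):
    """Inverse: read an OID=[critical,]DER:... line back into (oid, critical, raw bytes)."""
    oid, _, value = line.partition("=")
    critical = value.startswith("critical,")
    if critical:
        value = value[len("critical,"):]
    if not value.startswith("DER:"):
        raise ValueError("not a DER: extension line")
    return oid, critical, bytes.fromhex(value[4:].replace(":", ""))

def well_formed_tlv(raw):
    """True only if raw is exactly one tag + length + value, no missing or trailing bytes."""
    if len(raw) < 2:
        return False
    first = raw[1]
    if first < 0x80:
        length, header = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or len(raw) < 2 + nbytes:
            return False
        length, header = int.from_bytes(raw[2:2 + nbytes], "big"), 2 + nbytes
    return len(raw) == header + length

def extension_config(short_name, oid, text):
    """Config for -extfile: the real key is oid_section (ray's message spells it oids_section)."""
    return "\n".join(["oid_section = new_oids", "", "[ new_oids ]", "%s = %s" % (short_name, oid),
                      "", "[ v3_custom ]", der_extension_line(oid, text), ""])
```

Run through the check, the four-byte `basicConstraints=critical,DER:00:01:02:03` sample from the openssl.txt excerpt fails it (length octet 01 followed by two bytes), which is exactly the kind of line the warning there is about.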
