Ok I can get x509 to accept the extension now,
something like this

extensions = extend

[extend]
#basicConstraints = critical,CA:true
1.3.6.1.4.1.9999.1002 =
DER:06:09:2B:06:01:04:01:D6:1F:87:6A

openssl x509 -in test.crt -text -noout

 X509v3 extensions:
            1.3.6.1.4.1.9999.1002:
                ..+.......j

This would be acceptable if I could figure out how to
make 1.3.6.1.4.1.9999.1002 = va1=48837774. Given what
I've heard and seen so far I don't think what I want
to do will work.

I'm going back over the documentation again to see
what I'm missing. Maybe someone can explain why
I should expect this to work without patching
openssl?

BTW I found this tool which might be useful to the
openssl user community....

http://www.rtner.de/software/oid.html

Thanks to the authors of the above code!
Peter Gutman 
Matthias Gärtner

Thank you all!


--- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:

> On Thu, Nov 11, 2004, Charles Cranston wrote:
> 
> > First of all let me apologize for the red herring of
> > suggesting using command line options.  I keep re-running
> > into the "man req" section on "-subj" while forgetting
> > that without the private key this is not useful for
> > changing the subject name in a CSR.
> > 
> > If you haven't already stumbled onto this you might want
> > to take a look at the file "openssl.txt" in the directory
> > "doc" in the OpenSSL source distribution. Let me quote a
> > section that is not too far from the top:
> > 
> >   The syntax of raw extensions is governed by the
> >   extension code: it can for example contain data in
> >   multiple sections. The correct syntax to use is defined
> >   by the extension code itself: check out the certificate
> >   policies extension for an example.
> > 
> >   In addition it is also possible to use the word DER
> >   to include arbitrary data in any extension.
> > 
> >   1.2.3.4=critical,DER:01:02:03:04
> >   1.2.3.4=DER:01020304
> > 
> >   The value following DER is a hex dump of the DER
> >   encoding of the extension. Any extension can be placed
> >   in this form to override the default behaviour.
> >   For example:
> > 
> >   basicConstraints=critical,DER:00:01:02:03
> > 
> >   WARNING: DER should be used with caution. It is possible
> >   to create totally invalid extensions unless care is taken.
> > 
> > WARNING: I HAVE NEVER TRIED THIS SO I CANNOT SWEAR THAT IT
> > WILL SUCCEED!  But the clear implication is that if you
> > have registered the extension object ID you can cause
> > arbitrary bytes to be placed in the extension.  In the
> > above 1.2.3.4 would be the object ID of the extension,
> > while 00,01,02 etc are the data.
> > 
> > Clearly this is somewhat more painful even than Assembly
> > Language, but it's what I had to do on my homemade
> > computer that had 512 bytes of memory.  An alternative
> > would be to write code to take a saner format for the
> > data you want to put into the extensions, but at least
> > this is an approach that does not require change to the
> > source code.
> > 
> > If you do decide to write code to process your extension,
> > the documentation at the bottom of that file should be
> > useful. It is titled "X509V3 Extension code: programmers
> > guide".
> > 
> > If there is some showstopper here that I haven't seen,
> > please post so I haven't sent ray down yet another blind
> > alley...
> > 
> 
> Well technically the stuff you put with DER shouldn't be
> arbitrary data. It should be a well formatted DER structure.
> Some applications (not based on OpenSSL) will reject an
> extension (and possibly the whole certificate) if the
> contents are not well formed.
> 
> You can use OpenSSL 0.9.8 to do the encoding for you with
> its mini-ASN1 compiler. Then when it's produced the right
> encoding it can be placed into the DER option for earlier
> versions.
> 
> You can also hand code it. Again this isn't as horrible as
> it sounds. To take a simple case the ASN1 OCTET STRING of
> length up to 127 bytes is formed like this:
> 
> 0x04, len, (content).
> 
> So the bytes 1, 2, 3, 4 would be:
> 
> 1.2.3.4=DER:04:04:01:02:03:04 
> 
> That will put this into a certificate extension. Whether
> this is of any use depends on what the OP wants to do with
> the data when it's there...
> 
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
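Added example, not code from the thread or from OpenSSL: a short Python script that hand-builds the DER Steve describes (tag, length, content) for the value the original poster wants to carry, prints the matching "DER:" config line, and checks that a "DER:" hex value is exactly one well-formed element, since non-OpenSSL applications may reject a malformed extension. The helper names are my own; the OID and the sample value come from the thread and are used here as constructed sample input.

```python
# Build the DER for a private X.509 extension value and validate a DER: line.

def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, minimal long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value element, e.g. tag 0x04 for OCTET STRING."""
    return bytes([tag]) + der_length(len(content)) + content

def octet_string(data: bytes) -> bytes:
    return der_tlv(0x04, data)

def config_line(oid: str, der: bytes, critical: bool = False) -> str:
    """The line to put in the [extend] section of the openssl config."""
    hexdump = ":".join(f"{b:02X}" for b in der)
    return f"{oid} = {'critical,' if critical else ''}DER:{hexdump}"

def parse_der_value(value: str) -> tuple:
    """Parse the hex after 'DER:' as exactly one DER TLV (single-byte tag).
    Raises ValueError on indefinite/non-minimal length or trailing bytes."""
    raw = bytes.fromhex(value.replace(":", ""))
    if len(raw) < 2:
        raise ValueError("too short for a tag and a length")
    tag, first = raw[0], raw[1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not handled")
    if first < 0x80:
        length, offset = first, 2
    elif first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    else:
        nbytes = first & 0x7F
        lenbytes = raw[2:2 + nbytes]
        length, offset = int.from_bytes(lenbytes, "big"), 2 + nbytes
        if len(lenbytes) != nbytes or length < 0x80 or lenbytes[0] == 0:
            raise ValueError("length is truncated or not minimally encoded")
    if offset + length != len(raw):
        raise ValueError(f"declared {length} content bytes, got {len(raw) - offset}")
    return tag, raw[offset:]

# Constructed sample: the OID and value from the thread.
SAMPLE_OID = "1.3.6.1.4.1.9999.1002"
SAMPLE_VALUE = b"va1=48837774"

if __name__ == "__main__":
    line = config_line(SAMPLE_OID, octet_string(SAMPLE_VALUE))
    print(line)
    tag, content = parse_der_value(line.split("DER:")[1])
    print(f"tag 0x{tag:02X}, content {content!r}")
```

Running it prints the config line with the value wrapped as an OCTET STRING; feeding the poster's own `06:09:...` value to parse_der_value shows it is a single well-formed element with tag 0x06 (OBJECT IDENTIFIER), which is why `openssl x509 -text` printed it as dots.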