On Fri, Mar 24, 2006, Saurabh Arora wrote:

> hi
>
> problem:
> -------------
> - I want to add custom attributes in the standard x509 extensions, without
>   patching the source code.
> - I want to add new extension along with standard x509 extension, without
>   patching the source code.
> say, adding an attribute :
>
>   attribute ::= SEQUENCE {
>       type    AttributeType ,
>       values  SET OF AttributeValue }
>
>   AttributeType ::= OBJECT IDENTIFIER
>   AttributeValue ::= ANY
>
> to the standard extension say, SubjectDirectoryAttribute
>
> --------------
> now I have attempted following things :
> since 0.9.8 , asn1 mini compiler works, hence punched some lines in format of
> asn1_generate_nconf function
> openssl.cnf:
> --------------------
> #(very beginning)
> openssl_conf=init_section
>
> #(under certificate extensions )
> [ certificate_extensions ]
> # These extensions are added when 'ca' signs a request.
> # This goes against PKIX guidelines but some CAs do it and some software
> # requires this to avoid interpreting an end user certificate as a CA.
> basicConstraints=CA:FALSE
>
> customExtension=ASN1:SEQUENCE:seq        ----> custom code
>
>
> #(at the very end)
> [seq]
> flag = BOOLEAN:TRUE
>
> [init_section]
> oid_section = asn1_oids
>
> [asn1_oids]
> customExtension=1.22.33.4.55.66.777
> ---------------------
>
> now at the time when ca signs the csr , the following output is generated in
> extensions part:
>
>     X509v3 extensions:
>         X509v3 Basic Constraints:
>             CA:FALSE
>         customExtension:                  ------------> custom extension
>             0....
>         X509v3 Key Usage:
>
>
> but when after successfully signing the csr, when I run the command to see it
> again :
> - openssl x509 -in testcert.cert -text
> I get the following output in the extensions part :
>
>     X509v3 extensions:
>         X509v3 Basic Constraints:
>             CA:FALSE
>         1.22.33.4.55.66.777:              --------> custom OID of customExtension
>             0....
>         X509v3 Key Usage:
>
>
> why?? why Dr. Henson ??
> why is the name converted back to OID ?
The "name" isn't stored in the certificate. The OID is stored there. It is
OpenSSL that translates the OID into the name. So what you should be asking
is why the OID isn't displayed as the name.

If the "x509" utility isn't picking up the new OID definition from the config
file (perhaps the 'req' utility used a custom config file?) then that's one
possible reason...

> is there a way to see the complete extension, which ideally should look like
> :
>     customExtension:
>         flag:FALSE
>

No. The reason for that is that the extension code for supported extensions
knows that a certain field is called "flag". For unknown arbitrary extensions
it has no idea what a field's name is or how to display it.

You can however produce a friendlier output using the -certopt ext_parse
option. That will run unknown extensions through OpenSSL's generic ASN1
printing routines.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
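The point of Steve's reply, that the certificate holds only the OID and the name "customExtension" is a lookup done locally by whichever OpenSSL config happens to be loaded, is easiest to see on the raw bytes. The following is an added example written for this thread (it is not code from the thread, from Saurabh, or from OpenSSL): a small DER encoder/decoder that builds the exact Extension the quoted openssl.cnf produces, parses it back, and prints it once with the [asn1_oids] mapping available and once without it. It also does a generic type-only dump of the extension value, which is the kind of output `-certopt ext_parse` gives for an unknown extension: it can say "BOOLEAN: TRUE" but has no way to know that the field was called "flag". All bytes and the OID table are constructed from the config quoted in the question.

```python
# Added example (not from the thread or from OpenSSL). Minimal DER helpers
# showing why `openssl x509 -text` prints a dotted OID for the custom
# extension: the certificate stores the OID, while the name "customExtension"
# exists only in the local openssl.cnf [asn1_oids] section.
# All sample values are constructed from the config quoted in the question.
from typing import Dict, List, Tuple


def encode_oid(dotted: str) -> bytes:
    """DER content octets of a dotted OID: first two arcs are merged,
    remaining arcs are base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(content: bytes) -> str:
    """Inverse of encode_oid, operating on the content octets only."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after the element); definite lengths only."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def build_extension(oid: str, value: bytes, critical: bool = False) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }. DER omits a field equal to its DEFAULT."""
    parts = tlv(0x06, encode_oid(oid))
    if critical:
        parts += tlv(0x01, b"\xff")
    return tlv(0x30, parts + tlv(0x04, value))


def parse_extension(der: bytes) -> Dict[str, object]:
    _, body, _ = read_tlv(der)
    tag, content, pos = read_tlv(body)
    assert tag == 0x06, "extnID must be an OBJECT IDENTIFIER"
    ext: Dict[str, object] = {"oid": decode_oid(content), "critical": False}
    tag, content, pos = read_tlv(body, pos)
    if tag == 0x01:                       # optional critical flag present
        ext["critical"] = content != b"\x00"
        tag, content, pos = read_tlv(body, pos)
    assert tag == 0x04, "extnValue must be an OCTET STRING"
    ext["value"] = content
    return ext


def asn1_print(der: bytes, indent: int = 0) -> List[str]:
    """Generic dump in the spirit of -certopt ext_parse: types only, no field names."""
    names = {0x01: "BOOLEAN", 0x02: "INTEGER", 0x04: "OCTET STRING", 0x05: "NULL",
             0x06: "OBJECT", 0x0C: "UTF8STRING", 0x13: "PRINTABLESTRING",
             0x30: "SEQUENCE", 0x31: "SET"}
    lines, pos, pad = [], 0, " " * indent
    while pos < len(der):
        tag, content, pos = read_tlv(der, pos)
        kind = names.get(tag, "[%02x]" % tag)
        if tag in (0x30, 0x31):
            lines.append(f"{pad}{kind} {{")
            lines.extend(asn1_print(content, indent + 2))
            lines.append(f"{pad}}}")
        elif tag == 0x01:
            flag = "TRUE" if content != b"\x00" else "FALSE"
            lines.append(f"{pad}{kind}: {flag}")
        elif tag == 0x02:
            lines.append(f"{pad}{kind}: {int.from_bytes(content, 'big', signed=True)}")
        elif tag == 0x06:
            lines.append(f"{pad}{kind}: {decode_oid(content)}")
        elif tag in (0x0C, 0x13):
            lines.append(f"{pad}{kind}: {content.decode()}")
        else:
            lines.append(f"{pad}{kind}: {content.hex()}")
    return lines


def display_name(oid: str, oid_table: Dict[str, str]) -> str:
    """What a -text dump shows: the name if this OpenSSL config knows it, else the OID."""
    return oid_table.get(oid, oid)


# Constructed from the quoted openssl.cnf: [seq] flag = BOOLEAN:TRUE
CUSTOM_OID = "1.22.33.4.55.66.777"
FLAG_VALUE = tlv(0x30, tlv(0x01, b"\xff"))      # SEQUENCE { BOOLEAN TRUE }
EXTENSION = build_extension(CUSTOM_OID, FLAG_VALUE)

if __name__ == "__main__":
    ext = parse_extension(EXTENSION)
    # Same bytes, printed with the [asn1_oids] table loaded (the `ca` run)
    # and without it (an `x509 -text` run that did not read that config).
    for table in ({CUSTOM_OID: "customExtension"}, {}):
        print(f"{display_name(str(ext['oid']), table)}:")
        for line in asn1_print(bytes(ext["value"]), 4):
            print(line)
```

The `x509` command has no `-config` option; it reads the config file named by the `OPENSSL_CONF` environment variable (or the built-in default path), so pointing that variable at the same openssl.cnf the `ca` run used is the practical way to get the name back in the `-text` output. Whichever name is printed, verifiers that rely on the extension should match on the OID bytes, never on the display name.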