On May 10, 2012, at 18:59, "Dr. Stephen Henson" <st...@openssl.org> wrote:
> On Thu, May 10, 2012, Dirk-Willem van Gulik wrote:
>
>> int nid1 = OBJ_create("1.3.6.1.4.1.2692.99.1", "geoLat",
>>                       "Latitude(WGS84) of device calculating CSR");
>> ASN1_OBJECT* obj1 = OBJ_nid2obj(nid1);
>>
>> ASN1_INTEGER * data1 = ASN1_INTEGER_new();
>> ASN1_INTEGER_set(data1, 100);
>>
>> sk_X509_EXTENSION_push(exts, X509_EXTENSION_create_by_OBJ(NULL, obj1,
>>                        0, data1));
>>
>> I see this return also an OCTET STRING:
>>
>>   352:d=6  hl=2 l=  14 cons: SEQUENCE
>>   354:d=7  hl=2 l=   9 prim: OBJECT            :1.3.6.1.4.1.2692.99.1
>>   365:d=7  hl=2 l=   1 prim: OCTET STRING      :d
>>
>> Where am I going wrong? Specifically I'd like to embed a very small image
>> (containing a hard to forge noise pattern) and a few arbitrary IEEE floating
>> point numbers in the CSR (i.e. in the part that gets signed by the pub-key of
>> the CSR requester).
>
> Although the parser tolerates it you shouldn't place arbitrary data in an X509
> extension, you should instead place the encoding of the extension.
>
> So you'd use i2d_ASN1_OCTET_STRING or i2d_ASN1_INTEGER to generate the
> encoding and use that as the content of the extension OCTET STRING.

Thanks - but I think I am being a bit dim. If I understand it right - you mean the following:

1) create the integer and populate it:

    ASN1_INTEGER * int1 = ASN1_INTEGER_new();
    ASN1_INTEGER_set(int1, 100);

2) figure out the length it would take when converted from internal into der/asn1 wire encoding:

    int n = i2d_ASN1_INTEGER(int1, NULL);

3) ensure we have the needed space for that:

    ASN1_OCTET_STRING data1;
    data1.data = malloc(n);
    data1.length = n;

4) fill out the ASN1 string by translating it again - this time into the buffer:

    unsigned char * p = M_ASN1_STRING_data(&data1);
    i2d_ASN1_INTEGER(int1, &p);

5) add to the extension stack:

    sk_X509_EXTENSION_push(exts, X509_EXTENSION_create_by_OBJ(NULL, obj1, 0, &data1));

Nets me

    365:d=7  hl=2 l=   3 prim: OCTET STRING      [HEX DUMP]:020164

which looks close (02 type == integer, 01 length, number 100) -- but is obviously not right as it is seen as an octet string still.

Where am I going wrong this time?! :)

Dw.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
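The encoding Henson's reply describes, written out as an added example (this is not code from the thread and not OpenSSL code): an X.509 Extension is SEQUENCE { extnID, critical DEFAULT FALSE, extnValue OCTET STRING }, and extnValue is by definition an OCTET STRING whose *content* is the DER of the real value. So `04 03 02 01 64` is the correct shape for geoLat = 100; `openssl asn1parse` only shows the outer OCTET STRING unless it is told to descend into it. The block below builds exactly those bytes without libcrypto, using the OID from the thread, and decodes them back, rejecting an OCTET STRING that holds a bare byte instead of a DER INTEGER (the first attempt above). It assumes every length fits DER's short form (under 128 bytes), which holds for a small private extension; the integer encoder handles the minimal two's-complement rules (leading 00 for 128, ff for negatives) that a hand-built value is most likely to get wrong.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not code from the thread or from OpenSSL. Hand-rolled DER for
 *   Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER,
 *                            critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
 * where extnValue holds the DER of the real value (an INTEGER here): the same bytes
 * i2d_ASN1_INTEGER + X509_EXTENSION_create_by_OBJ produce. Assumption: all lengths < 128. */

static const unsigned GEOLAT_OID[] = {1, 3, 6, 1, 4, 1, 2692, 99, 1}; /* OID from the thread */
#define GEOLAT_ARCS (sizeof GEOLAT_OID / sizeof GEOLAT_OID[0])

/* tag || short-form length || value; returns bytes written, 0 if value too long */
static size_t der_tlv(uint8_t *out, uint8_t tag, const uint8_t *val, size_t len)
{
    if (len > 127) return 0;
    out[0] = tag; out[1] = (uint8_t)len;
    memcpy(out + 2, val, len);
    return 2 + len;
}
/* INTEGER as minimal two's complement: 100 -> 02 01 64, 128 -> 02 02 00 80, -1 -> 02 01 ff */
static size_t der_integer(uint8_t *out, int64_t v)
{
    uint8_t be[8]; uint64_t u = (uint64_t)v; size_t s = 0;
    for (int i = 7; i >= 0; i--) { be[i] = (uint8_t)(u & 0xff); u >>= 8; }
    while (s < 7 && ((be[s] == 0x00 && !(be[s + 1] & 0x80)) ||
                     (be[s] == 0xff &&  (be[s + 1] & 0x80))))
        s++;                                   /* drop bytes that only repeat the sign */
    return der_tlv(out, 0x02, be + s, 8 - s);
}
/* OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128 */
static size_t der_oid(uint8_t *out, const unsigned *arcs, size_t narcs)
{
    uint8_t buf[64]; size_t n = 0;
    buf[n++] = (uint8_t)(arcs[0] * 40 + arcs[1]);
    for (size_t i = 2; i < narcs; i++) {
        uint8_t tmp[5]; int k = 0; unsigned a = arcs[i];
        do { tmp[k++] = a & 0x7f; a >>= 7; } while (a);
        while (k--) buf[n++] = tmp[k] | (k ? 0x80 : 0x00);
    }
    return der_tlv(out, 0x06, buf, n);
}
/* Non-critical extension: DER omits DEFAULT values, so no BOOLEAN is emitted. */
size_t build_integer_extension(uint8_t *out, const unsigned *arcs, size_t narcs, int64_t value)
{
    uint8_t inner[16], body[128];
    size_t n = der_oid(body, arcs, narcs);
    size_t m = der_integer(inner, value);     /* DER of the value itself ...          */
    n += der_tlv(body + n, 0x04, inner, m);    /* ... wrapped in the extnValue string  */
    return der_tlv(out, 0x30, body, n);
}
/* tag + short-form length header whose value fits in len; 0 on success */
static int tlv_get(const uint8_t *p, size_t len, uint8_t tag, size_t *vlen)
{
    if (len < 2 || p[0] != tag || (p[1] & 0x80)) return -1;
    *vlen = p[1];
    return 2 + *vlen <= len ? 0 : -1;
}
/* Reverse direction: unwrap extnValue and decode the INTEGER. 0 ok, -1 malformed. */
int read_integer_extension(const uint8_t *der, size_t len, int64_t *value)
{
    size_t vlen, rem; const uint8_t *p = der; uint64_t u;
    if (tlv_get(p, len, 0x30, &vlen)) return -1;              /* Extension SEQUENCE */
    p += 2; rem = vlen;
    if (tlv_get(p, rem, 0x06, &vlen)) return -1;              /* extnID */
    p += 2 + vlen; rem -= 2 + vlen;
    if (rem && p[0] == 0x01) {                                /* optional critical BOOLEAN */
        if (tlv_get(p, rem, 0x01, &vlen)) return -1;
        p += 2 + vlen; rem -= 2 + vlen;
    }
    if (tlv_get(p, rem, 0x04, &vlen)) return -1;              /* extnValue OCTET STRING */
    p += 2; rem = vlen;
    if (tlv_get(p, rem, 0x02, &vlen) || vlen == 0 || vlen > 8 || 2 + vlen != rem)
        return -1;                                            /* INTEGER must fill extnValue */
    p += 2;
    u = (p[0] & 0x80) ? ~(uint64_t)0 : 0;                     /* sign-extend */
    for (size_t i = 0; i < vlen; i++) u = (u << 8) | p[i];
    *value = (int64_t)u;
    return 0;
}

/* Encode v under geoLat and decode it again; 1 if it survives the round trip. */
int roundtrip_ok(int64_t v)
{
    uint8_t out[128]; int64_t back;
    size_t n = build_integer_extension(out, GEOLAT_OID, GEOLAT_ARCS, v);
    return n != 0 && read_integer_extension(out, n, &back) == 0 && back == v;
}
/* Exact wire bytes of geoLat = 100; the last five are the 04 03 02 01 64 seen above. */
int geolat_100_bytes_ok(void)
{
    static const uint8_t expect[] = {0x30, 0x10, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01,
                                     0x95, 0x04, 0x63, 0x01, 0x04, 0x03, 0x02, 0x01, 0x64};
    uint8_t out[128];
    size_t n = build_integer_extension(out, GEOLAT_OID, GEOLAT_ARCS, 100);
    return n == sizeof expect && memcmp(out, expect, n) == 0;
}
```

To see the same thing with the OpenSSL tooling, point asn1parse at the OCTET STRING's offset from the dump above: `openssl asn1parse -in req.pem -strparse 365` parses the content octets at offset 365 and prints the INTEGER inside. On the library side, the stack-allocated `ASN1_OCTET_STRING` in step 3 above leaves `type` and `flags` uninitialised and leaks the malloc'd buffer; `ASN1_OCTET_STRING_new()` followed by `ASN1_OCTET_STRING_set(os, buf, n)` copies the i2d output into a properly initialised object, and `X509_EXTENSION_create_by_OBJ` copies it again, so the temporary can be freed afterwards.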