On Mon, 10 Mar 2014 08:59:55 -0700, Donald J. <[email protected]> wrote:
>Could someone who is using z/OS PKI Services for z/OS post a sample
>certificate containing an arbitrary extension for HostIdMapping, or an
Would some VBscript help? Did this a loong time ago and I'm not sure it's
totally clean, but I did use it.
'
' hostIdMappings - Build hostIdMappings certificate extension for the entities
'                  passed as arguments
'
' usage: cscript hostIdMappings.vbs //NOLOGO userA@hostname1 [ userB@hostname2 [...] ] >tempfile.txt
'        if %ERRORLEVEL% LSS 1 certutil.exe -setextension <request-id> 1.3.18.0.2.18.1 @tempfile.txt
'
' The extension we are building is described by:
'
' id-ce-hostIdMappings OBJECT IDENTIFIER ::= {1 3 18 0 2 18 1}
'
' HostIdMappings ::= SET OF HostIdMapping
'
' HostIdMapping ::= SEQUENCE {
'     hostName            IMPLICIT [1] IA5String,
'     subjectId           IMPLICIT [2] IA5String,
'     proofOfIdPossession IdProof OPTIONAL
' }
' IdProof ::= SEQUENCE {
'     secret              OCTET STRING,
'     encryptionAlgorithm OBJECT IDENTIFIER
' }
'
' Note: the proofOfIdPossession is not implemented here.
'
' References: z/OS Security Server RACF Callable Services (IBM Doc SA22-7691)
'             Advanced Certificate Enrollment and Management (Microsoft TechNet)
'
Set oArgs = WScript.Arguments
if (oArgs.count < 1) then
    usage()
end if
if (oArgs(0) = "-?") or (oArgs(0) = "-h") then
    usage()
end if
' every argument must contain "@"; the 100-character limit keeps each inner
' hostName/subjectId/SEQUENCE length below 128 so a one-byte DER length suffices
for i = 0 to oArgs.count - 1
    if Instr(oArgs(i), "@") = 0 then
        usage()
    end if
    if Len(oArgs(i)) > 100 then
        usage()
    end if
next
' build extension as a SET of SEQUENCEs of subjectId/hostName pairs
' (ChrW/AscW are used so byte values 128-255 round-trip independently of the ANSI code page)
hostIdMappings = ""
for i = 0 to oArgs.count - 1
    at = InstrRev(oArgs(i), "@")
    subjectId = Left(oArgs(i), at - 1)
    hostName = Right(oArgs(i), Len(oArgs(i)) - at)
    ' WScript.echo "hostName: " & hostName & chr(13) & _
    '              "subjectId: " & subjectId
    ' IMPLICIT [1] (0x81) + LENGTH + DATA
    asn1HostName = ChrW(129) & ChrW(Len(hostName)) & hostName
    ' IMPLICIT [2] (0x82) + LENGTH + DATA
    asn1SubjectId = ChrW(130) & ChrW(Len(subjectId)) & subjectId
    hostIdMapping = asn1HostName & asn1SubjectId
    ' SEQUENCE (0x30) + LENGTH + DATA
    asn1HostIdMapping = ChrW(48) & ChrW(Len(hostIdMapping)) & hostIdMapping
    hostIdMappings = hostIdMappings & asn1HostIdMapping
next
' SET (0x31) + LENGTH + DATA
' DER long-form length: 0x81 + one byte for 128-255, 0x82 + two bytes above that
' note: total length limited to two length bytes (65535) here
if Len(hostIdMappings) > 255 then
    asn1HostIdMappings = ChrW(49) & ChrW(130) & ChrW(Len(hostIdMappings) \ 256) & _
                         ChrW(Len(hostIdMappings) Mod 256) & hostIdMappings
elseif Len(hostIdMappings) > 127 then
    asn1HostIdMappings = ChrW(49) & ChrW(129) & ChrW(Len(hostIdMappings)) & hostIdMappings
else
    asn1HostIdMappings = ChrW(49) & ChrW(Len(hostIdMappings)) & hostIdMappings
end if
' convert to space-separated hex for certutil
hexHostIdMappings = ""
for i = 1 to Len(asn1HostIdMappings)
    hexHostIdMappings = hexHostIdMappings & _
        Right("0" & Hex(AscW(Mid(asn1HostIdMappings, i, 1))), 2) & " "
next
WScript.echo hexHostIdMappings
' - - - - - '
Function usage
    WScript.Echo "Usage: cscript hostIdMappings.vbs hostIdMap1 [hostIdMap2 [...]]"
    WScript.Echo "  hostIdMaps are in the format userid@hostname and limited to 100 characters"
    WScript.Quit 1
end Function
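As an added example (not the VBScript above or anything from IBM), here is the same HostIdMappings encoding in Python, with a decoder so the hex handed to certutil can be checked against the ASN.1 definition quoted in the header; the OID and tag numbers come from the post, the sample names in the comments are constructed.

```python
# Added example (not the post's VBScript): DER encode/decode of HostIdMappings (OID 1.3.18.0.2.18.1); proofOfIdPossession is not emitted.
def der_len(n):
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def tlv(tag, value):
    return bytes([tag]) + der_len(len(value)) + value

def encode_host_id_mappings(mappings):
    """mappings: iterable of (subjectId, hostName); returns SET OF HostIdMapping."""
    elements = []
    for subject_id, host_name in mappings:
        # hostName IMPLICIT [1] -> 0x81, subjectId IMPLICIT [2] -> 0x82; encode("ascii") enforces IA5String
        seq = tlv(0x81, host_name.encode("ascii")) + tlv(0x82, subject_id.encode("ascii"))
        elements.append(tlv(0x30, seq))           # one HostIdMapping SEQUENCE
    return tlv(0x31, b"".join(sorted(elements)))  # SET OF: DER sorts the elements

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: low 7 bits = octet count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_host_id_mappings(der):
    """Inverse of encode_host_id_mappings: list of (subjectId, hostName)."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x31 or end != len(der):
        raise ValueError("expected exactly one SET")
    result, pos = [], 0
    while pos < len(body):
        tag, seq, pos = read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("expected SEQUENCE inside SET")
        fields, p = {}, 0
        while p < len(seq):
            t, v, p = read_tlv(seq, p)
            if t in (0x81, 0x82):                 # skip proofOfIdPossession (0x30)
                fields[t] = v.decode("ascii")
        result.append((fields[0x82], fields[0x81]))
    return result
def certutil_hex(der):
    """Space-separated hex, the @file form the post feeds to certutil -setextension."""
    return " ".join(f"{b:02X}" for b in der)
```

For a constructed mapping IBMUSER@mvs1.example.com the output begins `31 1D 30 1B 81 10`, i.e. a 29-byte SET holding a 27-byte SEQUENCE whose first field is the 16-byte [1] hostName.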
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN