On Tue, Aug 25, 2009, Patrick Patterson wrote:

> Hello all:
> 
> I find myself needing to create some test certificates with SMIME Capabilities
> encoded in them. Now, the ASN.1 prototype for these are:
> 
> SMIMECapabilities ::= SEQUENCE OF SMIMECapability
> 
> SMIMECapability ::= SEQUENCE {
>          capabilityID OBJECT IDENTIFIER,
>          parameters ANY DEFINED BY capabilityID OPTIONAL }
> 
> To me, this means that, in an extensions section of openssl.cnf, I should be 
> able to do something like:
> 
> [my_cert_extensions]
> basicConstraints         = CA:FALSE
> keyUsage                    = critical, keyEncipherment, dataEncipherment
> SMIME-CAPS               = ASN1:SEQUENCE:smime_seq
> subjectKeyIdentifier    = hash
> authorityKeyIdentifier = keyid,issuer
> 
> [ smime_seq ]
> capabilityID.0 = OID:sha1
> capabilityID.1 = OID:sha256
> capabilityID.2 = OID:sha1WithRSA
> capabilityID.3 = OID:aes-256-ecb
> capabilityID.4 = OID:aes-256-cbc
> capabilityID.5 = OID:aes-256-ofb
> capabilityID.6 = OID:aes-128-ecb
> capabilityID.7 = OID:aes-128-cbc
> capabilityID.8 = OID:aes-128-ecb
> 
> 
> And it should work - my problem is that it is devilishly hard to verify and
> see whether this is, in fact, correct. Not to mention there is a complete lack
> of any examples of functional certificates out there that I can find. That,
> and there is a notable lack of client programs that will spit out the contents
> of this extension in any sort of form that is useful.
> 
> Can one of the OpenSSL gurus please let me know if I'm on the right path?
> 

Close but you missed the fact that each component is itself a SEQUENCE.

Most of the time the parameters will be absent so you can use the SEQWRAP
modifier in those cases.

S/MIME Capabilities is used in S/MIME messages so you could use the cms
printing options to examine it and compare with your result.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
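
The structural point in the reply above, as an added example that is not part of the original thread or of OpenSSL: a small DER walker that accepts an SMIMECapabilities value only when every element is itself a SEQUENCE starting with an OBJECT IDENTIFIER. The function names and the two sample encodings are constructed for illustration.

```python
def tlv(tag, body):
    # Short-form DER length only: enough for the small samples below (< 128 bytes).
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + n > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + n], pos + n

def dec_oid(body):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, v = [], 0
    for b in body:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def check_smime_caps(der):
    """Return the capability OIDs; raise ValueError if the structure is wrong."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("value is not a single SEQUENCE")
    caps, pos = [], 0
    while pos < len(body):
        tag, cap, pos = read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("element tag 0x%02x is not SEQUENCE" % tag)
        otag, oid, _ = read_tlv(cap, 0)  # optional parameters after the OID are ignored
        if otag != 0x06 or not oid:
            raise ValueError("capabilityID is not an OID")
        caps.append(dec_oid(oid))
    return caps

# Constructed samples: DER for sha1 (1.3.14.3.2.26) and aes-256-cbc (2.16.840.1.101.3.4.1.42)
SHA1, AES256_CBC = bytes.fromhex("06052b0e03021a"), bytes.fromhex("060960864801650304012a")
FLAT = tlv(0x30, SHA1 + AES256_CBC)  # flat SEQUENCE of OIDs, as in the question
WRAPPED = tlv(0x30, tlv(0x30, SHA1) + tlv(0x30, AES256_CBC))  # each OID in its own SEQUENCE
```

`check_smime_caps(WRAPPED)` returns the two dotted OIDs, while `check_smime_caps(FLAT)` raises because its first element has tag 0x06 rather than 0x30.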