On Thu, May 10, 2012, Dirk-Willem van Gulik wrote:

> Folks,
> 
> Struggling with x509v3 extensions from a programmatic interface. Found that 
> simply stuffing ascii strings into an extension works fine:
> 
>         int nid2 = OBJ_create("1.3.6.1.4.1.2692.99.2", "geoLon", "Longitude(WGS84) of device calculating CSR");
>         ASN1_OBJECT* obj2 = OBJ_nid2obj(nid2);
> 
>         ASN1_OCTET_STRING* data2 = ASN1_OCTET_STRING_new();
>         ASN1_OCTET_STRING_set(data2, "-122.023828", -1);
>         
>         sk_X509_EXTENSION_push(exts, X509_EXTENSION_create_by_OBJ(NULL, obj2, 0, data2));
> 
> And gives me nicely:
> 
>        368:d=6  hl=2 l=  24 cons:       SEQUENCE
>        370:d=7  hl=2 l=   9 prim:        OBJECT            :1.3.6.1.4.1.2692.99.2
>        381:d=7  hl=2 l=  11 prim:        OCTET STRING      :-122.023828
> 
> The sort of output I'd expect. And easily process this in a CSR, get it 
> signed and all that.
> 
> But when I do the very same thing - but try to make that instead of a STRING
> something like an INTEGER or a binary sequence (e.g. an image), I am
> not seeing that picked up.
> 
> E.g:
> 
>         int nid1 = OBJ_create("1.3.6.1.4.1.2692.99.1", "geoLat", "Latitude(WGS84) of device calculating CSR");
>         ASN1_OBJECT* obj1 = OBJ_nid2obj(nid1);
>         
>         ASN1_INTEGER * data1 = ASN1_INTEGER_new();
>         ASN1_INTEGER_set(data1, 100);
>         
>         sk_X509_EXTENSION_push(exts, X509_EXTENSION_create_by_OBJ(NULL, obj1, 0, data1));
> 
> I see this also return an OCTET STRING:
> 
>        352:d=6  hl=2 l=  14 cons:       SEQUENCE
>        354:d=7  hl=2 l=   9 prim:        OBJECT            :1.3.6.1.4.1.2692.99.1
>        365:d=7  hl=2 l=   1 prim:        OCTET STRING      :d
> 
> Where am I going wrong? Specifically, I'd like to embed a very small image
> (containing a hard to forge noise pattern) and a few arbitrary IEEE floating
> point numbers in the CSR (i.e. in the part that gets signed by the pub-key of
> the CSR requester).

Although the parser tolerates it, you shouldn't place arbitrary data in an X509
extension; you should instead place the encoding of the extension.

So you'd use i2d_ASN1_OCTET_STRING or i2d_ASN1_INTEGER to generate the
encoding and use that as the content of the extension OCTET STRING.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
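The encoding Steve describes, as an added example that is not from this thread or from OpenSSL itself: a hand-rolled DER encoder that reproduces what i2d_ASN1_INTEGER and i2d_ASN1_OCTET_STRING emit for the values in the question, wraps that encoding in the extension's OCTET STRING, and checks the inner tag when the value is read back. It is pure C with no libcrypto dependency so that it runs stand-alone; the function names (der_integer, ext_value_for_integer, ext_value_wrong, inner_tag) are this example's own, while the OpenSSL calls named in the comments (i2d_ASN1_INTEGER, ASN1_OCTET_STRING_set, X509_EXTENSION_create_by_OBJ, d2i_ASN1_INTEGER) are the real ones the corrected program would use.

```c
/* Added example (not from the thread or from OpenSSL): hand-rolled DER so the
 * block runs without libcrypto. The encoders reproduce what i2d_ASN1_INTEGER and
 * i2d_ASN1_OCTET_STRING emit for the values in the question. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DER length field: short form below 0x80, long form otherwise. */
static size_t der_len(size_t n, uint8_t *out) {
    if (n < 0x80) { out[0] = (uint8_t)n; return 1; }
    uint8_t tmp[sizeof(size_t)];
    size_t k = 0;
    while (n) { tmp[k++] = (uint8_t)(n & 0xff); n >>= 8; }
    out[0] = (uint8_t)(0x80 | k);
    for (size_t i = 0; i < k; i++) out[1 + i] = tmp[k - 1 - i];
    return 1 + k;
}

/* Generic tag-length-value element; returns total bytes written. */
static size_t der_tlv(uint8_t tag, const uint8_t *content, size_t n, uint8_t *out) {
    size_t pos = 0;
    out[pos++] = tag;
    pos += der_len(n, out + pos);
    memcpy(out + pos, content, n);
    return pos + n;
}

/* DER INTEGER (tag 0x02) of a non-negative value: minimal big-endian bytes with a
 * leading 0x00 when the top bit is set. For 100 this is 02 01 64, which is what
 * i2d_ASN1_INTEGER returns for an ASN1_INTEGER set to 100. */
size_t der_integer(uint64_t v, uint8_t *out) {
    uint8_t le[9], content[9];
    size_t k = 0;
    do { le[k++] = (uint8_t)(v & 0xff); v >>= 8; } while (v);
    if (le[k - 1] & 0x80) le[k++] = 0x00;
    for (size_t i = 0; i < k; i++) content[i] = le[k - 1 - i];
    return der_tlv(0x02, content, k, out);
}

/* DER OCTET STRING (tag 0x04), as i2d_ASN1_OCTET_STRING produces it. */
size_t der_octet_string(const uint8_t *data, size_t n, uint8_t *out) {
    return der_tlv(0x04, data, n, out);
}

/* Correct extension value for an INTEGER: the extnValue OCTET STRING holds the DER
 * of the inner INTEGER. In OpenSSL: i2d_ASN1_INTEGER -> ASN1_OCTET_STRING_set ->
 * X509_EXTENSION_create_by_OBJ. For 100 the bytes are 04 03 02 01 64. */
size_t ext_value_for_integer(uint64_t v, uint8_t *out) {
    uint8_t inner[16];
    size_t n = der_integer(v, inner);
    return der_octet_string(inner, n, out);
}

/* Correct extension value for opaque bytes (an image, a float's raw bytes): an
 * OCTET STRING wrapping a DER OCTET STRING. Returns 0 if the demo buffer is too small. */
size_t ext_value_for_bytes(const uint8_t *data, size_t n, uint8_t *out) {
    uint8_t inner[256];
    if (n > sizeof inner - 4) return 0;
    return der_octet_string(inner, der_octet_string(data, n, inner), out);
}

/* The mistake in the thread: the ASN1_INTEGER's raw data buffer (one byte, 0x64, for
 * 100) was used directly as the extnValue content, so asn1parse showed ":d". */
size_t ext_value_wrong(uint8_t *out) {
    uint8_t raw[1] = { 0x64 };
    return der_octet_string(raw, sizeof raw, out);
}

/* Open the outer OCTET STRING and return the tag of the first inner element, or -1
 * if the outer element is malformed or not an OCTET STRING. A verifier would then
 * hand the inner bytes to d2i_ASN1_INTEGER / d2i_ASN1_OCTET_STRING. */
int inner_tag(const uint8_t *ext, size_t n) {
    if (n < 2 || ext[0] != 0x04) return -1;
    size_t hl = 2, len = ext[1];
    if (len & 0x80) {
        size_t k = len & 0x7f;
        if (k == 0 || k > sizeof(size_t) || 2 + k > n) return -1;
        len = 0;
        for (size_t i = 0; i < k; i++) len = (len << 8) | ext[2 + i];
        hl = 2 + k;
    }
    if (len == 0 || len > n - hl) return -1;
    return ext[hl];
}

static void hexdump(const char *label, const uint8_t *p, size_t n) {
    printf("%-20s", label);
    for (size_t i = 0; i < n; i++) printf("%02x ", p[i]);
    printf("  (inner tag %d)\n", inner_tag(p, n));
}

int main(void) {
    uint8_t buf[64];
    hexdump("INTEGER 100, right:", buf, ext_value_for_integer(100, buf));
    hexdump("INTEGER 100, wrong:", buf, ext_value_wrong(buf));
    hexdump("geoLon string:", buf, ext_value_for_bytes((const uint8_t *)"-122.023828", 11, buf));
    return 0;
}
```

Applied to the posted code, the fix is: call i2d_ASN1_INTEGER(data1, &der) with der initialised to NULL (OpenSSL allocates the buffer; release it with OPENSSL_free), pass der and the returned length to ASN1_OCTET_STRING_set on a fresh ASN1_OCTET_STRING, and hand that OCTET STRING to X509_EXTENSION_create_by_OBJ. The same double wrapping applies to the "-122.023828" case: it only looked right because asn1parse prints raw OCTET STRING content as text, and a relying party that calls d2i_ASN1_OCTET_STRING on the extension value would reject the bare bytes.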