Re: Question about custom X509 extensions
Thank you both for your helpful comments, I used i2d_ASN1_OCTET_STRING now before including the data into the certificate. Is there any way to tell the OpenSSL x509 command line tool to display these in a hex representation so they are human readable when we'd like to inspect a certificate?

Cheers,
Chris

On 06/08/2010 02:06 PM, Dr. Stephen Henson wrote:
> On Tue, Jun 08, 2010, Bruce Stephens wrote:
>
>> decoder writes:
>>
>> [...]
>>
>>> Ok, so what I am currently doing is something like
>>>
>>>     asndata = ASN1_OCTET_STRING_new();
>>>     ASN1_OCTET_STRING_set(asndata, myData, myLength);
>>>
>>> and then I add asndata to an extension I create:
>>>
>>>     ex = X509_EXTENSION_create_by_NID( NULL, nid, 0, asndata );
>>>
>>> In the one case, myData was the hex encoded data, in the other case it
>>> was my raw binary data.
>>>
>>> Is the DER encoding included here and if not, how can I add it for the
>>> raw data?
>>
>> I think it's not. OpenSSL seems fine with the result, though, so
>> perhaps you'll be OK.
>
> OpenSSL is fine with including raw data in an extension but it is technically
> illegal so adding an encoded OCTET STRING in there is advisable.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
Re: Question about custom X509 extensions
On Tue, Jun 08, 2010, Bruce Stephens wrote:
> decoder writes:
>
> [...]
>
> > Ok, so what I am currently doing is something like
> >
> >     asndata = ASN1_OCTET_STRING_new();
> >     ASN1_OCTET_STRING_set(asndata, myData, myLength);
> >
> > and then I add asndata to an extension I create:
> >
> >     ex = X509_EXTENSION_create_by_NID( NULL, nid, 0, asndata );
> >
> > In the one case, myData was the hex encoded data, in the other case it
> > was my raw binary data.
> >
> > Is the DER encoding included here and if not, how can I add it for the
> > raw data?
>
> I think it's not. OpenSSL seems fine with the result, though, so
> perhaps you'll be OK.

OpenSSL is fine with including raw data in an extension but it is technically illegal so adding an encoded OCTET STRING in there is advisable.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Question about custom X509 extensions
decoder writes:

[...]

> Ok, so what I am currently doing is something like
>
>     asndata = ASN1_OCTET_STRING_new();
>     ASN1_OCTET_STRING_set(asndata, myData, myLength);
>
> and then I add asndata to an extension I create:
>
>     ex = X509_EXTENSION_create_by_NID( NULL, nid, 0, asndata );
>
> In the one case, myData was the hex encoded data, in the other case it
> was my raw binary data.
>
> Is the DER encoding included here and if not, how can I add it for the
> raw data?

I think it's not. OpenSSL seems fine with the result, though, so perhaps you'll be OK.

If you want to add in the extra layer, encode asndata using i2d_OCTET_STRING() then put the result of *that* into an ASN1_OCTET_STRING and pass the resulting ASN1_OCTET_STRING into X509_EXTENSION_create_by_NID().
Re: Question about custom X509 extensions
Hi,

> Hex encoding surely ought to increase the size by a factor of exactly 2?
> (Plus a few bytes for the tag and length.)

2 is correct without the colon but the OpenSSL function I use adds them. Of course you are right, it would be possible with 2 :)

> An extension has an OID, a criticality flag, and a value. The value is
> an OCTET STRING containing the DER encoding of some ASN.1 type (defined
> by the extension). For a private extension you can stick any type in
> there you choose. An obvious choice for a binary blob is OCTET STRING.
>
> (It's probably not safe to stick any binary blob directly in the
> extnValue OCTET STRING, since processors (like OpenSSL) probably assume
> they can decode the value as DER even if they can't do much with it.)

Ok, so what I am currently doing is something like

    asndata = ASN1_OCTET_STRING_new();
    ASN1_OCTET_STRING_set(asndata, myData, myLength);

and then I add asndata to an extension I create:

    ex = X509_EXTENSION_create_by_NID( NULL, nid, 0, asndata );

In the one case, myData was the hex encoded data, in the other case it was my raw binary data.

Is the DER encoding included here and if not, how can I add it for the raw data?

Thank you very much,
Chris
Re: Question about custom X509 extensions
decoder writes:

[...]

> Now the problem is that I am almost hitting the maximum size of the
> certificate (the practical limit seems to be around 15-16 kb) and I'd
> like to know if hex encoding is really necessary or if I can simply
> include the data directly without violating any standards (as the hex
> encoding bloats the data by a factor of ~3).

Hex encoding surely ought to increase the size by a factor of exactly 2? (Plus a few bytes for the tag and length.)

An extension has an OID, a criticality flag, and a value. The value is an OCTET STRING containing the DER encoding of some ASN.1 type (defined by the extension). For a private extension you can stick any type in there you choose. An obvious choice for a binary blob is OCTET STRING.

(It's probably not safe to stick any binary blob directly in the extnValue OCTET STRING, since processors (like OpenSSL) probably assume they can decode the value as DER even if they can't do much with it.)
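The layering Bruce describes here and in his later reply (raw blob -> DER OCTET STRING -> extnValue), shown as an added example that is not code from the thread or from OpenSSL: a small libcrypto-free DER OCTET STRING encoder/decoder that wraps a constructed 300-byte blob the way i2d_ASN1_OCTET_STRING would, parses the extnValue back as a consumer does, and compares the size with the "AB:CD:EF" form that i2s_ASN1_OCTET_STRING prints. All function names and the sample data are assumptions made for this example.

```c
/* Added example, not code from the thread or from OpenSSL: a libcrypto-free
 * DER OCTET STRING encoder/decoder that shows the extnValue layering above. */
#include <stddef.h>
#include <string.h>
/* Encode `in` as a DER OCTET STRING (tag 0x04, minimal length form) into `out`;
 * returns the encoded length, or 0 if `out` is too small or inlen >= 64 KiB. */
size_t der_octet_string(const unsigned char *in, size_t inlen, unsigned char *out, size_t outcap)
{
    size_t hdr = inlen < 128 ? 2 : inlen < 256 ? 3 : inlen < 65536 ? 4 : 0;
    if (hdr == 0 || outcap < hdr + inlen) return 0;
    out[0] = 0x04;
    if (hdr == 2) out[1] = (unsigned char)inlen;
    else if (hdr == 3) { out[1] = 0x81; out[2] = (unsigned char)inlen; }
    else { out[1] = 0x82; out[2] = (unsigned char)(inlen >> 8); out[3] = (unsigned char)inlen; }
    memcpy(out + hdr, in, inlen);
    return hdr + inlen;
}

/* Parse a DER OCTET STRING that must fill `in` exactly, as a consumer does with
 * extnValue; returns the payload length and sets *payload, or -1 when `in` is not
 * valid DER (e.g. a raw blob stored without the wrapper Steve recommends). */
long der_octet_string_payload(const unsigned char *in, size_t inlen, const unsigned char **payload)
{
    size_t len, hdr;
    if (inlen < 2 || in[0] != 0x04) return -1;
    if (in[1] < 0x80) { len = in[1]; hdr = 2; }
    else if (in[1] == 0x81 && inlen >= 3 && in[2] >= 128) { len = in[2]; hdr = 3; }
    else if (in[1] == 0x82 && inlen >= 4 && in[2] != 0) { len = ((size_t)in[2] << 8) | in[3]; hdr = 4; }
    else return -1;              /* indefinite or non-minimal length: not DER */
    if (hdr + len != inlen) return -1;
    *payload = in + hdr;
    return (long)len;
}

/* Length of the same blob as i2s_ASN1_OCTET_STRING prints it ("AB:CD:EF"):
 * three characters per byte minus the final colon, Chris's "factor of ~3". */
size_t hex_colon_len(size_t n) { return n ? 3 * n - 1 : 0; }
/* Wrap a constructed 300-byte blob as the thread advises (raw -> DER OCTET STRING,
 * held as the extnValue octets), then parse it back. Returns 1 on success. */
int round_trip_example(void)
{
    unsigned char raw[300], extn_value[310];
    const unsigned char *got; size_t i, n;
    for (i = 0; i < sizeof raw; i++) raw[i] = (unsigned char)(i * 7);  /* constructed data */
    n = der_octet_string(raw, sizeof raw, extn_value, sizeof extn_value);
    if (n != 304) return 0;      /* 04 82 01 2C + 300 bytes: ~1% overhead, not 2x */
    if (der_octet_string_payload(extn_value, n, &got) != 300) return 0;
    return memcmp(got, raw, 300) == 0;
}
```

The 300-byte case exercises the two-byte long-form length, which is what a blob of the size discussed in the thread needs; the decoder rejects a bare blob or a non-minimal length, which is the failure a DER-assuming consumer would hit.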
Question about custom X509 extensions
Hello,

I am currently developing an application that stores custom data in the X509 client certificate. Some of this data is binary and I managed to store it in a custom extension. Initially, I encoded this data using i2s_ASN1_OCTET_STRING() to obtain a hex encoded version. When viewing the certificate, everything is fine. Later on I found out that it is even possible to include the binary data directly without hex encoding (and the openssl x509 command line tool simply prints non-printable characters as '.').

Now the problem is that I am almost hitting the maximum size of the certificate (the practical limit seems to be around 15-16 kb) and I'd like to know if hex encoding is really necessary or if I can simply include the data directly without violating any standards (as the hex encoding bloats the data by a factor of ~3).

Thanks in advance and best regards,
Chris