RE: Adding a custom extension to a CSR

2013-12-08 Thread Danyk
I will run a debugger, but this is how I freed:

ASN1_OCTET_STRING_free(os1);
ASN1_PRINTABLESTRING_free(tmp_os);
ASN1_INTEGER_free(int1);

X509_REQ_add_extensions(x, st_exts);





--
View this message in context: 
http://openssl.6102.n7.nabble.com/Adding-a-custom-extension-to-a-CSR-tp47446p47601.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List    openssl-users@openssl.org
Automated List Manager   majord...@openssl.org


RE: Adding a custom extension to a CSR

2013-12-04 Thread Danyk

I used this, and it seems to work great (parsed it with ASN1):

/* obj1, obj2: ASN1_OBJECT * for the two custom OIDs (OBJ_create/OBJ_nid2obj, as in the earlier post) */
STACK_OF(X509_EXTENSION) *st_exts = sk_X509_EXTENSION_new_null();
X509_REQ *x;
ASN1_INTEGER *int1;
ASN1_PRINTABLESTRING *tmp_os;
ASN1_OCTET_STRING *os1, *os2;
int n;

/* add INTEGER EXT */
int1 = ASN1_INTEGER_new();
ASN1_INTEGER_set(int1, 1);

os1 = M_ASN1_OCTET_STRING_new();
os1->data = NULL;

/* i2d with a NULL *pp allocates the buffer and stores it in os1->data */
n = i2d_ASN1_INTEGER(int1, &os1->data);
os1->length = n;

sk_X509_EXTENSION_push(st_exts, X509_EXTENSION_create_by_OBJ(NULL, obj1, 0, os1));

/* add PRINTABLESTRING EXT */
tmp_os = M_ASN1_PRINTABLESTRING_new();
tmp_os->type = V_ASN1_PRINTABLESTRING;

ASN1_STRING_set(tmp_os, (const unsigned char *)"TEST", 4);

os2 = M_ASN1_OCTET_STRING_new();
os2->data = NULL;

n = i2d_ASN1_PRINTABLESTRING(tmp_os, &os2->data);
os2->length = n;

/* add to the extension stack */
sk_X509_EXTENSION_push(st_exts, X509_EXTENSION_create_by_OBJ(NULL, obj2, 0, os2));

/* Now we've created the extensions we add them to the request */
X509_REQ_add_extensions(x, st_exts);

I freed all the ASN1 structs at the end...
Did I add the extension the way you meant? Do I need to free anything else?
   





RE: Adding a custom extension to a CSR

2013-12-04 Thread Dave Thompson
> From: owner-openssl-users On Behalf Of Danyk
> Sent: Wednesday, December 04, 2013 12:26

> I used this, and it seems to work great (parsed it with ASN1):
>
> st_exts = sk_X509_EXTENSION_new_null();
> X509_REQ *x;
>
> /* add INTEGER EXT */
> int1 = ASN1_INTEGER_new();
> ASN1_INTEGER_set(int1, 1);
>
> os1 = M_ASN1_OCTET_STRING_new();
> os1->data = NULL;
>
> n = i2d_ASN1_INTEGER(int1, &os1->data);
> os1->length = n;
>
That's clever. That uses the pointer and length in the OCTET_STRING 
object directly, instead of separate variables as I did. But it produces 
the same result, which is what matters.

> sk_X509_EXTENSION_push(st_exts,
>     X509_EXTENSION_create_by_OBJ(NULL, obj1, 0, os1));
>
<snip rest>
> I freed all the ASN1 structs at the end...
> Did I add the extension the way you meant? Do I need to free anything
> else?
>
Close enough. Assuming you freed with the ASN1_xxx_free routines 
(not direct OPENSSL_free) I think that should get everything, although 
personally I would run through a malloc debugger like valgrind and 
let it check. Computers are better at that than humans.




RE: Adding a custom extension to a CSR

2013-12-03 Thread Danyk
> Almost. If the actual value is not OCTET STRING, change the type created
> in the first two (or whatever) lines, and i2d'ed in the fourth line.
> And OPENSSL_free the pointer allocated here (d) after you're
> done with that memory.

I need to add an INTEGER extension and a PRINTABLESTRING extension.
I tried following your instructions, and used an example from this forum, but
still get rubbish.
  
//1) create the integer and populate it:

nid = OBJ_create("1.3.6.1.4.1.12345", "EndEntityType", "EndEntityType");
ASN1_OBJECT *obj = OBJ_nid2obj(nid);

ASN1_INTEGER *int1 = ASN1_INTEGER_new();
ASN1_INTEGER_set(int1, 1);

//2) figure out the length it would take when converted from
//   internal into der/asn1 wire encoding:

int n = i2d_ASN1_INTEGER(int1, NULL);

//3) Ensure we have the needed space for that:

ASN1_OCTET_STRING data1;
data1.data = malloc(n);
data1.length = n;

//4) Fill out the ASN1 string by translating it again - this time
//   into the buffer.

unsigned char *p = M_ASN1_STRING_data(&data1);
i2d_ASN1_INTEGER(int1, &p);

//5) add to the extension stack.

sk_X509_EXTENSION_push(st_exts, X509_EXTENSION_create_by_OBJ(NULL, obj, 0, &data1));

What is wrong with this?





RE: Adding a custom extension to a CSR

2013-12-03 Thread Dave Thompson
> From: owner-openssl-users On Behalf Of Danyk
> Sent: Tuesday, December 03, 2013 12:35

> > Almost. If the actual value is not OCTET STRING, change the type created
> > in the first two (or whatever) lines, and i2d'ed in the fourth line.
> > And OPENSSL_free the pointer allocated here (d) after you're
> > done with that memory.
>
> I need to add an INTEGER extension and a PRINTABLESTRING extension.
> I tried following your instructions, and used an example from this forum,
> but still get rubbish.
>
> //1) create the integer and populate it:
>
> nid = OBJ_create("1.3.6.1.4.1.12345", "EndEntityType", "EndEntityType");
> ASN1_OBJECT *obj = OBJ_nid2obj(nid);
>
> ASN1_INTEGER *int1 = ASN1_INTEGER_new();
> ASN1_INTEGER_set(int1, 1);
>
> //2) figure out the length it would take when converted from
> //   internal into der/asn1 wire encoding:
>
> int n = i2d_ASN1_INTEGER(int1, NULL);
>
You don't *need* to precompute the length, allocate memory, 
and then use it. For about 10 years i2d_* will allocate for you,
as you had in your 11/28 post. But if you want the harder way:

> //3) Ensure we have the needed space for that:
>
> ASN1_OCTET_STRING data1;
> data1.data = malloc(n);
> data1.length = n;
>
That leaves .type and .flags uninitialized, and depending on your C implementation
and the rest of your code probably garbage. It appears for this particular code
you don't actually need those fields, but it's very imprudent to depend on that.
Either set them explicitly, or at least fill (usually memset) the whole struct to 0
before using it so you don't get 'Heisenbugs'. And in real code you should check
for malloc failure (returned null) before using it.

> //4) Fill out the ASN1 string by translating it again - this time
> //   into the buffer.
>
> unsigned char *p = M_ASN1_STRING_data(&data1);
> i2d_ASN1_INTEGER(int1, &p);
>
It's confusing to set fields explicitly but use a macro to get one. 
You've already 'broken' the (weak) encapsulation, just use data1.data.

Alternatively and arguably cleaner do something like:
  int len = i2d_type (value, NULL);
  unsigned char * buf = malloc (len), * ptr = buf;
  i2d_type (value, &ptr);   /* ptr is advanced past the encoding; keep using buf */
  ASN1_OCTET_STRING * encoded = ASN1_OCTET_STRING_new ();
  ASN1_OCTET_STRING_set (encoded, buf, len);
  free (buf);
  // use encoded for the extension value

or as above let i2d do allocation for you:
  unsigned char *buf = NULL;
  int len = i2d_type (value, &buf);
  // set the OCTET_STRING as above
  OPENSSL_free (buf);

> //5) add to the extension stack.
>
> sk_X509_EXTENSION_push(st_exts,
>     X509_EXTENSION_create_by_OBJ(NULL, obj, 0, &data1));
>
> What is wrong with this?
>
Except as above, nothing. (Assuming of course you then put st_exts in the req,
but you showed that correct before.) Code almost equivalent to this works for me,
with the only significant differences that I use the config file for the new OID
(so the name is available at display) and I create EXTN by_NID instead of by_OBJ.
(ISTR you had that also, but I'd have to go back and search for it.)

What do you mean by rubbish? Post an asn1parse (or a PEM) and say
what you think is wrong in it.





RE: Adding a custom extension to a CSR

2013-11-30 Thread Dave Thompson
> From: owner-openssl-users On Behalf Of Danyk
> Sent: Thursday, November 28, 2013 09:28

> I'd rather not use the openssl config file, and stick with APIs.
>
> > is it really an octet string containing one ASCII character 5?
> No, it was just a simple example; the real values are PRINTABLESTRING
> and INTEGER.
>
> Is that what you meant:
>
> ASN1_OCTET_STRING *os = ASN1_OCTET_STRING_new();
> ASN1_OCTET_STRING_set( os, "ABC test", 8 );
> unsigned char *d = NULL;
> int dlen = i2d_ASN1_OCTET_STRING( os, &d );
> ASN1_OCTET_STRING *os2 = ASN1_OCTET_STRING_new();
> ASN1_OCTET_STRING_set( os2, d, dlen );
>
Almost. If the actual value is not OCTET STRING, change the type created 
in the first two (or whatever) lines, and i2d'ed in the fourth line.
And OPENSSL_free the pointer allocated here (d) after you're 
done with that memory.

> 'Cause I still get rubbish...

If you mean the display by 'req -text', or 'x509 -text' for a cert,
those don't know how to format extensions not implemented by
the openssl library, and by default use a simple dump format.
Try using req -reqopt which is not documented but functions
the same as x509 -certopt which is.
Or you can see the offset and DER (up to some limit IIRC) in hex
for all extensions with asn1parse, and then decode a particular
value with asn1parse -strparse (except IMPLICIT tags I guess).

> Is there an example of how to add such a custom extension to a CSR?
>
You have the basic logic above (followed by EXT_create_by_NID/OBJ
or equivalent, adding to a STACK_OF(X509_EXTENSION), and putting in
the X509_REQ as you already had). Most of the complexity normally 
is in handling the value(s) in the value type, especially since more 
recent standard extensions tend to be structures with many fields, 
of different types, often OPTIONAL or CHOICE, sometimes nested.





RE: Adding a custom extension to a CSR

2013-11-30 Thread Dave Thompson
> From: owner-openssl-users On Behalf Of redpath
> Sent: Friday, November 29, 2013 09:42
> To: openssl-users@openssl.org
> Subject: *** Spam *** RE: Adding a custom extension to a CSR
>
> Sample abstract code, you should see this extension in your x509 when
> you use the openssl x509 -in mycsr -text
>
> You have to register an OID, I just picked one at random.
>
>
> os  = ASN1_OCTET_STRING_new();
> nid = OBJ_create("1.3.18.0.2.10.8", "myalias", "myaliasname");
> ASN1_OCTET_STRING_set(os, "ABC test", 8);
> ret = X509_EXTENSION_create_by_NID( NULL, nid, 0, os );
> X509_add_ext(x, ret, -1);
>
This actually does a cert (X509) not a CSR (X509_REQ) as asked,
but the difference is small, and the OP had that part right already.
More importantly, this does not create an extension value that 
contains a DER encoding, as required by X.509 and RFC 5280.
Some programs may not notice the error: openssl req -text 
and x509 -text don't by default, but ext_parse does; and some 
(many?) other programs won't even look at an unknown 
extension's value. But any program that actually wants
this extension, which the OP is presumably accommodating,
will probably be unable to use it.





RE: Adding a custom extension to a CSR

2013-11-29 Thread redpath
Sample abstract code, you should see this extension in your x509 when you
use the openssl x509 -in mycsr -text

You have to register an OID, I just picked one at random.


os  = ASN1_OCTET_STRING_new();
nid = OBJ_create("1.3.18.0.2.10.8", "myalias", "myaliasname");
ASN1_OCTET_STRING_set(os, "ABC test", 8);
ret = X509_EXTENSION_create_by_NID( NULL, nid, 0, os );
X509_add_ext(x, ret, -1);

Hope this helps.





RE: Adding a custom extension to a CSR

2013-11-28 Thread Danyk
I'd rather not use the openssl config file, and stick with APIs.

> is it really an octet string containing one ASCII character 5?
No, it was just a simple example; the real values are PRINTABLESTRING and
INTEGER.

Is that what you meant:

ASN1_OCTET_STRING *os = ASN1_OCTET_STRING_new();
ASN1_OCTET_STRING_set( os, "ABC test", 8 );
unsigned char *d = NULL;
int dlen = i2d_ASN1_OCTET_STRING( os, &d );
ASN1_OCTET_STRING *os2 = ASN1_OCTET_STRING_new();
ASN1_OCTET_STRING_set( os2, d, dlen );

'Cause I still get rubbish...
Is there an example of how to add such a custom extension to a CSR?





RE: Adding a custom extension to a CSR

2013-11-26 Thread Danyk

I am not using the openssl command line, I have to use the APIs (the
openssl.cnf is not used/parsed when using APIs, right?)

Regarding "the value in an extension is an OCTET STRING containing
the DER of the value, not the value itself": so basically, do I need to convert
the string to DER encoding?

I tried :
ASN1_OCTET_STRING *os = ASN1_OCTET_STRING_new();
unsigned char *d = "5";
int dlen = i2d_ASN1_OCTET_STRING( os, &d );
ASN1_OCTET_STRING_set( os, d, dlen );
extension = X509_EXTENSION_create_by_NID( NULL, nid, 0, os );

but I get rubbish (space between the OID and the value):
  1.3.6.1.4.1.19718.1000.1.2.2:
.
5

Am I using the correct API (i2d_ASN1_OCTET_STRING / i2d_ASN1_INTEGER)?
What am I missing?






RE: Adding a custom extension to a CSR

2013-11-26 Thread Dave Thompson
> From: owner-openssl-users On Behalf Of Danyk
> Sent: Tuesday, November 26, 2013 06:07

> I am not using the openssl command line, I have to use the APIs (the
> openssl.cnf is not used/parsed when using APIs, right?)
>
Mostly up to you. If you call the simple wrapper OPENSSL_config(), 
or the more detailed NCONF_ and CONF_ routines, it uses a config file,
which you can select to be default openssl.cnf or another one.
(There is also an option to automatically OPENSSL_config when you call 
OPENSSL_add_all_algorithms, which is rather a kludge. See CHANGES for
0.9.7.)

> Regarding "the value in an extension is an OCTET STRING containing
> the DER of the value, not the value itself": so basically, do I need to
> convert the string to DER encoding?
>
> I tried :
> ASN1_OCTET_STRING *os = ASN1_OCTET_STRING_new();
> unsigned char *d = "5";
> int dlen = i2d_ASN1_OCTET_STRING( os, &d );
> ASN1_OCTET_STRING_set( os, d, dlen );
> extension = X509_EXTENSION_create_by_NID( NULL, nid, 0, os );
>
> but I get rubbish (space between the OID and the value):
>   1.3.6.1.4.1.19718.1000.1.2.2:
> .
> 5
>
> Am I using the correct API (i2d_ASN1_OCTET_STRING / i2d_ASN1_INTEGER)?
> What am I missing?
>
That's not valid C. You're overwriting a string literal (and with a useless 
value). On some C implementations you're lucky and that will crash. 
As it is you apparently got confusing garbage from nearby memory.

You need to first get the value in its correct type -- is it really an 
octet string containing one ASCII character 5? That's not impossible,
but character data in ASN.1 is usually represented in one of its several 
character string types; PrintableString and UTF-8 are IME the most 
common. If this extension is for interoperation with any other system(s),
you need to agree the ASN.1 type(s) with them. If you're creating it 
for your own use, pick what you want -- but if it's for your own use 
including your own CA you could do at CA issue instead of in CSR.

Then you must either get enough buffer space and i2d the value into it -- 
using a temporary pointer whose value you *don't* use subsequently -- 
or pass a pointer to an initially null pointer, which openssl will auto
allocate and you must OPENSSL_free when done. If you want to manage 
yourself, you can call i2d with a null pointer (to pointer) to compute the 
space needed, allocate that, use it, and then free it when done.
man i2d_X509 explains the basic API used by all i2d and d2i routines,
along with X509 (cert) specifics you should ignore here.


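The i2d pointer convention and the "OCTET STRING containing the DER of the value" rule Dave explains above, as an added self-contained C example that is neither OpenSSL's code nor code from this thread: der_tlv, i2d_small_integer, integer_ext_value and ext_value_is_der_wrapped are hypothetical helpers that mimic the i2d_X509(3) behaviour for short-form DER, so the program runs without libcrypto. With the real library the same steps are i2d_ASN1_INTEGER into a buffer, ASN1_OCTET_STRING_set on that buffer, and X509_EXTENSION_create_by_NID/OBJ.

```c
#include <stdlib.h>
#include <string.h>

/* Model of OpenSSL's i2d_* pointer convention (see i2d_X509(3)): pp == NULL
 * returns only the length; *pp == NULL makes the function allocate; otherwise
 * the bytes go to *pp and *pp is advanced past them. Short-form lengths only. */
int der_tlv(unsigned char tag, const unsigned char *val, int len,
            unsigned char **pp)
{
    unsigned char *p;
    if (len < 0 || len > 127) return -1;
    if (pp == NULL) return 2 + len;
    if (*pp == NULL) {
        if ((*pp = p = malloc(2 + len)) == NULL) return -1;
    } else {
        p = *pp;
        *pp += 2 + len;             /* the caller's pointer moves: pass a copy */
    }
    p[0] = tag; p[1] = (unsigned char)len;
    memcpy(p + 2, val, len);
    return 2 + len;
}

/* DER INTEGER for 0 <= v <= 0x7fffffff: minimal big-endian bytes, with a
 * leading 0x00 when the top bit is set so the value is not read as negative.
 * A PrintableString is the same der_tlv call with tag 0x13 and the raw text. */
int i2d_small_integer(long v, unsigned char **pp)
{
    unsigned char buf[5];
    unsigned long u = (unsigned long)v;
    int n = 0;
    if (v < 0 || v > 0x7fffffffL) return -1;
    do { buf[4 - n++] = (unsigned char)(u & 0xff); u >>= 8; } while (u);
    if (buf[5 - n] & 0x80) buf[5 - ++n] = 0;
    return der_tlv(0x02, buf + 5 - n, n, pp);
}

/* extnValue = OCTET STRING { DER(value) }. The encode step uses the
 * caller-managed two-call form with the throwaway 'ptr' that i2d advances
 * ('buf', not 'ptr', is freed); the wrapper uses the auto-allocating form,
 * so *out is NULL on entry and the caller frees it when done. */
int integer_ext_value(long v, unsigned char **out)
{
    int len = i2d_small_integer(v, NULL), total;
    unsigned char *buf, *ptr;
    if (len < 0 || (buf = malloc(len)) == NULL) return -1;
    ptr = buf;
    i2d_small_integer(v, &ptr);     /* ptr == buf + len afterwards */
    total = der_tlv(0x04, buf, len, out);
    free(buf);                      /* OPENSSL_free() with the real library */
    return total;
}

/* Check a finished extnValue: the OCTET STRING body must be exactly one DER
 * TLV (what 'asn1parse -strparse' needs). A raw value stored directly fails. */
int ext_value_is_der_wrapped(const unsigned char *ev, int len)
{
    if (len < 4 || ev[0] != 0x04 || ev[1] != len - 2) return 0;
    return ev[3] == len - 4;
}
```

The check accepts the wrapped INTEGER (04 03 02 01 01 for the value 1) but rejects an extnValue built from the raw bytes "ABC test", which is what redpath's snippet produces.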


RE: Adding a custom extension to a CSR

2013-11-25 Thread Dave Thompson
> From: owner-openssl-users On Behalf Of Danyk
> Sent: Monday, November 25, 2013 07:26

> I'm trying to add a custom Extension to a CSR using openssl APIs:
>
I assume you know 'req' can be configured to create custom extensions 
(if a bit clumsily) but you have reasons for coding it yourself instead.

> struct stack_st_X509_EXTENSION *exts = NULL;
> X509_EXTENSION *ex;
> exts = sk_X509_EXTENSION_new_null();
> ASN1_OCTET_STRING *os = ASN1_OCTET_STRING_new();
> nid = OBJ_create("1.3.6.1.4.1.12345", "End Entry Type", "My End Entry Type");
> ASN1_OCTET_STRING_set(os, (unsigned char *)"critical,5", strlen("critical,5"));

Bad value, see below.

> ex = X509_EXTENSION_create_by_NID( NULL, nid, 0, os );
> sk_X509_EXTENSION_push(exts, ex);
> X509_REQ_add_extensions(x, exts);
>
> When I parse the CSR I see that the extension displayed is actually the
> OID, and not the extension name:
>
> X509v3 extensions:
> 1.3.6.1.4.1.12345:
> critical,5
>
> Am I adding the extension in the correct way?
> Should I change some setting in the openssl.cnf?
> How can I insert the extension name "End Entry Type" instead of the OID
> 1.3.6.1.4.1.12345?
>
You can't put the name in the actual CSR (or cert or CRL) extension.
The extension uses the OID, that's how extensions work.
You need the program that parses and displays to map OID to name
the same way your creator program did. If you are using commandline
'req' that, like all commandlines now but not before 1.0.0 IIRC, uses
the 'modules' part of the config file which includes oid_section.
Thus putting your OID(s) in the section named by oid_section (which in
the distro version is [new_oids]) should work. For any other program,
it may depend on the program. Having put your OID(s) in a config file,
you could then use that config file in your program and not need to
explicitly OBJ_create.

You don't want the string "critical,5" as the value. When you use a
value like "critical,whatever" in a config file, openssl actually sets
the critical flag and parses "whatever" for the value. It is the flag
cert users should use, if your CSR extension ends up in a cert.
Also, the value in an extension is an OCTET STRING containing
the DER of the value, not the value itself. The openssl config routines
do this for you, but if you're coding it yourself you need to do it
yourself.


