[openssl-users] OpenSSL LogoType extension ASN1 encoding

Valentin Bud valentin.bud at gmail.com
Sun Jan 18 10:13:08 UTC 2015 

Hello everyone,

I am trying to add the logotype extension to certificates under
a private CA I am taking care of. The CA is built using OpenVPN's
Easy-RSA 3 tool, though I think that doesn't matter in this
situation.

I have some questions regarding this matter. Before digging into
details I will tell you the problem I want to solve. I have multiple
different logos.

Searching the Internet I have found an E-Mail from November 2010 [1].
Based on that information I have reached to the following snippet
of configuration:

cat ./exts

# Logos
1.3.6.1.5.5.7.1.12              = ASN1:SEQUENCE:logotype_ext

[logotype_ext]
issuerLogo=EXPLICIT:1,IMPLICIT:1,SEQUENCE:logotype_indirect

[logotype_indirect]
refStructHash=SEQWRAP,SEQUENCE:HashAlgAndValue
refStructURI=SEQWRAP,SEQUENCE:IA5String:http://logos.example.org/logo0.png

[HashAlgAndValue]
hashAlg=SEQUENCE:logo_algid
hashValue=FORMAT:HEX,OCTETSTRING:9c2c672338e1a6615ccfa78097c0ed8681e3335d

[logo_algid]
capabilityID = OID:sha1
parameter = NULL

I receive the following error when I try to issue a certificate using
openssl.
The same when I use the easyrsa wrapper script.

$ openssl ca -in 10.req -out 10.crt -config openssl-1.0.cnf -extfile exts
-days 3650 -batch

Using configuration from openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
organizationName      :ASN.1 12:'10'
organizationalUnitName:ASN.1 12:'Cortex AG Trust Network'
organizationalUnitName:ASN.1 12:'(c) Cortex AG - For authorized use only!'
commonName            :ASN.1 12:'Cortex AG Root Certification Authority'
ERROR: adding extensions in section default
6987:error:22074074:X509 V3 routines:V3_GENERIC_EXTENSION:extension value
error:/SourceCache/OpenSSL098/OpenSSL098-52/src/crypto/x509v3/v3_conf.c:282:value=SEQUENCE:logotype_ext

I have tried changing SEQWRAP with SEQUENCE and also variations I have
found in [1]. None of them worked.

Can someone please tell me what am I doing wrong. Also I have a couple of
logos I want to add to the certificate. How would I encode that in
openssl.cnf?

[1]: http://openssl.6102.n7.nabble.com/Logotype-encoding-td15882.html

Thank you,
Valentin Bud
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150118/aa2c1feb/attachment-0001.html>

More information about the openssl-users mailing list