[openssl-users] Programmatically add extension dirName to SAN in CSR
yosi izaq
izaqyos at gmail.com
Wed May 6 08:19:34 UTC 2015
Hi,
I'm trying to add extension dirName to SAN in CSR programmatically.
I started with the example code, mkreq.c, as basis.
I then added some code for adding extension dirName to SAN.
"
X509V3_CTX CTX;
X509V3_set_ctx_nodb(&CTX);
X509V3_set_ctx(&CTX, 0, 0, x, 0, 0);
X509V3_EXT_conf_nid(NULL, CTX, NID_subject_alt_name,
"dirName:/C=UK/CN=OpenSSL Group"));
"
After initializing X509_REQ *x;
The CSR is created. With SAN containing email but w/o dirName. I also added
error prints and getting:
"
mkreq() add DirName extenion
Got error: error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing
value
error code: 570904700 in
/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/x509v3/v3_alt.c line
433.
Got error: error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in
extension
error code: 571048064 in
/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/x509v3/v3_conf.c line
93.
error data: name=subjectAltName, value=digitalSignature,keyEncipherment
Got error: error:2208E094:X509 V3 routines:X509V3_get_section:operation not
defined
error code: 571007124 in
/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/x509v3/v3_conf.c line
400.
Got error: error:22090096:X509 V3 routines:DO_DIRNAME:section not found
error code: 571015318 in
/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/x509v3/v3_alt.c line
571.
error data: section=/C=UK/CN=OpenSSL Group
Got error: error:22075095:X509 V3 routines:v2i_GENERAL_NAME_ex:dirname
error
error code: 570904725 in
/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/x509v3/v3_alt.c line
495.
Got error: error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in
extension
error code: 571048064 in
/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/x509v3/v3_conf.c line
93.
error data: name=subjectAltName, value=dirName:/C=UK/CN=OpenSSL Group
"
Reading the manual I understand I'm not supposed to dirName as simple type
value pair (like DNS,IP etc) but rather "point to a section containing the
distinguished name to use as a set of name value pairs" (quote manual).
My question is whether my understanding is correct and if so how to perform
that programmatically.
Would greatly appreciate help on the matter.
Thanks!
Yosi
For reference, skeleton of source code I'm testing:
nt main(int argc, char **argv)
{
BIO *bio_err;
X509_REQ *req=NULL;
EVP_PKEY *pkey=NULL;
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
bio_err=BIO_new_fp(stderr, BIO_NOCLOSE);
//loadconf();
mkreq(&req,&pkey,512,0,365);
RSA_print_fp(stdout,pkey->pkey.rsa,0);
X509_REQ_print_fp(stdout,req);
PEM_write_X509_REQ(stdout,req);
X509_REQ_free(req);
EVP_PKEY_free(pkey);
#ifndef OPENSSL_NO_ENGINE
ENGINE_cleanup();
#endif
CRYPTO_cleanup_all_ex_data();
CRYPTO_mem_leaks(bio_err);
BIO_free(bio_err);
return(0);
}
int mkreq(X509_REQ **req, EVP_PKEY **pkeyp, int bits, int serial, int days)
{
printf("mkreq() called \n");
X509_REQ *x;
EVP_PKEY *pk;
RSA *rsa;
X509_NAME *name=NULL;
STACK_OF(X509_EXTENSION) *exts = NULL;
if ((pk=EVP_PKEY_new()) == NULL)
goto err;
if ((x=X509_REQ_new()) == NULL)
goto err;
rsa=RSA_generate_key(bits,RSA_F4,callback,NULL);
if (!EVP_PKEY_assign_RSA(pk,rsa))
goto err;
rsa=NULL;
X509_REQ_set_pubkey(x,pk);
name=X509_REQ_get_subject_name(x);
/* This function creates and adds the entry, working out the
* correct string type and performing checks on its length.
* Normally we'd check the return value for errors...
*/
X509_NAME_add_entry_by_txt(name,"C",
MBSTRING_ASC, "UK", -1, -1, 0);
X509_NAME_add_entry_by_txt(name,"CN",
MBSTRING_ASC, "OpenSSL Group", -1, -1, 0);
#ifdef REQUEST_EXTENSIONS
/* Certificate requests can contain extensions, which can be used
* to indicate the extensions the requestor would like added to
* their certificate. CAs might ignore them however or even choke
* if they are present.
*/
/* For request extensions they are all packed in a single attribute.
* We save them in a STACK and add them all at once later...
*/
exts = sk_X509_EXTENSION_new_null();
/* Standard extenions */
printf("mkreq() add 1st extenion \n");
add_ext(NULL, exts, NID_key_usage,
"critical,digitalSignature,keyEncipherment");
/* This is a typical use for request extensions: requesting a value for
* subject alternative name.
*/
printf("mkreq() add email extenion \n");
add_ext(NULL, exts, NID_subject_alt_name, "email:steve at openssl.org");
X509V3_CTX CTX;
X509V3_set_ctx_nodb(&CTX);
X509V3_set_ctx(&CTX, 0, 0, x, 0, 0);
//add_ext(exts, NID_subject_alt_name,
"DirName:/C=DE/O=Novell/OU=Security/CN=DUS-LAB-NPS");
printf("mkreq() add DirName extenion \n");
//add_ext(exts, NID_subject_alt_name, "DirName:/CN=DUS-LAB-NPS");
add_ext(&CTX, exts, NID_subject_alt_name, "dirName:/C=UK/CN=OpenSSL Group");
printf("mkreq() added DirName extenion \n");
print_errors();
/* Some Netscape specific extensions */
add_ext(NULL, exts, NID_netscape_cert_type, "client,email");
#ifdef CUSTOM_EXT
/* Maybe even add our own extension based on existing */
{
int nid;
nid = OBJ_create("1.2.3.4", "MyAlias", "My Test Alias Extension");
X509V3_EXT_add_alias(nid, NID_netscape_comment);
add_ext(NULL, x, nid, "example comment alias");
}
#endif
/* Now we've created the extensions we add them to the request */
X509_REQ_add_extensions(x, exts);
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
#endif
if (!X509_REQ_sign(x,pk,EVP_sha1()))
goto err;
*req=x;
*pkeyp=pk;
return(1);
err:
return(0);
}
/* Add extension using V3 code: we can set the config file as NULL
* because we wont reference any other sections.v3_alt.c
*/
int add_ext(X509V3_CTX * CTX, STACK_OF(X509_EXTENSION) *sk, int nid, char
*value)
{
X509_EXTENSION *ex;
//ex = X509V3_EXT_conf_nid(NULL, CTX, nid, value);
char *name = "subjectAltName";
ex = X509V3_EXT_conf(NULL, CTX, name, value);
if (!ex)
return 0;
sk_X509_EXTENSION_push(sk, ex);
return 1;
}
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150506/9d3a333f/attachment-0001.html>
More information about the openssl-users
mailing list