[openssl-users] 802.1AR certificate generation and the config file

Robert Moskowitz rgm at htt-consult.com
Fri Aug 11 17:08:22 UTC 2017


Why thank you, Viktor.  Let's see if I can get this right from RFC4108

On 08/11/2017 12:47 PM, Viktor Dukhovni wrote:
> On Fri, Aug 11, 2017 at 03:29:25PM +0000, Salz, Rich via openssl-users wrote:
>
>> In the certificate extensions section you do something like:
>> 	subjectAltName = dns:www.example.com, IP:127.0.0.1
>> and so on.  The "pki.tgz"
>>
>>> And further it seems you are saying there is no support for HMN at all.
>> Right.
> From the x509v3_config manpage:
>
>      ARBITRARY EXTENSIONS
>         If an extension is not supported by the OpenSSL code then it must be
>         encoded using the arbitrary extension format. It is also possible to
>         use the arbitrary format for supported extensions. Extreme care should
>         be taken to ensure that the data is formatted correctly for the given
>         extension type.
>
>         There are two ways to encode arbitrary extensions.
>
>         The first way is to use the word ASN1 followed by the extension content
>         using the same syntax as ASN1_generate_nconf(3).  For example:
>
>          1.2.3.4=critical,ASN1:UTF8String:Some random data
>
>          1.2.3.4=ASN1:SEQUENCE:seq_sect
>
>          [seq_sect]
>
>          field1 = UTF8:field1
>          field2 = UTF8:field2
>
>         It is also possible to use the word DER to include the raw encoded data
>         in any extension.
>
>          1.2.3.4=critical,DER:01:02:03:04
>          1.2.3.4=DER:01020304
>
>         The value following DER is a hex dump of the DER encoding of the
>         extension Any extension can be placed in this form to override the
>         default behaviour.  For example:
>
>          basicConstraints=critical,DER:00:01:02:03
>
       id-on-hardwareModuleName OBJECT IDENTIFIER ::= {
         iso(1) identified-organization(3) dod(6) internet(1) security(5)
         mechanisms(5) pkix(7) on(8) 4 }


       HardwareModuleName ::= SEQUENCE {
         hwType OBJECT IDENTIFIER,
         hwSerialNum OCTET STRING }

    The fields of the HardwareModuleName type have the following
    meanings:

    hwType is an object identifier that identifies the type of hardware
       module.  A unique object identifier names a hardware model and
       revision.

    hwSerialNum is the serial number of the hardware module.  No
       particular structure is imposed on the serial number; it need not
       be an integer.  However, the combination of the hwType and
       hwSerialNum uniquely identifies the hardware module.

In my [ 8021ar_idevid ] section I would have a line:

1.3.6.1.5.5.7.8.4=ASN1:SEQUENCE:HardwareModuleName

then have:

[ HardwareModuleName ]
hwType= ??
hwSerialNum= ??

I would want the 'openssl req' command to prompt for hwType and 
hwSerialNum.  At least for now.
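As an added example (not part of this thread, and not OpenSSL's own code), the script below DER-encodes the RFC 4108 HardwareModuleName quoted above by hand and prints the two config spellings the quoted manpage describes, ASN1:SEQUENCE:section and DER:hex. It places the value in a subjectAltName otherName, which is where RFC 4108 section 5 and IEEE 802.1AR carry it, rather than as a standalone extension keyed by the OID. The hwType 1.3.6.1.4.1.32473.1.2 is built on the IANA documentation enterprise number, the serial SN-0001 is constructed, and the section names 8021ar_idevid (from the post) and hmn_sect are assumed. One caveat on prompting: 'openssl req' only prompts for the distinguished_name and attributes sections; extension values are read from the config as written, so per-device values have to be written into the config (as this script does) instead of typed at a prompt.

```python
"""Added example: hand-encode RFC 4108 HardwareModuleName and emit both
OpenSSL x509v3_config spellings (ASN1:SEQUENCE:section and DER:hex) for a
subjectAltName otherName. Not code from the openssl-users thread."""

# id-on-hardwareModuleName, from RFC 4108 (quoted in the thread).
ID_ON_HARDWARE_MODULE_NAME = "1.3.6.1.5.5.7.8.4"


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    """Wrap a body in tag + length; all tags used here fit in one octet."""
    return bytes([tag]) + der_length(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one octet, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"not a valid OID: {dotted}")
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))  # continuation bit on all but last
            arc >>= 7
        body += chunk
    return der_tlv(0x06, bytes(body))


def decode_oid(tlv: bytes) -> str:
    """Inverse of encode_oid (short-form length only); sanity check for the encoder."""
    if tlv[0] != 0x06 or tlv[1] >= 0x80:
        raise ValueError("not a short-form OBJECT IDENTIFIER")
    body = tlv[2:2 + tlv[1]]
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def hardware_module_name(hw_type_oid: str, hw_serial: bytes) -> bytes:
    """HardwareModuleName ::= SEQUENCE { hwType OID, hwSerialNum OCTET STRING }"""
    return der_tlv(0x30, encode_oid(hw_type_oid) + der_tlv(0x04, hw_serial))


def san_with_hardware_module_name(hw_type_oid: str, hw_serial: bytes) -> bytes:
    """GeneralNames holding one otherName.
    OtherName ::= [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
    Both context-specific [0] tags are constructed, so both encode as 0xA0."""
    value = der_tlv(0xA0, hardware_module_name(hw_type_oid, hw_serial))
    other_name = der_tlv(0xA0, encode_oid(ID_ON_HARDWARE_MODULE_NAME) + value)
    return der_tlv(0x30, other_name)


def hex_dump(data: bytes) -> str:
    """Colon-separated hex, the style the x509v3_config manpage shows for DER:."""
    return ":".join(f"{b:02X}" for b in data)


def config_asn1_form(hw_type_oid: str, hw_serial: bytes) -> str:
    """Config using ASN1_generate_nconf syntax; OpenSSL builds the DER itself."""
    return (
        "[ 8021ar_idevid ]\n"
        f"subjectAltName = otherName:{ID_ON_HARDWARE_MODULE_NAME};SEQUENCE:hmn_sect\n"
        "\n"
        "[ hmn_sect ]\n"
        f"hwType = OID:{hw_type_oid}\n"
        f"hwSerialNum = FORMAT:HEX,OCT:{hw_serial.hex().upper()}\n"
    )


def config_der_form(hw_type_oid: str, hw_serial: bytes) -> str:
    """Config overriding the whole extension with precomputed DER; no section needed."""
    der = san_with_hardware_module_name(hw_type_oid, hw_serial)
    return "[ 8021ar_idevid ]\nsubjectAltName = DER:" + hex_dump(der) + "\n"


if __name__ == "__main__":
    # Constructed sample: documentation enterprise arc and a made-up serial.
    hw_type, serial = "1.3.6.1.4.1.32473.1.2", b"SN-0001"
    print(config_asn1_form(hw_type, serial))
    print(config_der_form(hw_type, serial))
```

The two forms must produce byte-identical extensions; after issuing a certificate with either config, `openssl asn1parse -i -in cert.pem` should show the otherName OID 1.3.6.1.5.5.7.8.4 followed by a SEQUENCE containing the hwType OID and the serial OCTET STRING. The DER form is the one to reach for only when the ASN1 syntax cannot express what is needed, because a single wrong length or tag byte silently produces an unparseable name.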
