I need to add Directory Name extension in PKCS#10 request

#34922
Posted: 10/30/2015 15:18:21
by ivan cursos (Basic support level)
Joined: 10/19/2015
Posts: 5

Hello.

I need to create a PKCS#10 request using PKCS#11.
I need to add a Directory Name extension to that request; I'm doing it as shown below.
When I retrieve a dump of that request, I see it encoded as
"SERIALNUMBER=#323030303030303030303030", not the expected value "200000000000".

What's wrong?


----Dump Request PKCS#10 --------

Attribute[0]: 1.2.840.113549.1.9.14 (Certificate Extensions)
Value[0][0]:
Unknown Attribute type
Certificate Extensions: 1
2.5.29.17: Flags = 0, Length = 4b
Subject Alternative Name
RFC822 Name=mail@mail.com
Directory Address:
T=#70726F6772
SERIALNUMBER=#323030303030303030303030
CN=#61736466
-- Source code ---

Code
TElCertificateRequest certificateRequest = new TElCertificateRequest();
certificateRequest.SetKeyMaterial(KM);
certificateRequest.PreserveKeyMaterial = true;
certificateRequest.Subject.Count = 3;
....

certificateRequest.Extensions.Included = certificateRequest.Extensions.Included | SBX509Ext.Unit.ceSubjectAlternativeName | SBX509Ext.Unit.ceSubjectDirectoryAttributes;

int i = certificateRequest.Extensions.SubjectAlternativeName.Content.Add();
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).NameType = TSBGeneralName.gnRFC822Name;
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).RFC822Name = "mail@mail.com";

i = certificateRequest.Extensions.SubjectAlternativeName.Content.Add();
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).NameType = TSBGeneralName.gnDirectoryName;
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.Count = 3;

certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_Values(0, SBStrUtils.__Global.StrToUTF8("Name"));
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_OIDs(0, SBConstants.Unit.SB_CERT_OID_COMMON_NAME);

certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_Values(1, SBStrUtils.__Global.StrToUTF8("200000000000"));
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_OIDs(1, SBConstants.Unit.SB_CERT_OID_SERIAL_NUMBER);

certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_Values(2, SBStrUtils.__Global.StrToUTF8("Title"));
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_OIDs(2, SBConstants.Unit.SB_CERT_OID_TITLE);


Thank you.
#34923
Posted: 10/30/2015 15:26:27
by Eugene Mayevski (EldoS Corp.)

Serial numbers in PKI are not digits (nor are they text) but long (very long) integers. If you set the serial number to "0A" (for example) you will have not one byte with the value of decimal 10 (or 0x0A), but two bytes, where the first byte is 0x30 and the second is 0x41.

On a side note, it would help a lot if you used the CODE button located above the text entry box (alternatively you can write [ CODE ] and [ /CODE ] tags by hand) to mark the beginning and the end of the code blocks in your messages. This would enable syntax highlighting and line numbering on the code and make it easier to analyse.


Sincerely yours
Eugene Mayevski
#34926
Posted: 11/02/2015 09:02:19
by ivan cursos (Basic support level)
Joined: 10/19/2015
Posts: 5

I'm using the C# CryptoAPI, making a request with the section of code below

Code
CX509ExtensionKeyUsage objX509ExtensionKeyUsage = new CX509ExtensionKeyUsage();
CX509ExtensionEnhancedKeyUsage objX509ExtensionEnhancedKeyUsage = new CX509ExtensionEnhancedKeyUsage();
CX509ExtensionTemplateName objExtensionTemplate = new CX509ExtensionTemplateName();
CX500DistinguishedName objDn = new CX500DistinguishedName();
CX509Enrollment XEnroll = new CX509Enrollment();

string strDirectoryName = "CN=\"Juan Lopez\";SN=\"20000000001\";T=\"ABOGADO\"";

CX500DistinguishedName objX500 = new CX500DistinguishedName();
string strDirectory = null;
CAlternativeName objDirectoryName = new CAlternativeName();
CAlternativeNames objAlternativeNames = new CAlternativeNames();
CX509ExtensionAlternativeNames objExtensionAlternativeNames = new CX509ExtensionAlternativeNames();

I get a PKCS#10 request where I see the directory name values:

CN=Juan Lopez, SN="20000000001" and T=ABOGADO


Attribute[3]: 1.2.840.113549.1.9.14 (Certificate Extensions)
Value[3][0]:
Unknown Attribute type
Certificate Extensions: 5
2.5.29.17: Flags = 0, Length = 5b
Subject Alternative Name
Directory Address:
CN=Juan Lopez
SN="20000000001"
T=ABOGADO
RFC822 Name=juan@yahoo.com.ar


But when I try to do the same thing using your framework, following the steps shown below, I get this result:

T=#41626F6761646F, SERIALNUMBER=#323030303030303030303030, CN=#4A75616E204C6F70657A


What am I doing wrong?


----Dump Request--------

Attribute[0]: 1.2.840.113549.1.9.14 (Certificate Extensions)
Value[0][0]:
Unknown Attribute type
Certificate Extensions: 1
2.5.29.17: Flags = 0, Length = 53
Subject Alternative Name
RFC822 Name=mail@mail.com
Directory Address:
T=#41626F6761646F
SERIALNUMBER=#323030303030303030303030
CN=#4A75616E204C6F70657A

Code

TElCertificateRequest certificateRequest = new TElCertificateRequest();
certificateRequest.SetKeyMaterial(KM);
certificateRequest.PreserveKeyMaterial = true;
certificateRequest.Subject.Count = 3;

....

certificateRequest.Extensions.Included = certificateRequest.Extensions.Included | SBX509Ext.Unit.ceSubjectAlternativeName | SBX509Ext.Unit.ceSubjectDirectoryAttributes;

int i = certificateRequest.Extensions.SubjectAlternativeName.Content.Add();
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).NameType = TSBGeneralName.gnRFC822Name;
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).RFC822Name = "mail@mail.com";

i = certificateRequest.Extensions.SubjectAlternativeName.Content.Add();
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).NameType = TSBGeneralName.gnDirectoryName;
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.Count = 3;

certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_Values(0, SBStrUtils.__Global.StrToUTF8("Juan Lopez"));
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_OIDs(0, SBConstants.Unit.SB_CERT_OID_COMMON_NAME);
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_Values(1, SBStrUtils.__Global.StrToUTF8("200000000000"));
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_OIDs(1, SBConstants.Unit.SB_CERT_OID_SERIAL_NUMBER);
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_Values(2, SBStrUtils.__Global.StrToUTF8("Abogado"));
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_OIDs(2, SBConstants.Unit.SB_CERT_OID_TITLE);
#34927
Posted: 11/02/2015 09:50:34
by Eugene Mayevski (EldoS Corp.)

There are two problems here:

1) Serial number. As I described above, what you have is a long decimal number, 200000000000. You are trying to treat it as a string, but this is not a string.
Instead of calling StrToUTF8 you need to call
Code
SBXMLUtils.Unit.ConvertBigIntToBinary("20000000001", false);


2) Common name. Besides setting the value, you also need to set the type of the entry in the directory name. The code would look like

Code
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_OIDs(0, SBConstants.Unit.SB_CERT_OID_COMMON_NAME);
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_Tags(0, SBASN1Tree.__Global.SB_ASN1_UTF8STRING);
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_Values(0, SBStrUtils.__Global.StrToUTF8("Juan Lopez"));


It would be nice if you could test the above code and let us know the outcome.


Sincerely yours
Eugene Mayevski
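The two replies above make byte-level claims: that a serial number pushed in as text becomes one byte per ASCII digit (so "0A" is 0x30 0x41) rather than an integer, and that each directory name entry needs an explicit ASN.1 tag before a dump can show it as text instead of `#hex`. The following added example makes both visible. It is not code from this thread or from SecureBlackbox; it is a small stand-alone DER encoder and renderer written for this page. Assumed: the OIDs 2.5.4.3, 2.5.4.5 and 2.5.4.12 are the commonName, serialNumber and title attribute types behind the SB_CERT_OID_* constants; OCTET STRING is used only as a stand-in for "a value written without a string tag", since the dump does not reveal which tag the library actually emitted; the `#hex` rendering mirrors the dump, which printed the content octets of the values (323030... is exactly the ASCII of "200000000000").

```python
"""Added example: a minimal DER encoder/renderer for the directoryName entries
discussed in the thread. Not SecureBlackbox code; written for this page."""
from typing import List, Tuple

# Universal ASN.1 tag numbers used below.
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04   # stand-in for "no string tag was set" (assumption)
TAG_OID = 0x06
TAG_UTF8STRING = 0x0C
TAG_PRINTABLESTRING = 0x13
TAG_SEQUENCE = 0x30       # constructed
TAG_SET = 0x31            # constructed

# X.520 attribute types behind the thread's SB_CERT_OID_* constants (assumed mapping).
OID_COMMON_NAME = "2.5.4.3"
OID_SERIAL_NUMBER = "2.5.4.5"
OID_TITLE = "2.5.4.12"
SHORT_NAMES = {OID_COMMON_NAME: "CN", OID_SERIAL_NUMBER: "SERIALNUMBER", OID_TITLE: "T"}
TEXT_TAGS = {TAG_UTF8STRING, TAG_PRINTABLESTRING}


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + der_length(len(content)) + content


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one octet, base-128 after that."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(TAG_OID, bytes(out))


def der_integer(value: int) -> bytes:
    """Minimal two's-complement INTEGER: the form a PKI serial number takes."""
    if value < 0:
        raise ValueError("serial numbers are non-negative")
    length = value.bit_length() // 8 + 1  # extra byte only when the top bit would be set
    return der_tlv(TAG_INTEGER, value.to_bytes(length, "big", signed=True))


def encode_directory_name(entries: List[Tuple[str, int, bytes]]) -> bytes:
    """Name ::= SEQUENCE OF RDN; each entry (oid, value_tag, value_content) becomes
    one SET { SEQUENCE { OID, value } }, mirroring the library's OIDs/Tags/Values triple."""
    rdns = b""
    for oid, tag, content in entries:
        atv = der_tlv(TAG_SEQUENCE, der_oid(oid) + der_tlv(tag, content))
        rdns += der_tlv(TAG_SET, atv)
    return der_tlv(TAG_SEQUENCE, rdns)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after this TLV)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def render_directory_name(der: bytes) -> List[str]:
    """Render each RDN the way the thread's dump did: text for string tags,
    '#' + hex of the content octets for any other tag."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not a Name")
    out, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = _read_tlv(seq, pos)
        _, atv, _ = _read_tlv(rdn, 0)
        _, oid_content, p = _read_tlv(atv, 0)
        vtag, vcontent, _ = _read_tlv(atv, p)
        name = SHORT_NAMES.get(decode_oid(oid_content), decode_oid(oid_content))
        shown = vcontent.decode("utf-8") if vtag in TEXT_TAGS else "#" + vcontent.hex().upper()
        out.append(f"{name}={shown}")
    return out


def thread_examples() -> dict:
    """Constructed sample values taken from the thread's second dump."""
    cn, sn_text, title = b"Juan Lopez", b"200000000000", b"Abogado"
    # (1) values written without a string tag: the dump shows #hex of the bytes.
    untagged = encode_directory_name([(OID_COMMON_NAME, TAG_OCTET_STRING, cn),
                                      (OID_SERIAL_NUMBER, TAG_OCTET_STRING, sn_text),
                                      (OID_TITLE, TAG_OCTET_STRING, title)])
    # (2) the same values with an explicit UTF8String tag, as set_Tags supplies.
    tagged = encode_directory_name([(OID_COMMON_NAME, TAG_UTF8STRING, cn),
                                    (OID_SERIAL_NUMBER, TAG_UTF8STRING, sn_text),
                                    (OID_TITLE, TAG_UTF8STRING, title)])
    return {
        "untagged": render_directory_name(untagged),
        "tagged": render_directory_name(tagged),
        # (3) the serial as an INTEGER: five bytes, not twelve ASCII digits.
        "serial_as_integer_hex": der_integer(200000000000).hex().upper(),
        "text_0A_hex": b"0A".hex().upper(),              # 0x30 0x41, as the reply says
        "integer_0A_hex": der_integer(0x0A).hex().upper(),  # one content byte, 0x0A
    }


if __name__ == "__main__":
    for key, value in thread_examples().items():
        print(f"{key}: {value}")
```

A caveat worth keeping next to this: the serial number of a certificate itself (in TBSCertificate) is an ASN.1 INTEGER, while RFC 5280 defines the distinguished-name `serialNumber` attribute (X520SerialNumber, OID 2.5.4.5) as a PrintableString, which is why the CryptoAPI dump earlier in the thread shows `SN="20000000001"` as text. Whichever form is chosen for the entry, it needs an explicit tag, which is what the `set_Tags` call in the reply supplies.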
#34928
Posted: 11/02/2015 10:38:38
by ivan cursos (Basic support level)
Joined: 10/19/2015
Posts: 5

Excellent. I added this line and it worked.

Code
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_Tags(0, SBASN1Tree.__Global.SB_ASN1_UTF8STRING);


Thank you.
Ivan.