Add QCStatements extension in the request

#35412
Posted: 01/06/2016 15:08:26
by Desarrollo Alpha (Standard support level)
Joined: 11/30/2015
Posts: 15

Hello

I need to add the QCStatements extension to the request, but I get the following error:

"Certificate not issued (Denied) Error Parsing Request The parameter is incorrect."

I'm using TElCertificateRequest object.


certificateRequest.Extensions.Included = certificateRequest.Extensions.Included |
SBX509Ext.Unit.ceSubjectAlternativeName |
SBX509Ext.Unit.ceSubjectDirectoryAttributes;

int i = certificateRequest.Extensions.SubjectAlternativeName.Content.Add();
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).NameType = TSBGeneralName.gnRFC822Name;
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).RFC822Name = suscriptor.Email;
....

byte[] boid = SBStrUtils.Unit.StrToOID("1.3.6.1.5.5.7.1.3");

certificateRequest.Extensions.OtherCount = 1;

TElCustomExtension ce = certificateRequest.Extensions.get_OtherExtensions(0);

ce.OID = boid;

byte[] value = {0x30, 0x16, 0x30, 0x14, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x0b, 0x02, 0x30, 0x08, 0x06, 0x06, 0x60, 0x20, 0x01, 0x0a, 0x02, 0x02 };

ce.Value = value;



This "{0x30, ..., 0x02 }" is the hex encoding of this ASN.1:

SEQUENCE {
  SEQUENCE {
    OBJECTIDENTIFIER 1.3.6.1.5.5.7.11.2
    SEQUENCE {
      OBJECTIDENTIFIER 2.16.32.1.10.2.2
    }
  }
}
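A way to confirm that the hand-encoded bytes really decode to the ASN.1 shown in the post, before blaming the encoding for the CA's parse error. This is an added example, not part of the original post and not SecureBlackbox code; it assumes .NET 5 or later (System.Formats.Asn1), and the class and method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Formats.Asn1;

static class QcStatementsCheck   // hypothetical helper, not part of SecureBlackbox
{
    // Strictly decodes a QCStatements value (SEQUENCE OF QCStatement, RFC 3739)
    // and returns each statementId with the OIDs found inside its statementInfo.
    // Throws AsnContentException on any length, tag or DER violation.
    public static List<(string StatementId, List<string> InfoOids)> Decode(byte[] der)
    {
        var result = new List<(string, List<string>)>();
        var outer = new AsnReader(der, AsnEncodingRules.DER);
        AsnReader statements = outer.ReadSequence();
        outer.ThrowIfNotEmpty();                 // reject trailing bytes after the value

        while (statements.HasData)
        {
            AsnReader st = statements.ReadSequence();
            string id = st.ReadObjectIdentifier();
            var infoOids = new List<string>();
            if (st.HasData && st.PeekTag() == Asn1Tag.Sequence)
            {
                AsnReader info = st.ReadSequence();
                while (info.HasData)
                {
                    if (info.PeekTag() == Asn1Tag.ObjectIdentifier)
                        infoOids.Add(info.ReadObjectIdentifier());
                    else
                        info.ReadEncodedValue(); // skip non-OID fields
                }
            }
            else if (st.HasData)
            {
                st.ReadEncodedValue();           // statementInfo of another type
            }
            st.ThrowIfNotEmpty();                // nothing may follow statementInfo
            result.Add((id, infoOids));
        }
        return result;
    }

    static void Main()
    {
        // The 24-byte extension value exactly as posted above.
        byte[] value = { 0x30, 0x16, 0x30, 0x14, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
                         0x0b, 0x02, 0x30, 0x08, 0x06, 0x06, 0x60, 0x20, 0x01, 0x0a, 0x02, 0x02 };
        foreach (var (id, oids) in Decode(value))
            Console.WriteLine($"{id} -> [{string.Join(", ", oids)}]");
    }
}
```

The posted bytes decode cleanly to statement 1.3.6.1.5.5.7.11.2 carrying 2.16.32.1.10.2.2, so the value itself matches the ASN.1 dump.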
#35414
Posted: 01/06/2016 16:06:34
by Ken Ivanov (EldoS Corp.)

Hi,

Your code looks pretty correct to me, so the extension should be added as expected. Would it be possible for you to send a sample request generated by this code to us for checking? You can do that securely and privately via Helpdesk.

Looking from a different point of view, what makes you think that the problem is somehow related to the QCStatements extension?

Ken
#35423
Posted: 01/07/2016 09:41:58
by Desarrollo Alpha (Standard support level)
Joined: 11/30/2015
Posts: 15

I built the request without the QCStatement with the code below.
I sent the request to the CA and it generated the certificate.

Code

TElCertificateRequest certificateRequest = new TElCertificateRequest();

certificateRequest.SetKeyMaterial(KM);
certificateRequest.PreserveKeyMaterial = true;
certificateRequest.Subject.Count = 3;

certificateRequest.Subject.set_Values(0, Encoding.Default.GetBytes(suscriptor.Pais));
certificateRequest.Subject.set_OIDs(0, SBConstants.Unit.SB_CERT_OID_COUNTRY);

certificateRequest.Subject.set_Values(1, Encoding.Default.GetBytes(suscriptor.CN));
certificateRequest.Subject.set_OIDs(1, SBConstants.Unit.SB_CERT_OID_COMMON_NAME);

certificateRequest.Subject.set_Values(2, Encoding.Default.GetBytes(suscriptor.Cuit.ToString()));
certificateRequest.Subject.set_OIDs(2, SBConstants.Unit.SB_CERT_OID_SERIAL_NUMBER);

certificateRequest.Extensions.Included = certificateRequest.Extensions.Included |
                SBX509Ext.Unit.ceSubjectAlternativeName |
                SBX509Ext.Unit.ceSubjectDirectoryAttributes;


int i = certificateRequest.Extensions.SubjectAlternativeName.Content.Add();
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).NameType = TSBGeneralName.gnRFC822Name;
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).RFC822Name = suscriptor.Email;

i = certificateRequest.Extensions.SubjectAlternativeName.Content.Add();
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).NameType = TSBGeneralName.gnDirectoryName;
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.Count = 3;

certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_Values(0, SBStrUtils.__Global.StrToUTF8(suscriptor.CN));
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_Tags(0, SBASN1Tree.__Global.SB_ASN1_UTF8STRING);
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_OIDs(0, SBConstants.Unit.SB_CERT_OID_COMMON_NAME);
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_Values(1, SBStrUtils.__Global.StrToUTF8("CUIT=" + suscriptor.Cuit.ToString()));
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_Tags(1, SBASN1Tree.__Global.SB_ASN1_UTF8STRING);
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_OIDs(1, SBConstants.Unit.SB_CERT_OID_SERIAL_NUMBER);


certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_Values(2, SBStrUtils.__Global.StrToUTF8(suscriptor.Titulo));
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_Tags(2, SBASN1Tree.__Global.SB_ASN1_UTF8STRING);
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_OIDs(2, SBConstants.Unit.SB_CERT_OID_TITLE);

KeySize = 2048;

Algorithm = SBConstants.Unit.SB_CERT_ALGORITHM_ID_RSA_ENCRYPTION;
Hash = SBConstants.Unit.SB_CERT_ALGORITHM_SHA1_RSA_ENCRYPTION;

certificateRequest.Generate(Algorithm, KeySize, Hash);


Request:


Then I modified the code as follows and generated the request:

Code

TElCertificateRequest certificateRequest = new TElCertificateRequest();

certificateRequest.SetKeyMaterial(KM);
certificateRequest.PreserveKeyMaterial = true;
certificateRequest.Subject.Count = 3;

certificateRequest.Subject.set_Values(0, Encoding.Default.GetBytes(suscriptor.Pais));
certificateRequest.Subject.set_OIDs(0, SBConstants.Unit.SB_CERT_OID_COUNTRY);

certificateRequest.Subject.set_Values(1, Encoding.Default.GetBytes(suscriptor.CN));
certificateRequest.Subject.set_OIDs(1, SBConstants.Unit.SB_CERT_OID_COMMON_NAME);

certificateRequest.Subject.set_Values(2, Encoding.Default.GetBytes(suscriptor.Cuit.ToString()));
certificateRequest.Subject.set_OIDs(2, SBConstants.Unit.SB_CERT_OID_SERIAL_NUMBER);

certificateRequest.Extensions.Included = certificateRequest.Extensions.Included |
                   SBX509Ext.Unit.ceSubjectAlternativeName |
                   SBX509Ext.Unit.ceSubjectDirectoryAttributes;

int i = certificateRequest.Extensions.SubjectAlternativeName.Content.Add();
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).NameType = TSBGeneralName.gnRFC822Name;
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).RFC822Name = suscriptor.Email;

i = certificateRequest.Extensions.SubjectAlternativeName.Content.Add();
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).NameType = TSBGeneralName.gnDirectoryName;
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.Count = 3;

certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_Values(0, SBStrUtils.__Global.StrToUTF8(suscriptor.CN));
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_Tags(0, SBASN1Tree.__Global.SB_ASN1_UTF8STRING);
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_OIDs(0, SBConstants.Unit.SB_CERT_OID_COMMON_NAME);

certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_Values(1, SBStrUtils.__Global.StrToUTF8("CUIT=" + suscriptor.Cuit.ToString()));
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_Tags(1, SBASN1Tree.__Global.SB_ASN1_UTF8STRING);
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_OIDs(1, SBConstants.Unit.SB_CERT_OID_SERIAL_NUMBER);

certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_Values(2, SBStrUtils.__Global.StrToUTF8(suscriptor.Titulo));
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_Tags(2, SBASN1Tree.__Global.SB_ASN1_UTF8STRING);
certificateRequest.Extensions.SubjectAlternativeName.Content.get_Names(i).DirectoryName.set_OIDs(2, SBConstants.Unit.SB_CERT_OID_TITLE);

/*********************************************************************************************/

byte[] oid = SBStrUtils.Unit.StrToOID("1.3.6.1.5.5.7.1.3");
certificateRequest.Extensions.OtherCount = 1;
TElCustomExtension ce = certificateRequest.Extensions.get_OtherExtensions(0);
ce.OID = oid;
byte[] value = { 0x30, 0x16, 0x30, 0x14, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x0b, 0x02, 0x30, 0x08, 0x06, 0x06, 0x60, 0x20, 0x01, 0x0a, 0x02, 0x02};
ce.Value = value;

/*********************************************************************************************/
KeySize = 2048;

Algorithm = SBConstants.Unit.SB_CERT_ALGORITHM_ID_RSA_ENCRYPTION;
Hash = SBConstants.Unit.SB_CERT_ALGORITHM_SHA1_RSA_ENCRYPTION;

certificateRequest.Generate(Algorithm, KeySize, Hash);



Request:



I get the following error:

"Certificate not issued (Denied) Error Parsing Request The parameter is incorrect."


I think the problem may be that I do not assign a constant for QCStatement
Code
certificateRequest.Extensions.Included = certificateRequest.Extensions.Included |
                   SBX509Ext.Unit.ceSubjectAlternativeName |
                   SBX509Ext.Unit.ceSubjectDirectoryAttributes;
                   



and I cannot find the constant for QCStatement

Code
public const int ceAuthorityInformationAccess = 8192;
public const int ceAuthorityKeyIdentifier = 1;
public const int ceBasicConstraints = 256;
public const int ceCertificatePolicies = 16;
public const int ceCommonName = 4194304;
public const int ceCRLDistributionPoints = 4096;
public const int ceExtendedKeyUsage = 2048;
public const int ceIssuerAlternativeName = 128;
public const int ceKeyUsage = 4;
public const int ceNameConstraints = 512;
public const int ceNetscapeBaseURL = 32768;
public const int ceNetscapeCAPolicyURL = 524288;
public const int ceNetscapeCARevokeURL = 131072;
public const int ceNetscapeCertType = 16384;
public const int ceNetscapeComment = 2097152;
public const int ceNetscapeRenewalURL = 262144;
public const int ceNetscapeRevokeURL = 65536;
public const int ceNetscapeServerName = 1048576;
public const int cePolicyConstraints = 1024;
public const int cePolicyMappings = 32;
public const int cePrivateKeyUsagePeriod = 8;
public const int ceSubjectAlternativeName = 64;
public const int ceSubjectDirectoryAttributes = 8388608;
public const int ceSubjectKeyIdentifier = 2;
                   
#35426
Posted: 01/07/2016 11:55:13
by Ken Ivanov (EldoS Corp.)

Thank you for the detailed information.

I am afraid both requests above are exactly the same. Could you please re-check if you've posted the second one correctly?

Ken
#35431
Posted: 01/07/2016 12:48:37
by Desarrollo Alpha (Standard support level)
Joined: 11/30/2015
Posts: 15

Thank you, this is the second request:

#35435
Posted: 01/07/2016 14:54:50
by Ken Ivanov (EldoS Corp.)

Hi,

Thank you for the updated request. I can see the problem now.

Please try swapping the assignments of the custom extension's OID and Value properties in your code:

Code
byte[] oid = SBStrUtils.Unit.StrToOID("1.3.6.1.5.5.7.1.3");
certificateRequest.Extensions.OtherCount = 1;
TElCustomExtension ce = certificateRequest.Extensions.get_OtherExtensions(0);

byte[] value = { 0x30, 0x16, 0x30, 0x14, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x0b, 0x02, 0x30, 0x08, 0x06, 0x06, 0x60, 0x20, 0x01, 0x0a, 0x02, 0x02};
// Assign Value first, then OID (the reverse of the original order).
ce.Value = value;
ce.OID = oid;


This change should help.

Ken
#35461
Posted: 01/08/2016 08:43:18
by Desarrollo Alpha (Standard support level)
Joined: 11/30/2015
Posts: 15

Thank you. It works.

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.
