OSU client CSR/Certificate

Hello

I want to generate a CSR for an OSU client. The requirements for the CSR
are described in Technical Specification Hotspot 2.0 R2, Chapter 7.6.1.

I will quote them here:

```
EST clients shall support the following identity attributes and
include such information, when applicable, in a CSR if the attributes
are returned by the OSU server in a CSR Attributes response:
- macAddress (OID 1.3.6.1.1.1.1.22), encoded as an IA5STRING type
- imei (OID 1.3.6.1.4.1.40808.1.1.3), encoded as an IA5STRING type
- meid (OID 1.3.6.1.4.1.40808.1.1.4), encoded as a BITSTRING type
- DevId (OID 1.3.6.1.4.1.40808.1.1.5), encoded as a PRINTABLESTRING type

The /csrattrs response, per EST [36], is an ASN.1 SEQUENCE OF objects
and attributes, and each attribute is a SEQUENCE consisting of an
object and a SET that contains 1 or more objects. The listed identity
objects shall be represented in the /csrattrs response as an attribute
of Extension Request (OID 1.2.840.113549.1.9.14) and the specific
identity objects shall be contained in the attribute's SET. Any
identity object included in the resulting CSR shall be added as a
PKCS#9 Extension Request [12].
```

I tried to generate a CSR that complies with the described requirements.
Here is its text representation. I deleted the modulus value; it does
not matter for my question.
```
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = FI, L = Tuusula, O = local, CN = my.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        Attributes:
            1.3.6.1.4.1.40808.1.1.5  :testid
            1.3.6.1.1.1.1.22         :aa:bb:cc:dd:ee:ff
            1.3.6.1.4.1.40808.1.1.4  :22222222222222
            1.3.6.1.4.1.40808.1.1.3  :111111111111111
        Requested Extensions:
            1.3.6.1.1.1.1.22:
                ..aa:bb:cc:dd:ee:ff
            1.3.6.1.4.1.40808.1.1.3:
                ..111111111111111
            1.3.6.1.4.1.40808.1.1.4:
                ...22222222222222
            1.3.6.1.4.1.40808.1.1.5:
                ..testid
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                1.3.6.1.4.1.40808.1.1.2
    Signature Algorithm: sha256WithRSAEncryption
```

Can somebody confirm or disprove that I generated the CSR correctly?
Here is why I think that my CSR is correct.

> EST clients shall support the following identity attributes

I included macAddress, imei, meid, DevId as attributes in the CSR.

> Any identity object included in the resulting CSR shall be added as a PKCS#9 Extension Request

RFC 2985 (PKCS #9) states that

> The extensionRequest attribute type may be used to carry information about certificate extensions the requester wishes to be included in a certificate.

and gives this definition:
```
ExtensionRequest ::= Extensions
```
So I include macAddress, imei, meid, DevId as requested extensions in the CSR.

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
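
The /csrattrs structure described in the specification text quoted in the post, as an added example that is not part of the original message or of the hostap code: it builds a constructed response (a SEQUENCE OF holding one bare OID and one Extension Request attribute) and extracts the identity objects from the attribute's SET. The function names and the sample bytes are assumptions made for illustration; only the OIDs and value types come from the quoted text.

```python
EXT_REQ = "1.2.840.113549.1.9.14"  # PKCS#9 Extension Request
IDENTITY = {  # OID -> (name, type of the value in the CSR), from the quoted spec text
    "1.3.6.1.1.1.1.22": ("macAddress", "IA5String"),
    "1.3.6.1.4.1.40808.1.1.3": ("imei", "IA5String"),
    "1.3.6.1.4.1.40808.1.1.4": ("meid", "BIT STRING"),
    "1.3.6.1.4.1.40808.1.1.5": ("DevId", "PrintableString"),
}

def tlv(tag, body):  # short-form DER length only (body shorter than 128 bytes)
    return bytes([tag, len(body)]) + body

def enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]          # first two arcs share one byte
    for arc in arcs[2:]:
        septets = [arc & 0x7F]               # base-128, high bit marks continuation
        while arc := arc >> 7:
            septets.insert(0, 0x80 | (arc & 0x7F))
        body += septets
    return tlv(0x06, bytes(body))

def dec_oid(body):  # assumes the first arc is 0 or 1, true for every OID used here
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if b < 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def read_tlvs(data):  # yield (tag, value) per element; reject truncated input
    i = 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] & 0x80 or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated or long-form element")
        yield data[i], data[i + 2 : i + 2 + data[i + 1]]
        i += 2 + data[i + 1]

def requested_identity(csrattrs_der):  # identity objects in the Extension Request SET
    found = []
    (_, outer), = read_tlvs(csrattrs_der)                        # outer SEQUENCE OF
    for item in (v for t, v in read_tlvs(outer) if t == 0x30):   # skip bare OIDs
        (t1, oid), (t2, values) = read_tlvs(item)                # SEQUENCE { OID, SET }
        if (t1, t2) == (0x06, 0x31) and dec_oid(oid) == EXT_REQ:
            found += [IDENTITY[dec_oid(v)] for t, v in read_tlvs(values)
                      if t == 0x06 and dec_oid(v) in IDENTITY]
    return found

# Constructed sample: one bare OID (challengePassword) plus the Extension Request attribute.
ATTR = tlv(0x30, enc_oid(EXT_REQ) + tlv(0x31, b"".join(map(enc_oid, IDENTITY))))
SAMPLE = tlv(0x30, enc_oid("1.2.840.113549.1.9.7") + ATTR)
```

`requested_identity(SAMPLE)` returns the four (name, type) pairs in the order they appear in the SET.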


