Re: 802.1AR certificate generation and the config file

Why thank you, Viktor.  Let's see if I can get this right from RFC4108

On 08/11/2017 12:47 PM, Viktor Dukhovni wrote:
On Fri, Aug 11, 2017 at 03:29:25PM +0000, Salz, Rich via openssl-users wrote:

In the certificate extensions section you do something like:
	subjectAltName = dns:www.example.com, IP:127.0.0.1
and so on.  The "pki.tgz"

And further it seems you are saying there is no support for HMN at all.
Right.
From the x509v3_config manpage:

     ARBITRARY EXTENSIONS
        If an extension is not supported by the OpenSSL code then it must be
        encoded using the arbitrary extension format. It is also possible to
        use the arbitrary format for supported extensions. Extreme care should
        be taken to ensure that the data is formatted correctly for the given
        extension type.

        There are two ways to encode arbitrary extensions.

        The first way is to use the word ASN1 followed by the extension content
        using the same syntax as ASN1_generate_nconf(3).  For example:

         1.2.3.4=critical,ASN1:UTF8String:Some random data

         1.2.3.4=ASN1:SEQUENCE:seq_sect

         [seq_sect]

         field1 = UTF8:field1
         field2 = UTF8:field2

        It is also possible to use the word DER to include the raw encoded data
        in any extension.

         1.2.3.4=critical,DER:01:02:03:04
         1.2.3.4=DER:01020304

        The value following DER is a hex dump of the DER encoding of the
        extension. Any extension can be placed in this form to override the
        default behaviour.  For example:

         basicConstraints=critical,DER:00:01:02:03

      id-on-hardwareModuleName OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) dod(6) internet(1) security(5)
        mechanisms(5) pkix(7) on(8) 4 }


      HardwareModuleName ::= SEQUENCE {
        hwType OBJECT IDENTIFIER,
        hwSerialNum OCTET STRING }

   The fields of the HardwareModuleName type have the following
   meanings:

   hwType is an object identifier that identifies the type of hardware
      module.  A unique object identifier names a hardware model and
      revision.

   hwSerialNum is the serial number of the hardware module.  No
      particular structure is imposed on the serial number; it need not
      be an integer.  However, the combination of the hwType and
      hwSerialNum uniquely identifies the hardware module.

In my [ 8021ar_idevid ] section I would have a line:

1.3.6.1.5.5.7.8.4=ASN1:SEQUENCE:HardwareModuleName

then have:

[ HardwareModuleName ]
hwType= ??
hwSerialNum= ??

I would want the 'openssl req' command to prompt for hwType and hwSerialNum. At least for now.


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
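An added, worked example (not from this thread or from OpenSSL's own documentation) of the config approach discussed above. It uses the ASN1 generation syntax from the x509v3_config manpage to build the RFC 4108 HardwareModuleName SEQUENCE, but places it where 802.1AR and RFC 4108 actually put it: as an otherName inside subjectAltName (type-id 1.3.6.1.5.5.7.8.4), rather than as a standalone extension. Because `openssl req` cannot prompt for fields inside an arbitrary ASN1 section, the values are supplied through `${ENV::...}` references in the config. The vendor OID under hwType, the serial number, the DN and the section names `8021ar_idevid` and `hmn_sect` are placeholders chosen for this example; the helper functions `write_config`, `make_idevid_csr` and `csr_has_hmn` are this example's own.

```shell
#!/bin/sh
# Added example: encode HardwareModuleName (RFC 4108) as a SAN otherName in an
# OpenSSL config, generate a CSR from it, and verify the encoding with asn1parse.
# All OIDs/serials below are placeholders invented for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Values the request should carry. They are exported so the config can read
# them via ${ENV::NAME}; 'openssl req' does not prompt for ASN1 section fields.
export HW_TYPE_OID="1.3.6.1.4.1.99999.1.7"      # placeholder vendor hardware-model arc
export HW_SERIAL_HEX="534e2d30303031323334"      # "SN-0001234" as hex, placeholder

write_config() {
    # Quoted heredoc: ${ENV::...} must reach OpenSSL literally, not the shell.
    cat > "$WORK/idevid.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = 8021ar_idevid
prompt             = no

[ dn ]
CN = idevid-example
O  = Example Vendor

[ 8021ar_idevid ]
basicConstraints = critical,CA:FALSE
keyUsage         = critical,digitalSignature
# HardwareModuleName is an otherName inside the SAN, not a standalone extension.
# The part after ';' is ASN1_generate_nconf syntax; SEQUENCE:<section> nests it.
subjectAltName   = otherName:1.3.6.1.5.5.7.8.4;SEQUENCE:hmn_sect

[ hmn_sect ]
# HardwareModuleName ::= SEQUENCE { hwType OBJECT IDENTIFIER, hwSerialNum OCTET STRING }
hwType      = OID:${ENV::HW_TYPE_OID}
hwSerialNum = FORMAT:HEX,OCTETSTRING:${ENV::HW_SERIAL_HEX}
EOF
}

make_idevid_csr() {
    write_config
    # A P-256 key stands in for the device's real (ideally hardware-held) key.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$WORK/idevid.key" 2>/dev/null
    openssl req -new -config "$WORK/idevid.cnf" -key "$WORK/idevid.key" \
        -out "$WORK/idevid.csr"
    # Emit the CSR as DER and return its asn1parse listing for inspection.
    openssl req -in "$WORK/idevid.csr" -outform DER | openssl asn1parse -inform DER
}

# Returns 0 when the CSR carries a SAN whose DER contains the
# id-on-hardwareModuleName OID (2B 06 01 05 05 07 08 04) and the serial bytes.
csr_has_hmn() {
    listing=$(make_idevid_csr)
    echo "$listing" | grep -q 'Subject Alternative Name' &&
    echo "$listing" | grep -qi '2B06010505070804' &&
    echo "$listing" | grep -qi "$HW_SERIAL_HEX"
}
```

Run `make_idevid_csr` to see the parsed request; the SAN's hex dump should contain the DER of the otherName OID followed by the nested SEQUENCE with the placeholder hwType and the serial octets. To inspect the nested structure directly, feed the SAN's OCTET STRING offset to `openssl asn1parse -strparse`. If the intent is still to avoid any prompt, driving the two `ENV::` values from a provisioning script is the practical substitute for interactive input.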
