PKCS#10 (CSR) Attributes containing non-critical Extensions

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

PKCS#10 (CSR) Attributes containing non-critical Extensions

yhetheridge
I have created a Certificate Signing Request (CSR) with non-null
Attribute.  I have created the Attribute entries a number of ways.  The
most important method is that of creating a CSR,
org.bouncycastle.asn1.pkcs.CertificationRequestInfo, with the Attribute
entry being a DERTaggedObject like that in the class instantiation to
match the optional [3] tag in the X.509V3 certificate extension.

I have passed the resulting structure to "openssl req" to see what it
does with this attribute.  It totally confuses "openssl" because it
seems to be expecting each Attribute to be an ASN1Set consisting of
(DERObjectIdentity, Object value) encoded pairs.

I have also generated my ASN1Set Attributes in the "openssl" manner.  
"openssl" decodes the CSR Attributes to show the Object ID, with a
statement that it didn't know what to do with the Object value.  This
was true even when the encoded Extension was the well-known Basic
Constraints Extension.

Surely what I'm doing is not a total waste of time.  CSRs containing
required Extensions for a certificate request is not an extraordinary
expectation.

Can someone direct me to the correct path?

Thanks,

yhe