Parsing a CSR


Parsing a CSR

Guillaume ROMAGNY - CAcert support
Hello,

I need to parse and extract attributes from a CSR.

Do you have any method to make it easier, please?

Background:

We (CAcert.org) issue X509 certs but we cannot rely on the
data/extensions provided by the users in the CSR. So we need to fetch
data (example: the Subject Alt Names), check the users' account, then
rebuild a new CSR with the proper pubkey+ID+extensions & finally sign it.

What I tried:

I read the initial CSR data from the user in .pem format then put it in
a PKCS10CertificationRequest (as stated in the wiki). It's fine.

After that it gets more complicated.

ASN1Set as = cri.getAttributes();
Enumeration e = as.getObjects();

after unbinding several enumerations:
if (ooooo instanceof DERObjectIdentifier) {
DERObjectIdentifier doi = (DERObjectIdentifier) ooooo;
System.out.println(doi.getId());
}

so doi.getId() can be compared to X509Extensions.SubjectAlternativeName
value

then

if (ooooo instanceof DEROctetString) {
    DEROctetString dos = (DEROctetString) ooooo;
    byte[] bt = dos.getOctets();
}

OK, I can fetch the data I need, but it is not really convenient:
class org.bouncycastle.asn1.DEROctetString
0+grhq.netgr.homeunix.orgdelta.grhq.net

I wanted to put the DEROctetString into a DERSequence trying to map it
to a GeneralNames object but it fails.

I also tried ASN1OctetStringParser aosp = dos.parser() but I went nowhere.

Thanks for reading so far!

Best regards,

Guillaume

--
CAcert Support, Guillaume Romagny (en_FR)
www.CAcert.org - Free Certificates!


Re: Parsing a CSR

David Hook-4

The value of an extension is OCTET STRING, the value of which is the DER
encoding of the actual object represented by the OID for the extension.
It looks like the last step is being missed.

Try

GeneralNames.getInstance(ASN1Object.fromByteArray(ooooo.getOctets()));

Regards,

David

On Mon, 2007-06-11 at 13:11 +0200, Guillaume ROMAGNY - CAcert support
wrote:


Re: Parsing a CSR

Guillaume ROMAGNY - CAcert support
Hi David,

David Hook [[hidden email]] wrote:
>
> The value of an extension is OCTET STRING, the value of which is the DER
> encoding of the actual object represented by the OID for the extension.
> It looks like the last step is being missed.
>
> Try
>
> GeneralNames.getInstance(ASN1Object.fromByteArray(ooooo.getOctets()));
>
Thank you, this is exactly what I needed.

DEROctetString dos = (DEROctetString) ooooo;
byte[] bt = dos.getOctets();

GeneralNames gns =
 GeneralNames.getInstance(ASN1Object.fromByteArray(dos.getOctets()));

GeneralName[] gnt = gns.getNames();

for (int j = 0; j < gnt.length; j++) {
    DERIA5String st = DERIA5String.getInstance(gnt[j].getName());
    System.out.println("name=" + st.getString());
    System.out.println("tag=" + gnt[j].getTagNo());
}

=>
class org.bouncycastle.asn1.DEROctetString
0+‚grhq.net‚gr.homeunix.org‚delta.grhq.net
name=grhq.net
tag=2
name=gr.homeunix.org
tag=2
name=delta.grhq.net
tag=2

So we can easily check the domain names against our user database. Then we can directly put the GeneralName(s) objects in the new cert.

I learnt ASN.1 at school but it is a nightmare for me, like EDI :) OK, EDI is more human readable.

Best regards,

Guillaume

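As an added example (not code from this thread, and using the newer org.bouncycastle.pkcs / org.bouncycastle.openssl API from the bcpkix jar rather than the raw ASN1Set walk above), here is the full CA-side flow the thread describes: verify the CSR's own signature, pull the requested dNSName SANs out of the extensionRequest attribute, and keep only those the account owner has verified. It assumes a PEM CSR path in args[0]; the class name CsrSanCheck is hypothetical and the verified-domain set is a constructed stand-in for the CAcert user database.

```java
import java.io.FileReader;
import java.util.*;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;

public class CsrSanCheck {
    // Returns the dNSName entries the requester put in the CSR's extensionRequest attribute.
    static List<String> requestedDnsNames(PKCS10CertificationRequest csr) {
        List<String> out = new ArrayList<>();
        for (Attribute attr : csr.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) {
            // The attribute's single value is an Extensions SEQUENCE; fromExtensions() unwraps the SAN
            // extension's OCTET STRING and decodes the GeneralNames inside it (David's point above).
            Extensions exts = Extensions.getInstance(attr.getAttrValues().getObjectAt(0));
            GeneralNames sans = GeneralNames.fromExtensions(exts, Extension.subjectAlternativeName);
            if (sans == null) continue;
            for (GeneralName gn : sans.getNames()) {
                if (gn.getTagNo() == GeneralName.dNSName) { // tag 2, as in the output above
                    out.add(DERIA5String.getInstance(gn.getName()).getString().toLowerCase(Locale.ROOT));
                }
            }
        }
        return out;
    }

    // Keeps only names the account owner has verified; the CSR's own claims are never trusted.
    static List<String> filterAgainstAccount(List<String> requested, Set<String> verifiedDomains) {
        List<String> allowed = new ArrayList<>(requested);
        allowed.retainAll(verifiedDomains); // anything the account has not verified is dropped
        return allowed;
    }

    public static void main(String[] args) throws Exception {
        try (PEMParser pem = new PEMParser(new FileReader(args[0]))) {
            PKCS10CertificationRequest csr = (PKCS10CertificationRequest) pem.readObject();
            // Proof of possession: the CSR must verify under the public key it carries.
            if (!csr.isSignatureValid(new JcaContentVerifierProviderBuilder().build(csr.getSubjectPublicKeyInfo()))) {
                throw new SecurityException("CSR signature does not verify");
            }
            // Constructed stand-in for the user database lookup.
            Set<String> verified = new HashSet<>(Arrays.asList("grhq.net", "delta.grhq.net"));
            System.out.println("SANs to issue: " + filterAgainstAccount(requestedDnsNames(csr), verified));
        }
    }
}
```

The filtered list is what goes into the new certificate's SAN extension; the CSR itself is left untouched, since only its public key and the validated names are carried over.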


Re: Parsing a CSR

Nuno Ponte-2
Guillaume,

Be aware that changing the attributes will invalidate the CSR.

Regards,

Nuno Ponte


On 6/11/07, Guillaume Romagny <[hidden email]> wrote:
