CODEWITHSUNDEEP
x509asn.1rfcderoid
Remy Grandin
Remy Grandin

Reputation: 1686

Where is the ASN1 moduels for certificate extention

I'm writing a DER parser for certificate requests in .net. I based myself on the RFC 2986 which described most of the content of the request with ASN.1 modules.

However, it don't define how is structured the extensionRequest (oid 1.2.840.113549.1.9.14). I've searched high and low but I'm not able to find another rfc or publicly available documentation which describe what structure it use, what types are expected, etc (ie, the ASN.1 module of the extensionRequest object and it's children)

Sample Der decoded :

SEQUENCE (3 elem)
  SEQUENCE (4 elem)
    INTEGER 0
    SEQUENCE (14 elem)
    SEQUENCE (2 elem)
      SEQUENCE (2 elem)
        OBJECT IDENTIFIER 1.2.840.113549.1.1.1 rsaEncryption (PKCS #1)
        NULL
      BIT STRING (1120 bit) 001100001000000110001001000000101000000110000001000000001011111100011…
        SEQUENCE (2 elem)
          INTEGER (1024 bit) 134193393845175687447721541202995749257369077931432148182685911334902…
          INTEGER 65537
    [0] (4 elem)
      SEQUENCE (2 elem)
        OBJECT IDENTIFIER 1.3.6.1.4.1.311.13.2.3 osVersion (Microsoft attribute)
        SET (1 elem)
          IA5String 10.0.19042.2
      SEQUENCE (2 elem)
        OBJECT IDENTIFIER 1.3.6.1.4.1.311.21.20 requestClientInfo (Microsoft attribute)
        SET (1 elem)
          SEQUENCE (4 elem)
            INTEGER 5
            UTF8String EDITED
            UTF8String EDITED\edited
            UTF8String MMC.EXE
      SEQUENCE (2 elem)
        OBJECT IDENTIFIER 1.3.6.1.4.1.311.13.2.2 enrolmentCSP (Microsoft attribute)
        SET (1 elem)
          SEQUENCE (3 elem)
            INTEGER 0
            BMPString Microsoft Software Key Storage Provider
            BIT STRING (0 bit)
      SEQUENCE (2 elem)
        OBJECT IDENTIFIER 1.2.840.113549.1.9.14 extensionRequest (PKCS #9 via CRMF)
        SET (1 elem)
       vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv This sequence vvvvvvvvvvvvvvvvvvvvvvvvv
          SEQUENCE (2 elem)
            SEQUENCE (2 elem)
              OBJECT IDENTIFIER 2.5.29.17 subjectAltName (X.509 extension)
              OCTET STRING (153 byte) 308196A41430123110300E060355040B0C076469726E616D658204444E53318204444…
                SEQUENCE (9 elem)
                  [4] (1 elem)
                    SEQUENCE (1 elem)
                      SET (1 elem)
                        SEQUENCE (2 elem)
                          OBJECT IDENTIFIER 2.5.4.11 organizationalUnitName (X.520 DN component)
                          UTF8String dirname
                  [2] (4 byte) DNS1
                  [2] (4 byte) DNS2
                  [1] (17 byte) [email protected]
                  [0] (2 elem)
                    OBJECT IDENTIFIER 1.3.6.1.4.1.311.25.1 ntdsReplication (Microsoft)
                    [0] (1 elem)
                      OCTET STRING (16 byte) ADC5FA58160E9F4ABB154A7DCEDC00A5
                  [7] (4 byte) 7F000002
                  [7] (16 byte) 00000000000000000000000000000001
                  [6] (3 byte) url
                  [0] (2 elem)
                    OBJECT IDENTIFIER 1.3.6.1.4.1.311.20.2.3 universalPrincipalName (Microsoft UPN)
                    [0] (1 elem)
                      UTF8String userprincipalname
            SEQUENCE (2 elem)
              OBJECT IDENTIFIER 2.5.29.14 subjectKeyIdentifier (X.509 extension)
              OCTET STRING (20 byte) 87E201CF0B06CB290C98E7DF67796CF46AD9D507
                OCTET STRING (20 byte) 87E201CF0B06CB290C98E7DF67796CF46AD9D507
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  SEQUENCE (2 elem)
    OBJECT IDENTIFIER 1.2.840.113549.1.1.11 sha256WithRSAEncryption (PKCS #1)
    NULL
  BIT STRING (1024 bit) 101110000001101000110010011000110101111010001000011101110110001110000…

Do you know where I can find this info ?

Upvotes: 0

Views: 760

Answers (2)

user2259432
user2259432

Reputation: 2539

RFC 5912 has a fairly large set of PKIX-related ASN.1 modules collected into one RFC and altered to use ASN.1 extensions to more formally document open type fields (like the extnID/extnValue fields of Extension).

Upvotes: 0

Crypt32
Crypt32

Reputation: 13974

Certificate extensions is an PKCS#9 request attribute. Specifically, extensionRequest attribute type is defined in RFC 2985 §5.4.2:

extensionRequest ATTRIBUTE ::= {
    WITH SYNTAX ExtensionRequest
    SINGLE VALUE TRUE
    ID pkcs-9-at-extensionRequest
}
ExtensionRequest ::= Extensions

and in RFC 5280 Appendix A.1:

Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension

Extension  ::=  SEQUENCE  {
    extnID      OBJECT IDENTIFIER,
    critical    BOOLEAN DEFAULT FALSE,
    extnValue   OCTET STRING
                -- contains the DER encoding of an ASN.1 value
                -- corresponding to the extension type identified
                -- by extnID
}

simply, attribute value is a SEQUENCE OF Extension type.

Upvotes: 1

Related Questions