PeculiarVentures / PKI.js

PKI.js is a pure JavaScript library implementing the formats that are used in PKI applications (signing, encryption, certificate requests, OCSP and TSP requests/responses). It is built on WebCrypto (Web Cryptography API) and requires no plug-ins.
http://pkijs.org

not able to add challenge to pkcs10.attributes. #239

Closed joydeeprony89 closed 5 years ago

joydeeprony89 commented 5 years ago

Hello Team,

I am trying to add the challenge (1.2.840.113549.1.9.7) in pkcs10. Please provide an example how to achieve the same.

I have used something like below

pkcs10.subjectPublicKeyInfo.subjectPublicKey.valueBlock.valueHex)).then((result) => {
            pkcs10.attributes.push(new Attribute({
                type: '1.2.840.113549.1.9.14', // pkcs-9-at-extensionRequest
                values: [new Extensions({
                    extensions: [new Extension({
                        extnID: '2.5.29.14',
                        critical: false,
                        extnValue: (new asn1js.OctetString({ valueHex: result })).toBER(false)
                    }),
                    new Extension({
                        extnID: "2.5.29.17",
                        critical: false,
                        extnValue: this.createSAN(certificateAttributes.subjectAlternateName).toSchema().toBER(false)
                    }),
                    new Extension({
                        extnID: "1.2.840.113549.1.9.7",
                        critical: false,
                        extnValue: (new asn1js.PrintableString({ value: certificateAttributes.challenge })).toBER(false)
                    })],
                }).toSchema()],
            }));
        });

When I am decoding it using an online decoder to verify whether it is created properly, I am not able to get the correct value for challenge. Could you please provide an example of how to add the challenge?

YuryStrozhevsky commented 5 years ago

@joydeeprony89 The attribute has OctetString value, not a PrintableString. So use this to encode value:

import { stringToArrayBuffer } from "pvutils";

new OctetString({ valueHex: stringToArrayBuffer("passwordChallenge") })

joydeeprony89 commented 5 years ago

I have tried using OctetString and when I am trying to decode it using https://www.sslchecker.com/csr/decode I am not able to see the 'passwordChallenge' as a value for Challenge passphrase.

YuryStrozhevsky commented 5 years ago

@joydeeprony89 Just found that RFC2312 describes the extension like:

ChallengePassword ::= CHOICE {
    PrintableString, T61String, UNIVERSAL STRING }

So, the correct way to represent it in PKCS#10 is this:

            pkcs10.attributes.push(new Attribute({
                type: "1.2.840.113549.1.9.14", // pkcs-9-at-extensionRequest
                values: [(new Extensions({
                    extensions: [
                        new Extension({
                            extnID: "2.5.29.14",
                            critical: false,
                            extnValue: (new asn1js.OctetString({ valueHex: result })).toBER(false)
                        }),
                        new Extension({
                            extnID: "2.5.29.17",
                            critical: false,
                            extnValue: altNames.toSchema().toBER(false)
                        }),
                        new Extension({
                            extnID: "1.2.840.113549.1.9.7",
                            critical: false,
                            extnValue: (new asn1js.OctetString({
                                valueHex: new asn1js.PrintableString({ value: "passwordChallange" })
                            })).toBER(false)
                        })
                    ]
                })).toSchema()]
            }));

Have no idea why "CSR Decoder" does not decode the extension correctly. With the code above I was able at least to have information about "challenge password" extension under "ASN.1" pushbutton on the site.

joydeeprony89 commented 5 years ago

Do we have any documentation for how to add different extensions? I have to add KeyUsages, EnhancedKeyUsages and SubjectAlternativeNames. I am not finding any guide or recommendation on how to add those extensions using pkijs.

joydeeprony89 commented 5 years ago

I am trying to add KeyUsage 2.5.29.15 and I am trying something like below

new Extension({
                        extnID: "2.5.29.15",
                        critical: false,
                        extnValue: keyUsage.toBER(false)

const keyUsage = new asn1js.OctetString({valueHex: this.createKeyUsage(certificateAttributes.keyUsage)});

public createKeyUsage(keyUsage: string){
        if(keyUsage !='0xFFFF'){
        const bitArray = new ArrayBuffer(1);
        const bitView = new Uint8Array(bitArray);
        switch(keyUsage){
            case '0':
                bitView[0] |= 0x0000; // Key usage "None" flag
                break;
            case '1':
                bitView[0] |= 0x0001; // Key usage "EncipherOnly" flag
                break;
            case '2':
                bitView[0] |= 0x0002; // Key usage "CrlSign" flag
            case '4':
                bitView[0] |= 0x0004; // Key usage "KeyCertSign" flag
                break;
            case '8':
                bitView[0] |= 0x0008; // Key usage "KeyAgreement" flag
                break;
            case '16':
                bitView[0] |= 0x0010; // Key usage "DataEncipherment" flag
                break;
            case '32':
                bitView[0] |= 0x0020; // Key usage "KeyEncipherment" flag
                break;
            case '64':
                bitView[0] |= 0x0040; // Key usage "NonRepudiation" flag
                break;
            case '128':
                bitView[0] |= 0x0080; // Key usage "DigitalSignature" flag
                break;
            case '32768':
                bitView[0] |= 0x8000; // Key usage "DecipherOnly" flag
                break;
        }
        return new asn1js.BitString({ valueHex: bitArray });
        }
    }

Is the way I am currently doing it for keyUsage the proper way?

joydeeprony89 commented 5 years ago

Yes I am able to see some hex value is present in section "ASN.1" pushbutton on the site which is similar to what it is displaying for Challenge passphrase field. I have used this same website to decode another CSR which is generated using .net code and I am able to see the correct value for challenge in that case.

joydeeprony89 commented 5 years ago

Your code is breaking with this error: Error signing PKCS#10: Error during exporting public key: TypeError: parameters.valueHex.slice is not a function

YuryStrozhevsky commented 5 years ago

@joydeeprony89 Yes, I accidentally put here not the final code

new Extension({
    extnID: "1.2.840.113549.1.9.7",
    critical: false,
    extnValue: (new asn1js.OctetString({
        valueHex: new asn1js.PrintableString({ value: "passwordChallenge" })
    })).toBER(false)
})

As for keyUsage - seems you already checked the code under CertificateComplexExample directory.

joydeeprony89 commented 5 years ago

Your code is not working; it is throwing an error.

YuryStrozhevsky commented 5 years ago

new Extension({
    extnID: "1.2.840.113549.1.9.7",
    critical: false,
    extnValue: (new PrintableString({ value: "passwordChallenge" })).toBER(false)
})

Made a change in a temporary file, now it is correct.

joydeeprony89 commented 5 years ago

With your change, after creating the CSR and decoding it, I am still not able to see the correct value "passwordChallenge" in the challenge password field. You mentioned you made a change in a temporary file; how do I get the change?

After decoding I can see the below value: Challenge passphrase 131170617373776F72644368616C6C656E6765, and in the asn1 section I am seeing the below value of type OCTET STRING; I believe this has to be Printable String.

398:d=7 hl=2 l= 9 prim: OBJECT :challengePassword
409:d=7 hl=2 l= 19 prim: OCTET STRING [HEX DUMP]:131170617373776F72644368616C6C656E6765

YuryStrozhevsky commented 5 years ago

@joydeeprony89 As I said it is not a problem of PKI.js but of the "CSR Decoder". Address the issue to them. Here is a pure ASN.1 decoding of PKCS#10 request:

SEQUENCE {
  SEQUENCE {
    INTEGER 0
    SEQUENCE {
      SET {
        SEQUENCE {
          OBJECT IDENTIFIER countryName (2 5 4 6)
          PrintableString 'RU'
          }
        SEQUENCE {
          OBJECT IDENTIFIER commonName (2 5 4 3)
          UTF8String 'Simple test (....... ....)'
          }
        }
      }
    SEQUENCE {
      SEQUENCE {
        OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
        NULL
        }
      BIT STRING, encapsulates {
        SEQUENCE {
          INTEGER
            00 DA 3C 51 79 FC 2D 24 AC EA 43 FD 00 7F B7 9F
            76 75 02 13 AB 59 C4 45 F8 AE 0E 47 9C 76 76 83
            EA 5B 6D BF 05 61 16 FC 26 ED 04 D2 3A 69 FD 15
            C7 79 28 2D 28 81 70 FE 00 FF B9 DB EA 0F 65 0A
            47 A5 A5 E2 9F BF 36 FB F0 3E E2 D9 CD 4D 13 35
            A3 41 66 F3 3C 0B C1 76 BC A9 DB 15 A1 38 FD CB
            53 30 E8 06 EA BB 72 BF 6E 50 53 DA B9 FA 37 6D
            67 86 2F 3A 45 83 74 45 A7 90 0C 2F 42 35 61 FC
                    [ Another 129 bytes skipped ]
          INTEGER 65537
          }
        }
      }
    [0] {
      SEQUENCE {
        OBJECT IDENTIFIER extensionRequest (1 2 840 113549 1 9 14)
        SET {
          SEQUENCE {
            SEQUENCE {
              OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
              OCTET STRING, encapsulates {
                OCTET STRING 24 4C B0 1A 27 5D 90 55 5A 6C B0 0C 0E B3 F5 7A 47 FA A8 E6
                }
              }
            SEQUENCE {
              OBJECT IDENTIFIER subjectAltName (2 5 29 17)
              OCTET STRING, encapsulates {
                SEQUENCE {
                  [1] 'email@address.com'
                  [2] 'www.domain.com'
                  [2] 'www.anotherdomain.com'
                  [7] C0 A8 00 01
                  }
                }
              }
            SEQUENCE {
              OBJECT IDENTIFIER challengePassword (1 2 840 113549 1 9 7)
              OCTET STRING, encapsulates {
                PrintableString 'passwordChallange'
                }
              }
            }
          }
        }
      }
    }
  SEQUENCE {
    OBJECT IDENTIFIER sha384WithRSAEncryption (1 2 840 113549 1 1 12)
    }
  BIT STRING
    02 B0 BA 06 42 C3 7E 4F CF 21 B7 B1 7A 87 36 FF
    9E 2C AB 8A 50 96 07 9F B9 54 4A CE 03 85 2C 20
    A9 26 86 0E 13 DC 54 19 0F 56 3E 7A 86 4A 84 BF
    F1 56 BE 77 0E 37 57 E2 24 67 8A 1F F5 19 A4 36
    99 BD 52 47 62 36 7C 58 1D D4 49 C5 7A E5 8C D9
    F3 A2 14 70 83 B1 A1 04 FE 1A 5C DE F8 AE 8C CC
    C6 65 58 27 96 3C 35 05 73 C7 71 86 62 07 7D 97
    EF D7 CE 4F 40 8F 8E 48 BE 7F 90 1F 42 76 F9 97
            [ Another 128 bytes skipped ]
  }

joydeeprony89 commented 5 years ago

Could you please share the entire working code, I mean the createCSRInternal() method with challenge? Also, you mentioned you made some change in a temp file; do I need to do that?

YuryStrozhevsky commented 5 years ago

I have updated the PKCS#10 example.

joydeeprony89 commented 5 years ago

I will test with the generated CSR and will try to get a CA certificate using the generated CSR, I will update here based on finding.

joydeeprony89 commented 5 years ago

I have used this example https://github.com/PeculiarVentures/PKI.js/blob/master/examples/PKCS10ComplexExample/es6.js to generate the CSR, and after decoding I don't see the challenge password value; it is still in encoded format, OCTET STRING.

0 799: SEQUENCE {
  4 521:   SEQUENCE {
  8   1:     INTEGER 0
 11  59:     SEQUENCE {
 13  57:       SET {
 15   9:         SEQUENCE {
 17   3:           OBJECT IDENTIFIER countryName (2 5 4 6)
 22   2:           PrintableString 'RU'
       :           }
 26  44:         SEQUENCE {
 28   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
 33  37:           UTF8String 'Simple test (.............. ........)'
       :           }
       :         }
       :       }
 72 290:     SEQUENCE {
 76  13:       SEQUENCE {
 78   9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
 89   0:         NULL
       :         }
 91 271:       BIT STRING
       :         30 82 01 0A 02 82 01 01 00 B7 02 81 95 96 3D F8
       :         E7 3F 15 FF D0 85 77 92 63 F3 54 5F E6 6E 5B 30
       :         CD 7E 7A 08 3F 56 6E 2D 64 A0 47 EB 7D 4E 05 3D
       :         6D 4C 41 4B 4B CC 31 A6 10 74 1B 19 1A EC E2 E6
       :         87 7C D9 1E 5B 69 AF 33 48 2D A2 A3 50 F1 06 48
       :         21 3B 2A F5 93 1A 0C 07 C4 34 B3 5A 5F 76 C0 FB
       :         A9 B5 81 18 5A 71 19 73 44 33 C3 8E 1D 3A 6D 9A
       :         39 05 95 09 22 66 29 A1 C3 02 D4 66 19 65 FE 1F
       :                 [ Another 142 bytes skipped ]
       :       }
366 160:     [0] {
369 157:       SEQUENCE {
372   9:         OBJECT IDENTIFIER extensionRequest (1 2 840 113549 1 9 14)
383 143:         SET {
386 140:           SEQUENCE {
389  29:             SEQUENCE {
391   3:               OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
396  22:               OCTET STRING
       :                 04 14 4F 67 9B 47 84 DA 60 97 40 D0 70 2E 6C B7
       :                 AD 6D 2E 78 6A 45
       :               }
420  73:             SEQUENCE {
422   3:               OBJECT IDENTIFIER subjectAltName (2 5 29 17)
427  66:               OCTET STRING
       :                 30 40 81 11 65 6D 61 69 6C 40 61 64 64 72 65 73
       :                 73 2E 63 6F 6D 82 0E 77 77 77 2E 64 6F 6D 61 69
       :                 6E 2E 63 6F 6D 82 15 77 77 77 2E 61 6E 6F 74 68
       :                 65 72 64 6F 6D 61 69 6E 2E 63 6F 6D 87 04 C0 A8
       :                 00 01
       :               }
495  32:             SEQUENCE {
497   9:               OBJECT IDENTIFIER
       :                 challengePassword (1 2 840 113549 1 9 7)
508  19:               OCTET STRING
       :                 13 11 70 61 73 73 77 6F 72 64 43 68 61 6C 6C 65
       :                 6E 67 65
       :               }
       :             }
       :           }
       :         }
       :       }
       :     }
529  11:   SEQUENCE {
531   9:     OBJECT IDENTIFIER sha1WithRSAEncryption (1 2 840 113549 1 1 5)
       :     }
542 257:   BIT STRING
       :     09 38 18 D2 A3 50 A7 2C B5 53 00 D2 EE 83 7D C0
       :     15 AB 0C 8D AD D2 47 DA 78 6A 64 DB BA D0 93 09
       :     6A C4 9F EB 12 BC 55 0D C1 54 6F CC AE AB 83 FF
       :     2F AA 5F CF 75 80 16 B1 C4 B3 B3 5F 3E 79 B8 6A
       :     38 0D 22 0D 3C 6A 6A 94 2D BA 37 ED 4C E4 94 54
       :     DB 74 A3 79 D0 A1 39 3D EF EC 32 00 55 1F B0 A2
       :     2F B4 26 8B 53 62 AE A4 42 2E BA 69 0C C3 03 F6
       :     F7 FB CD C1 5C 25 CC 64 09 B3 AF 34 F5 3F AC 79
       :             [ Another 128 bytes skipped ]
       :   }

YuryStrozhevsky commented 5 years ago

@joydeeprony89 Probably you are using dumpasn1 -e - it hides values encapsulated inside OCTET STRING. Here is the ASN.1 output with hexadecimal values.

<30 82 03 1F 30 82 02 09 02 01 00 30 3B 31 39 30 09 06 03 55 04 06 13 02>
SEQUENCE {
<30 82 02 09 02 01 00 30 3B 31 39 30 09 06 03 55 04 06 13 02 52 55 30 2C>
  SEQUENCE {
<02 01 00>
    INTEGER 0
<30 3B 31 39 30 09 06 03 55 04 06 13 02 52 55 30 2C 06 03 55 04 03 0C 25>
    SEQUENCE {
<31 39 30 09 06 03 55 04 06 13 02 52 55 30 2C 06 03 55 04 03 0C 25 53 69>
      SET {
<30 09 06 03 55 04 06 13 02 52 55>
        SEQUENCE {
<06 03 55 04 06>
          OBJECT IDENTIFIER countryName (2 5 4 6)
<13 02 52 55>
          PrintableString 'RU'
          }
<30 2C 06 03 55 04 03 0C 25 53 69 6D 70 6C 65 20 74 65 73 74 20 28 D0 BF>
        SEQUENCE {
<06 03 55 04 03>
          OBJECT IDENTIFIER commonName (2 5 4 3)
<0C 25 53 69 6D 70 6C 65 20 74 65 73 74 20 28 D0 BF D1 80 D0 BE D1 81 D1>
          UTF8String 'Simple test (....... ....)'
          }
        }
      }
<30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F 00>
    SEQUENCE {
<30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00>
      SEQUENCE {
<06 09 2A 86 48 86 F7 0D 01 01 01>
        OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
<05 00>
        NULL
        }
<03 82 01 0F 00 30 82 01 0A 02 82 01 01 00 DA 3C 51 79 FC 2D 24 AC EA 43>
      BIT STRING, encapsulates {
<30 82 01 0A 02 82 01 01 00 DA 3C 51 79 FC 2D 24 AC EA 43 FD 00 7F B7 9F>
        SEQUENCE {
<02 82 01 01 00 DA 3C 51 79 FC 2D 24 AC EA 43 FD 00 7F B7 9F 76 75 02 13>
          INTEGER
            00 DA 3C 51 79 FC 2D 24 AC EA 43 FD 00 7F B7 9F
            76 75 02 13 AB 59 C4 45 F8 AE 0E 47 9C 76 76 83
            EA 5B 6D BF 05 61 16 FC 26 ED 04 D2 3A 69 FD 15
            C7 79 28 2D 28 81 70 FE 00 FF B9 DB EA 0F 65 0A
            47 A5 A5 E2 9F BF 36 FB F0 3E E2 D9 CD 4D 13 35
            A3 41 66 F3 3C 0B C1 76 BC A9 DB 15 A1 38 FD CB
            53 30 E8 06 EA BB 72 BF 6E 50 53 DA B9 FA 37 6D
            67 86 2F 3A 45 83 74 45 A7 90 0C 2F 42 35 61 FC
                    [ Another 129 bytes skipped ]
<02 03 01 00 01>
          INTEGER 65537
          }
        }
      }
<A0 81 A0 30 81 9D 06 09 2A 86 48 86 F7 0D 01 09 0E 31 81 8F 30 81 8C 30>
    [0] {
<30 81 9D 06 09 2A 86 48 86 F7 0D 01 09 0E 31 81 8F 30 81 8C 30 1D 06 03>
      SEQUENCE {
<06 09 2A 86 48 86 F7 0D 01 09 0E>
        OBJECT IDENTIFIER extensionRequest (1 2 840 113549 1 9 14)
<31 81 8F 30 81 8C 30 1D 06 03 55 1D 0E 04 16 04 14 24 4C B0 1A 27 5D 90>
        SET {
<30 81 8C 30 1D 06 03 55 1D 0E 04 16 04 14 24 4C B0 1A 27 5D 90 55 5A 6C>
          SEQUENCE {
<30 1D 06 03 55 1D 0E 04 16 04 14 24 4C B0 1A 27 5D 90 55 5A 6C B0 0C 0E>
            SEQUENCE {
<06 03 55 1D 0E>
              OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
<04 16 04 14 24 4C B0 1A 27 5D 90 55 5A 6C B0 0C 0E B3 F5 7A 47 FA A8 E6>
              OCTET STRING, encapsulates {
<04 14 24 4C B0 1A 27 5D 90 55 5A 6C B0 0C 0E B3 F5 7A 47 FA A8 E6>
                OCTET STRING 24 4C B0 1A 27 5D 90 55 5A 6C B0 0C 0E B3 F5 7A 47 FA A8 E6
                }
              }
<30 49 06 03 55 1D 11 04 42 30 40 81 11 65 6D 61 69 6C 40 61 64 64 72 65>
            SEQUENCE {
<06 03 55 1D 11>
              OBJECT IDENTIFIER subjectAltName (2 5 29 17)
<04 42 30 40 81 11 65 6D 61 69 6C 40 61 64 64 72 65 73 73 2E 63 6F 6D 82>
              OCTET STRING, encapsulates {
<30 40 81 11 65 6D 61 69 6C 40 61 64 64 72 65 73 73 2E 63 6F 6D 82 0E 77>
                SEQUENCE {
<81 11 65 6D 61 69 6C 40 61 64 64 72 65 73 73 2E 63 6F 6D>
                  [1] 'email@address.com'
<82 0E 77 77 77 2E 64 6F 6D 61 69 6E 2E 63 6F 6D>
                  [2] 'www.domain.com'
<82 15 77 77 77 2E 61 6E 6F 74 68 65 72 64 6F 6D 61 69 6E 2E 63 6F 6D>
                  [2] 'www.anotherdomain.com'
<87 04 C0 A8 00 01>
                  [7] C0 A8 00 01
                  }
                }
              }
<30 20 06 09 2A 86 48 86 F7 0D 01 09 07 04 13 13 11 70 61 73 73 77 6F 72>
            SEQUENCE {
<06 09 2A 86 48 86 F7 0D 01 09 07>
              OBJECT IDENTIFIER challengePassword (1 2 840 113549 1 9 7)
<04 13 13 11 70 61 73 73 77 6F 72 64 43 68 61 6C 6C 61 6E 67 65>
              OCTET STRING, encapsulates {
<13 11 70 61 73 73 77 6F 72 64 43 68 61 6C 6C 61 6E 67 65>
                PrintableString 'passwordChallange'
                }
              }
            }
          }
        }
      }
    }
<30 0B 06 09 2A 86 48 86 F7 0D 01 01 0C>
  SEQUENCE {
<06 09 2A 86 48 86 F7 0D 01 01 0C>
    OBJECT IDENTIFIER sha384WithRSAEncryption (1 2 840 113549 1 1 12)
    }
<03 82 01 01 00 02 B0 BA 06 42 C3 7E 4F CF 21 B7 B1 7A 87 36 FF 9E 2C AB>
  BIT STRING
    02 B0 BA 06 42 C3 7E 4F CF 21 B7 B1 7A 87 36 FF
    9E 2C AB 8A 50 96 07 9F B9 54 4A CE 03 85 2C 20
    A9 26 86 0E 13 DC 54 19 0F 56 3E 7A 86 4A 84 BF
    F1 56 BE 77 0E 37 57 E2 24 67 8A 1F F5 19 A4 36
    99 BD 52 47 62 36 7C 58 1D D4 49 C5 7A E5 8C D9
    F3 A2 14 70 83 B1 A1 04 FE 1A 5C DE F8 AE 8C CC
    C6 65 58 27 96 3C 35 05 73 C7 71 86 62 07 7D 97
    EF D7 CE 4F 40 8F 8E 48 BE 7F 90 1F 42 76 F9 97
            [ Another 128 bytes skipped ]
  }

joydeeprony89 commented 5 years ago

Hello Yury, I created a CSR using the pkijs complex example and tried to decode it using openssl; below is the result:

Data:
        Version: 1 (0x0)
        Subject: C = RU + CN = Simple test (\D0\BF\D1\80\D0\BE\D1\81\D1\82\D0\BE\D0\B9 \D1\82\D0\B5\D1\81\D1\82)
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:a3:14:10:f5:3e:64:45:15:c1:59:67:ce:4b:94:
                    f1:fe:82:31:ed:ce:09:2a:44:fa:bc:b0:df:08:01:
                    c6:b1:be:15:ce:de:e8:04:b1:6a:25:85:ea:0a:a4:
                    9d:94:c8:7f:2d:9a:4f:c7:f2:fc:d7:c7:f8:f9:c1:
                    72:4c:ae:20:40:d6:f9:a5:a2:4c:8e:32:9c:a3:bd:
                    8a:36:13:03:c9:82:0e:ca:42:05:db:3b:58:22:d2:
                    7c:95:b5:3e:6b:ef:40:0f:8b:32:22:48:5b:ff:c1:
                    4b:c7:55:ef:09:21:55:dc:e2:fa:bc:a4:b9:4a:eb:
                    10:74:78:78:2f:34:e8:ad:f3:9d:05:b8:58:d4:b6:
                    b4:9e:be:6c:1b:2a:e7:dc:90:6a:ef:d2:16:73:73:
                    7f:a1:d7:46:6d:b0:45:7f:e6:b6:25:c5:ab:bd:ee:
                    71:5b:88:d3:e0:57:74:4b:f5:59:d1:a2:26:d8:59:
                    53:f0:f9:b2:01:e2:57:f0:92:4f:68:51:67:52:f8:
                    c3:63:b7:2a:c8:94:6b:89:a6:c5:10:45:5a:8d:17:
                    58:34:87:45:19:a8:68:53:6f:72:62:cf:65:48:16:
                    de:1b:69:87:e7:b7:14:75:4c:75:a7:16:e0:71:13:
                    18:d1:64:f7:a1:c3:ea:a8:2f:a6:69:4c:e9:9d:59:
                    ae:ef
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Key Identifier:
                9F:D7:D6:97:37:E1:D1:A3:4A:70:A3:2E:A5:B1:F9:07:54:0A:1B:CD
            X509v3 Subject Alternative Name:
                email:email@address.com, DNS:www.domain.com, DNS:www.anotherdomain.com, IP Address:192.168.0.1
            challengePassword:
                ..passwordChallenge
    Signature Algorithm: sha1WithRSAEncryption
         7f:a4:eb:48:06:86:c9:00:88:8b:c4:88:ea:99:ee:5d:26:a0:
         c8:29:1d:62:0f:77:9c:bf:d7:7c:c0:c9:8f:17:79:e4:f7:65:
         df:67:0f:c7:0b:a0:bd:8f:de:d9:cb:3d:0f:a5:8c:7d:ea:ed:
         75:17:5a:fb:77:aa:af:3c:16:39:3e:91:89:d2:f8:db:22:01:
         79:6d:c1:d3:f6:fa:ca:f7:e2:e2:c0:c1:dc:2c:88:2d:f5:41:
         db:af:ad:14:c9:19:2d:78:6c:f4:b5:51:55:48:a9:49:21:52:
         d9:1e:bd:07:55:44:26:44:84:d1:a5:22:2b:c2:c9:94:11:3f:
         0a:25:22:74:30:a7:98:d4:75:b3:b7:cb:b7:b9:d3:16:eb:5c:
         89:bd:6a:3c:0f:59:d4:25:30:a4:a1:27:87:19:29:1f:a2:e8:
         70:e7:29:37:9b:ee:61:bd:21:91:96:15:51:a8:7e:81:b0:39:
         bc:7b:3b:b4:e7:56:c5:2d:58:f7:6b:a2:40:57:ca:09:a7:c3:
         10:dd:56:d1:cf:bd:2f:7e:f5:7f:36:1b:9a:36:fb:76:e4:36:
         1a:5c:4a:31:53:68:13:d4:71:ca:7c:ff:5f:2c:3b:05:a7:15:
         73:45:eb:8f:4c:5e:8a:48:f8:46:a5:77:e0:0d:a8:5d:c8:de:
         6f:82:fc:d2

What I feel is that challengePassword should be part of the Attributes section; currently there are no attributes. What do you think?

YuryStrozhevsky commented 5 years ago

What I feel is that you are trying to use my experience in order to do your own work. Maybe you need to experiment by yourself? What do you think?

joydeeprony89 commented 5 years ago

As you said, you have experience, so I am just trying to use it to correct my understanding. I strongly believe the challengePassword should be added as a regular attribute instead of an extension attribute. Please do not misjudge me.

sequence = sequence.then(() => crypto.digest({ name: "SHA-1" }, pkcs10.subjectPublicKeyInfo.subjectPublicKey.valueBlock.valueHex))
.then(result => {
    pkcs10.attributes.push(new Attribute({
        type: "1.2.840.113549.1.9.7", // challengePassword
        values: [new asn1js.PrintableString({ value: "password" }) ]
    }));
    pkcs10.attributes.push(new Attribute({
        type: "1.2.840.113549.1.9.14", // pkcs-9-at-extensionRequest
        values: [(new Extensions({
            extensions: [
                new Extension({
                    extnID: "2.5.29.14",
                    critical: false,
                    extnValue: (new asn1js.OctetString({ valueHex: result })).toBER(false)
                }),                        
            ]
        })).toSchema()]
    }));
});

YuryStrozhevsky commented 5 years ago

So, what is the question/problem here? You want my opinion? I need to spend time to investigate what your problem is?

rmhrisk commented 5 years ago

RFC: https://tools.ietf.org/html/rfc2986

Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE {
        type   ATTRIBUTE.&id({IOSet}),
        values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{@type})
   }

And

attributes is a collection of attributes providing additional information about the subject of the certificate.  Some attribute types that might be useful here are defined in PKCS #9.  An example is the challenge-password attribute, which specifies a password by which the entity may request certificate revocation. 

Next RFC: https://tools.ietf.org/html/rfc2985

5.4.1 Challenge password

   The challengePassword attribute type specifies a password by which an
   entity may request certificate revocation.  The interpretation of
   challenge passwords is intended to be specified by certificate
   issuers etc; no particular interpretation is required.

   challengePassword ATTRIBUTE ::= {
           WITH SYNTAX DirectoryString {pkcs-9-ub-challengePassword}
           EQUALITY MATCHING RULE caseExactMatch
           SINGLE VALUE TRUE
           ID pkcs-9-at-challengePassword
   }

   A challenge-password attribute must have a single attribute value.

   ChallengePassword attribute values generated in accordance with this
   version of this document SHOULD use the PrintableString encoding
   whenever possible.  If internationalization issues make this
   impossible, the UTF8String alternative SHOULD be used.  PKCS #9-
   attribute processing systems MUST be able to recognize and process
   all string types in DirectoryString values.

   Note - Version 1.1 of this document defined challengePassword as
   having the syntax CHOICE {PrintableString, T61String}, but did
   contain a note explaining that this might be changed to a CHOICE of
   different string types in the future See also Note 2 in section
   5.2.3.
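
The placement question this thread ends on (challengePassword as a PKCS #9 attribute versus an Extension wrapped inside extensionRequest) can be checked directly on the encoded request. The following is an added example, not part of the thread and not PKI.js code: a small DER walker over the `[0]` attributes field. The helper names and both byte strings are constructed for illustration; the first reuses the challengePassword extension bytes from the hex dump earlier in the thread.

```javascript
// Added example, not PKI.js code: find challengePassword in a PKCS#10
// attributes field ([0]) and report where and how it was encoded.
const OID_CHALLENGE = "06092a864886f70d010907"; // DER of 1.2.840.113549.1.9.7
const OID_EXT_REQ = "06092a864886f70d01090e";   // DER of 1.2.840.113549.1.9.14
const STRING_TAGS = { 0x0c: "UTF8String", 0x13: "PrintableString", 0x14: "T61String",
                      0x1c: "UniversalString", 0x1e: "BMPString" };

const hex = (s) => Uint8Array.from(s.replace(/\s+/g, "").match(/../g), (b) => parseInt(b, 16));
const toHex = (u8) => Array.from(u8, (b) => b.toString(16).padStart(2, "0")).join("");

// Read one DER TLV at pos (single-byte tags, definite lengths up to 4 bytes).
function readTlv(buf, pos) {
  if (pos + 2 > buf.length) throw new Error("truncated TLV header");
  const tag = buf[pos];
  let len = buf[pos + 1];
  let off = pos + 2;
  if (len & 0x80) {
    const n = len & 0x7f;
    if (n === 0 || n > 4 || off + n > buf.length) throw new Error("unsupported length");
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[off + i];
    off += n;
  }
  if (off + len > buf.length) throw new Error("TLV overruns buffer");
  return { tag, raw: buf.subarray(pos, off + len), value: buf.subarray(off, off + len), end: off + len };
}

// Split the content of a constructed value into its child TLVs.
function children(buf) {
  const out = [];
  for (let pos = 0; pos < buf.length; ) {
    const tlv = readTlv(buf, pos);
    out.push(tlv);
    pos = tlv.end;
  }
  return out;
}

// Name the string type; decode text only for PrintableString and UTF8String.
function describeString(tlv) {
  const type = STRING_TAGS[tlv.tag] || `tag 0x${tlv.tag.toString(16)}`;
  const text = tlv.tag === 0x13 || tlv.tag === 0x0c ? new TextDecoder().decode(tlv.value) : null;
  return { type, text };
}

// Returns one finding per challengePassword value: placement is "attribute"
// (the RFC 2985 form) or "extension" (nested inside extensionRequest).
function findChallengePassword(attributesDer) {
  const top = readTlv(attributesDer, 0);
  if (top.tag !== 0xa0) throw new Error("expected [0] attributes");
  const findings = [];
  for (const attr of children(top.value)) {        // Attribute ::= SEQUENCE { type, values SET }
    const [type, values] = children(attr.value);
    if (!type || !values) continue;
    const oid = toHex(type.raw);
    if (oid === OID_CHALLENGE) {
      for (const v of children(values.value)) findings.push({ placement: "attribute", ...describeString(v) });
    } else if (oid === OID_EXT_REQ) {
      for (const exts of children(values.value)) { // Extensions ::= SEQUENCE OF Extension
        for (const ext of children(exts.value)) {
          const parts = children(ext.value);       // extnID, optional critical, extnValue
          if (toHex(parts[0].raw) !== OID_CHALLENGE) continue;
          const inner = readTlv(parts[parts.length - 1].value, 0); // content of the OCTET STRING
          findings.push({ placement: "extension", ...describeString(inner) });
        }
      }
    }
  }
  return findings;
}

// Constructed sample: extensionRequest holding only the challengePassword extension.
const AS_EXTENSION = `a033 3031 06092a864886f70d01090e 3124 3022 3020
  06092a864886f70d010907 0413 1311 70617373776f72644368616c6c616e6765`;
// Constructed sample: challengePassword as its own attribute, PrintableString 'password'.
const AS_ATTRIBUTE = "a019 3017 06092a864886f70d010907 310a 1308 70617373776f7264";

console.log(findChallengePassword(hex(AS_EXTENSION)));
console.log(findChallengePassword(hex(AS_ATTRIBUTE)));
```

A finding with placement "extension" corresponds to the requests whose openssl output showed an empty Attributes section with challengePassword listed under Requested Extensions.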