PeculiarVentures / PKI.js

PKI.js is a pure JavaScript library implementing the formats that are used in PKI applications (signing, encryption, certificate requests, OCSP and TSP requests/responses). It is built on WebCrypto (Web Cryptography API) and requires no plug-ins.
http://pkijs.org

Adding the principal name of the subscriber in the SubjectAltName extension as a UPN (1.3.6.1.4.1.311.20.2.3) #323

Closed xomilders closed 3 years ago

xomilders commented 3 years ago

Hi,

I am using PKIJS to generate PKCS10 and am having a bit of a hard time determining precisely how to construct this OtherName value for 1.3.6.1.4.1.311.20.2.3 like so:

[Screenshot: Screen Shot 2021-07-13 at 2 12 32 PM]

I have tried to figure out how to properly construct the OtherName, and I drew from this post, but I think maybe using a sequence is wrong (see https://stackoverflow.com/questions/44290311/how-can-the-upnname-user-principal-name-be-set-with-bouncycastle-x509v3certifi). I have tried adding the ObjectIdentifier and the Utf8String as separate GeneralNames instead of using a sequence, but this is also not quite it.

```js
function generateSubjectAltNames(upn, email) {

    var subAltPrincipalSeq = new asn1js.Sequence({
        value: [
            new asn1js.ObjectIdentifier({ value: "1.3.6.1.4.1.311.20.2.3" }),
            new asn1js.Utf8String({ value: upn })
        ]
    });

    var altNames = new pkijs.AltName({
        altNames: [
            new pkijs.GeneralName({
                type: 1, // rfc822Name
                value: email
            }),
            new pkijs.GeneralName({
                type: 0, // Other Name
                value: subAltPrincipalSeq
            })
        ]
    });

    var altNamesExt = new pkijs.Extension({
        extnID: "2.5.29.17",
        critical: false,
        extnValue: altNames.toSchema().toBER(false)
    });

    return altNamesExt;
}
```

Thank you for shedding any light on my issue and for all your efforts creating and maintaining PKIJS.

Best,

Seth Milder

xomilders commented 3 years ago

BTW, this is the structure I am attempting to create: goal.txt

I fiddled with it a bit, and this code seems to get close to the mark:

```js
var altNames = new pkijs.AltName({
    altNames: [
        new pkijs.GeneralName({
            type: 1, // rfc822Name
            value: email
        }),
        new pkijs.GeneralName({
            type: 0, // Other Name
            value:
                new asn1js.ObjectIdentifier({ value: "1.3.6.1.4.1.311.20.2.3" })
        }),
        new pkijs.GeneralName({
            type: 0, // Other Name
            value:
                new asn1js.Utf8String({ value: upn })
        })
    ]
});

var altNamesExt = new pkijs.Extension({
    extnID: "2.5.29.17",
    critical: false,
    extnValue: altNames.toSchema().toBER(false)
});
```

It produces this structure, which while seemingly close, is clearly wrong (right hand side is correct):

[Screenshot: Screen Shot 2021-07-13 at 10 22 41 PM]

current.txt

Thanks,

Seth Milder

microshine commented 3 years ago

```js
const altName = new pkijs.GeneralNames({
  names: [
    new pkijs.GeneralName({
      type: 0,
      value: new asn1js.Sequence({
          value: [
            new asn1js.ObjectIdentifier({ value: "1.3.6.1.4.1.311.20.2.3" }),
            new asn1js.Constructed({
              idBlock: {
                tagClass: 3,
                tagNumber: 0 // [0]
              },
              value: [new asn1js.Utf8String({ value: "some other name" })],
            }),
          ]
        }).valueBlock,
    }),
  ],
});

const altNameExt = new pkijs.Extension({
  extnID: "2.5.29.17",
  critical: false,
  extnValue: altName.toSchema().toBER(),
  parsedValue: altName,
});

const altNameRaw = altNameExt.toSchema().toBER();
```

Encoded raw (HEX)

302a0603551d1104233021a01f060a2b060104018237140203a0110c0f736f6d65206f74686572206e616d65

ASN.1

```text
SEQUENCE (2 elem)
  OBJECT IDENTIFIER 2.5.29.17 subjectAltName (X.509 extension)
  OCTET STRING (35 byte) 3021A01F060A2B060104018237140203A0110C0F736F6D65206F74686572206E616D65
    SEQUENCE (1 elem)
      [0] (2 elem)
        OBJECT IDENTIFIER 1.3.6.1.4.1.311.20.2.3 universalPrincipalName (Microsoft UPN)
        [0] (1 elem)
          UTF8String some other name
```

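As an added example (not code from the PKI.js project or from anyone in this thread), a dependency-free DER walker that checks a subjectAltName extension really has the UPN OtherName layout the answer above produces: the otherName is `[0] IMPLICIT`, and the UTF8String must sit inside an explicit `[0]` wrapper, which is exactly what the earlier flat `OID, UTF8String` attempts were missing. The helper names `readTlv`, `children`, `decodeOid` and `extractUpns` are assumptions of mine; running `extractUpns` on the hex shown above returns `["some other name"]`, and a UPN value that is not wrapped in `[0]` is rejected rather than silently accepted.

```javascript
// Added example (assumed helper names, not PKI.js code): minimal DER walker that
// validates the UPN OtherName layout [0] { OID upn, [0] EXPLICIT UTF8String }.
const UPN_OID = "1.3.6.1.4.1.311.20.2.3";
// Read one DER TLV at `off`; handles short and long-form lengths. `end` is the next offset.
function readTlv(buf, off) {
  const tag = buf[off];
  let len = buf[off + 1];
  let p = off + 2;
  if (len & 0x80) {                       // long form: next N bytes hold the length
    const n = len & 0x7f; len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[p++];
  }
  return { tag, value: buf.subarray(p, p + len), end: p + len };
}

// Split the content of a constructed TLV into its child TLVs.
function children(value) {
  const out = [];
  for (let p = 0; p < value.length; p = out[out.length - 1].end) out.push(readTlv(value, p));
  return out;
}

// Decode DER OID content bytes into dotted form (e.g. 2b06...0203 -> 1.3.6.1.4.1.311.20.2.3).
function decodeOid(bytes) {
  const arcs = [Math.floor(bytes[0] / 40), bytes[0] % 40];
  let v = 0;
  for (let i = 1; i < bytes.length; i++) {
    v = v * 128 + (bytes[i] & 0x7f);
    if (!(bytes[i] & 0x80)) { arcs.push(v); v = 0; }
  }
  return arcs.join(".");
}

// Return every UPN in a DER-encoded X.509 Extension (hex); throws on a malformed OtherName.
function extractUpns(extensionHex) {
  const ext = children(readTlv(Buffer.from(extensionHex, "hex"), 0).value);
  if (decodeOid(ext[0].value) !== "2.5.29.17") throw new Error("not a subjectAltName extension");
  const names = children(readTlv(ext[ext.length - 1].value, 0).value); // extnValue is the last child
  const upns = [];
  for (const gn of names) {
    if (gn.tag !== 0xa0) continue;        // otherName is [0] IMPLICIT, constructed
    const [typeId, explicit] = children(gn.value);
    if (decodeOid(typeId.value) !== UPN_OID) continue;
    if (!explicit || explicit.tag !== 0xa0) throw new Error("UPN value must be wrapped in [0] EXPLICIT");
    const str = readTlv(explicit.value, 0);
    if (str.tag !== 0x0c) throw new Error("UPN must be a UTF8String");
    upns.push(str.value.toString("utf8"));
  }
  return upns;
}
```

A check like this belongs in the issuance path of a CA or RA, since a relying party that maps the UPN to an account will only find it in the exact structure above.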
xomilders commented 3 years ago

This is fantastic! Thank you so much! It works perfectly now. You guys rock 🙂

Best, Seth


From: Miroshin Stepan @.> Sent: Wednesday, July 21, 2021 6:36 AM To: PeculiarVentures/PKI.js @.> Cc: Seth Milder @.>; Author @.> Subject: Re: [EXTERNAL] [PeculiarVentures/PKI.js] Adding the principal name of the subscriber in the SubjectAltName extension as a UPN (1.3.6.1.4.1.311.20.2.3) (#323)
