I have almost no knowledge of ASN.1. That said, I'm trying to fill in the SET of Attributes in a call to:

CertificationRequestInfo(INTEGER version, Name subject, SubjectPublicKeyInfo subjectPublicKeyInfo, SET attributes)

I'm building the SET of Attributes now using the following code:
import org.mozilla.jss.asn1.*;
import org.mozilla.jss.pkix.primitive.*;

SET attributeSet = new SET();
byte[] keyUsageByte = new byte[1];
keyUsageByte[0] = 0x80 & 0x40; //digital signature and non repudiation
BIT_STRING keyUsage = new BIT_STRING(keyUsageByte, 1); // 1 padding bit
OCTET_STRING os = new OCTET_STRING( keyUsage.getBits() );
OBJECT_IDENTIFIER keyUsageOid = new OBJECT_IDENTIFIER( new long[] {2,5,29,15} );
Attribute keyUsageAttr = new Attribute(keyUsageOid, os);
attributeSet.addElement(keyUsageAttr);

I picked the basic framework for this out of a discussion over keyusage for a certificate from this forum post:
http://groups-beta.google.com/group/netscape.public.mozilla.crypto/browse_frm/thread/f1b9c34967212455/168cd3a9d54b90e3?lnk=gst&q=keyusage+jss&rnum=3#168cd3a9d54b90e3

I know he was building up "Extension" and I'm trying to build up an "Attribute".

When I send off the request to the RedHat CA (which you guys tell me is underpinned heavily by JSS) I get "Missing or malformed KeyGen, PKCS #10 or CRMF request."

Using openssl asn1parse, here's the keyusage part:
  310:d=3  hl=2 l=  10 cons: SEQUENCE
  312:d=4  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage
  317:d=4  hl=2 l=   3 cons: SET
  319:d=5  hl=2 l=   1 prim: OCTET STRING
      0001 - <SPACES/NULS>

The <SPACES/NULS> doesn't look good to me. If I just insert an empty SET into the CertificationRequestInfo I get a valid PKCS10 request and I get a cert back from the CA but it has no key usage extension on it.

I read through a copy of the PKCS10 spec but it didn't mean a whole lot to me. It speaks about the extensionRequest attribute from PKCS9, which I also looked through and, again, got lost.

Does anyone know how to properly add the keyUsage to the request?

Thanks,
Dave
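The structure the post is after, as an added example that is not part of the original message or of JSS: Python that DER-encodes a PKCS#9 extensionRequest attribute (OID 1.2.840.113549.1.9.14) whose value is an Extensions sequence holding a keyUsage extension (2.5.29.15) with digitalSignature and nonRepudiation set. It makes two details concrete: `0x80 & 0x40` is 0, so the posted bit string is all zeros (`0x80 | 0x40` is 0xC0, encoded with 6 unused bits rather than 1), and extnValue is an OCTET STRING wrapping the DER BIT STRING, not the raw bit bytes.

```python
# Added example, not code from the original post or from JSS: a minimal DER
# encoder for the PKCS#9 extensionRequest attribute carrying a keyUsage
# extension, the structure a PKCS#10 request uses to ask for extensions.

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one octet, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

KU_DIGITAL_SIGNATURE, KU_NON_REPUDIATION = 0, 1  # RFC 5280 KeyUsage bit positions

def key_usage_bitstring(bits):
    """BIT STRING for a named-bit list. Bit 0 is the most significant bit of the
    first octet; DER drops trailing zero bits, and the leading octet records how
    many bits of the last octet are unused (6 for digitalSignature+nonRepudiation)."""
    if not bits:
        return tlv(0x03, b"\x00")
    nbits = max(bits) + 1
    octets = bytearray((nbits + 7) // 8)
    for b in bits:
        octets[b // 8] |= 0x80 >> (b % 8)
    return tlv(0x03, bytes([len(octets) * 8 - nbits]) + bytes(octets))

def key_usage_extension(bits, critical=False):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }.
    extnValue is an OCTET STRING *containing* the DER BIT STRING, not the raw bits."""
    body = oid("2.5.29.15")
    if critical:
        body += tlv(0x01, b"\xff")
    return tlv(0x30, body + tlv(0x04, key_usage_bitstring(bits)))

def extension_request_attribute(extensions):
    """Attribute ::= SEQUENCE { type OID, values SET OF ANY }; for extensionRequest
    the single value is Extensions ::= SEQUENCE OF Extension, not a bare extension."""
    return tlv(0x30, oid("1.2.840.113549.1.9.14")
               + tlv(0x31, tlv(0x30, b"".join(extensions))))
```

The resulting attribute goes into the SET attributes of CertificationRequestInfo, and `openssl asn1parse` shows it as an Extension Request containing an X509v3 Key Usage whose value parses as a BIT STRING.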
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto