David Stutzman wrote:
> I'm building the SET of Attributes now using the following code:
> SET attributeSet = new SET();
> byte[] keyUsageByte = new byte[1];
> keyUsageByte[0] = 0x80 & 0x40; //digital signature and non repudiation

Well, of course, 0x80 & 0x40 == 0. I think you meant 0x80 | 0x40.

> When I send off the request to the RedHat CA (which you guys tell me is
> underpinned heavily by JSS) I get "Missing or malformed KeyGen, PKCS #10
> or CRMF request."
>
> Using openssl asn1parse, here's the keyusage part:
>   310:d=3  hl=2 l=  10 cons: SEQUENCE
>   312:d=4  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage
>   317:d=4  hl=2 l=   3 cons: SET
>   319:d=5  hl=2 l=   1 prim: OCTET STRING
>      0001 - <SPACES/NULS>
>
> The <SPACES/NULS> doesn't look good to me.

I used this command to generate a CSR with a key usage extension:

certutil -R -d DB -s CN=David.Stutzman -1 -o /tmp/CSRdavid

Then I dumped it with dumpasn1 -hh. Here's what I got:

> <30 82 01 76 30 81 E0 02 01 00 30 19 31 17 30 15 06 03 55 04 03 13 0E 44>
>   0 374: SEQUENCE {
> <30 81 E0 02 01 00 30 19 31 17 30 15 06 03 55 04 03 13 0E 44 61 76 69 64>
>   4 224:   SEQUENCE {
> <02 01 00>
>   7   1:     INTEGER 0
> <30 19 31 17 30 15 06 03 55 04 03 13 0E 44 61 76 69 64 2E 53 74 75 74 7A>
>  10  25:     SEQUENCE {
> <31 17 30 15 06 03 55 04 03 13 0E 44 61 76 69 64 2E 53 74 75 74 7A 6D 61>
>  12  23:       SET {
> <30 15 06 03 55 04 03 13 0E 44 61 76 69 64 2E 53 74 75 74 7A 6D 61 6E>
>  14  21:         SEQUENCE {
> <06 03 55 04 03>
>  16   3:           OBJECT IDENTIFIER '2 5 4 3'
> <13 0E 44 61 76 69 64 2E 53 74 75 74 7A 6D 61 6E>
>  21  14:           PrintableString 'David.Stutzman'
>        :         }
>        :       }
>        :     }
> <30 81 9F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 81 8D 00 30 81>
>  37 159:     SEQUENCE {
> <30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00>
>  40  13:       SEQUENCE {
> <06 09 2A 86 48 86 F7 0D 01 01 01>
>  42   9:         OBJECT IDENTIFIER '1 2 840 113549 1 1 1'
> <05 00>
>  53   0:         NULL
>        :       }
> <03 81 8D 00 30 81 89 02 81 81 00 BD 57 B0 44 6B 60 63 62 53 DD 75 F3 8E>
>  55 141:       BIT STRING, encapsulates {
> <30 81 89 02 81 81 00 BD 57 B0 44 6B 60 63 62 53 DD 75 F3 8E D3 15 96 65>
>  59 137:         SEQUENCE {
> <02 81 81 00 BD 57 B0 44 6B 60 63 62 53 DD 75 F3 8E D3 15 96 65 F1 F8 76>
>  62 129:           INTEGER
>        :             00 BD 57 B0 44 6B 60 63 62 53 DD 75 F3 8E D3 15
>        :             96 65 F1 F8 76 33 2C C2 30 5E 1E 6F B2 C2 0E F1
>        :             3F 14 2C 21 22 5E 5D 85 8B 6D 70 C4 2B D4 7A 5B
>        :             1B 64 09 91 35 54 A4 66 7E DA E2 8B 02 2D 40 38
>        :             C5 53 F2 14 A1 92 C8 4C 5E A3 60 B8 D2 21 48 D0
>        :             47 1D 30 1A A8 00 46 F3 9A 23 FA FE 73 CF 16 B7
>        :             29 02 BF D6 CC BA 09 21 AC 82 A2 38 09 F6 20 E8
>        :             CE 1C 28 49 F5 F4 2C 11 2C 8C 6C 18 AF 1D 2C C3
>        :             [ Another 1 bytes skipped ]
> <02 03 01 00 01>
> 194   3:           INTEGER 65537
>        :         }
>        :       }
>        :     }
> <A0 1E 30 1C 06 09 2A 86 48 86 F7 0D 01 09 0E 31 0F 30 0D 30 0B 06 03 55>
> 199  30:     [0] {
> <30 1C 06 09 2A 86 48 86 F7 0D 01 09 0E 31 0F 30 0D 30 0B 06 03 55 1D 0F>
> 201  28:       SEQUENCE {
> <06 09 2A 86 48 86 F7 0D 01 09 0E>
> 203   9:         OBJECT IDENTIFIER '1 2 840 113549 1 9 14'
> <31 0F 30 0D 30 0B 06 03 55 1D 0F 04 04 03 02 06 C0>
> 214  15:         SET {
> <30 0D 30 0B 06 03 55 1D 0F 04 04 03 02 06 C0>
> 216  13:           SEQUENCE {
> <30 0B 06 03 55 1D 0F 04 04 03 02 06 C0>
> 218  11:             SEQUENCE {
> <06 03 55 1D 0F>
> 220   3:               OBJECT IDENTIFIER '2 5 29 15'
> <04 04 03 02 06 C0>
> 225   4:               OCTET STRING, encapsulates {
> <03 02 06 C0>
> 227   2:                 BIT STRING 6 unused bits
>        :                   '11'B
>        :               }
>        :             }
>        :           }
>        :         }
>        :       }
>        :     }
>        :   }
> <30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00>
> 231  13:   SEQUENCE {
> <06 09 2A 86 48 86 F7 0D 01 01 05>
> 233   9:     OBJECT IDENTIFIER '1 2 840 113549 1 1 5'
> <05 00>
> 244   0:     NULL
>        :   }
> <03 81 81 00 53 27 A1 18 BF 64 6E EF F4 B1 CF FF 7D 1D 6E 16 5E 83 BB DF>
> 246 129:   BIT STRING
>        :     53 27 A1 18 BF 64 6E EF F4 B1 CF FF 7D 1D 6E 16
>        :     5E 83 BB DF 27 D4 0A B1 CF C3 2D 26 7D DE 9A 83
>        :     BD 2C 07 F3 6B 0D 1C 66 D1 F9 7B CC 08 85 78 FA
>        :     5D 20 54 8F 00 15 24 BF 41 47 03 CE 34 DC 06 B0
>        :     0E 42 13 94 87 26 4D 3A 1F 45 AC 4D 9C 0F 19 D8
>        :     61 43 A3 BA 9E E6 8C 4C C6 7F 72 49 1C 25 DC F9
>        :     33 C4 3A B8 A6 25 DF 49 17 0D 34 BC F9 E1 31 19
>        :     45 D6 56 41 24 7C 15 52 DF B1 1A 5B C8 82 01 C4
>        :   }
>
> 0 warnings, 0 errors.

And I looked at the CSR with the NSS command

pp -t certificate-request < /tmp/CSRdavid

and got

> Certificate Request:
>     Data:
>         Version: 0 (0x0)
>         Subject: "CN=David.Stutzman"
>         Subject Public Key Info:
>             Public Key Algorithm: PKCS #1 RSA Encryption
>             RSA Public Key:
>                 Modulus:
>                     bd:57:b0:44:6b:60:63:62:53:dd:75:f3:8e:d3:15:96:
>                     65:f1:f8:76:33:2c:c2:30:5e:1e:6f:b2:c2:0e:f1:3f:
>                     14:2c:21:22:5e:5d:85:8b:6d:70:c4:2b:d4:7a:5b:1b:
>                     64:09:91:35:54:a4:66:7e:da:e2:8b:02:2d:40:38:c5:
>                     53:f2:14:a1:92:c8:4c:5e:a3:60:b8:d2:21:48:d0:47:
>                     1d:30:1a:a8:00:46:f3:9a:23:fa:fe:73:cf:16:b7:29:
>                     02:bf:d6:cc:ba:09:21:ac:82:a2:38:09:f6:20:e8:ce:
>                     1c:28:49:f5:f4:2c:11:2c:8c:6c:18:af:1d:2c:c3:97
>                 Exponent: 65537 (0x10001)
>         Attribute Type: PKCS #9 Extension Request
>         Extensions:
>             Name: Certificate Key Usage
>             Usages: Digital Signature
>                     Non-Repudiation
>
>     Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
>     Signature:
>         53:27:a1:18:bf:64:6e:ef:f4:b1:cf:ff:7d:1d:6e:16:
>         5e:83:bb:df:27:d4:0a:b1:cf:c3:2d:26:7d:de:9a:83:
>         bd:2c:07:f3:6b:0d:1c:66:d1:f9:7b:cc:08:85:78:fa:
>         5d:20:54:8f:00:15:24:bf:41:47:03:ce:34:dc:06:b0:
>         0e:42:13:94:87:26:4d:3a:1f:45:ac:4d:9c:0f:19:d8:
>         61:43:a3:ba:9e:e6:8c:4c:c6:7f:72:49:1c:25:dc:f9:
>         33:c4:3a:b8:a6:25:df:49:17:0d:34:bc:f9:e1:31:19:
>         45:d6:56:41:24:7c:15:52:df:b1:1a:5b:c8:82:01:c4
>     Fingerprint (MD5):
>         82:85:CE:B6:2A:98:8C:E7:31:40:64:4E:38:CC:AF:12
>     Fingerprint (SHA1):
>         9F:3B:2C:26:9D:9F:3A:EB:E6:7A:2B:12:A9:B1:F7:00:FD:C2:ED:1F

Hope this helps.
--
Nelson B
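
The key usage encoding discussed in this thread, as an added Java example that is not part of the original message and does not use JSS: it hand-encodes the DER for the PKCS #9 extensionRequest attribute in the nesting shown in the dumpasn1 output above, and contrasts 0x80 & 0x40 with 0x80 | 0x40. The class and method names are hypothetical.

```java
import java.io.ByteArrayOutputStream;

// Added illustration; class and method names are hypothetical, no JSS calls.
public class KeyUsageAttr {
    // OIDs as they appear in the dump: 1.2.840.113549.1.9.14 and 2.5.29.15.
    static final byte[] OID_EXT_REQUEST = {0x06, 0x09, 0x2A, (byte) 0x86, 0x48,
            (byte) 0x86, (byte) 0xF7, 0x0D, 0x01, 0x09, 0x0E};
    static final byte[] OID_KEY_USAGE = {0x06, 0x03, 0x55, 0x1D, 0x0F};

    // DER tag-length-value, short-form length only (enough for this attribute).
    static byte[] tlv(int tag, byte[]... parts) {
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        for (byte[] p : parts) body.write(p, 0, p.length);
        if (body.size() > 127) throw new IllegalArgumentException("needs long-form length");
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(tag);
        out.write(body.size());
        out.write(body.toByteArray(), 0, body.size());
        return out.toByteArray();
    }

    // KeyUsage is a named-bit BIT STRING: the first content octet counts the
    // unused low bits of the last octet, and no flags at all encodes as 03 01 00.
    static byte[] keyUsageBitString(int flags) {
        flags &= 0xFF; // this sketch covers the first eight usage bits only
        if (flags == 0) return tlv(0x03, new byte[] {0});
        int unused = Integer.numberOfTrailingZeros(flags);
        // Storing 0xC0 in a Java byte needs the explicit cast; it is -64 as a signed byte.
        return tlv(0x03, new byte[] {(byte) unused, (byte) flags});
    }

    // Attribute ::= SEQUENCE { extensionRequest OID, SET { Extensions } }
    static byte[] extensionRequest(int flags) {
        byte[] extension = tlv(0x30, OID_KEY_USAGE, tlv(0x04, keyUsageBitString(flags)));
        return tlv(0x30, OID_EXT_REQUEST, tlv(0x31, tlv(0x30, extension)));
    }

    static String hex(byte[] der) {
        StringBuilder sb = new StringBuilder();
        for (byte b : der) sb.append(String.format("%02X ", b));
        return sb.toString().trim();
    }

    public static void main(String[] args) {
        System.out.println(hex(keyUsageBitString(0x80 & 0x40))); // AND: no usage bits survive
        System.out.println(hex(keyUsageBitString(0x80 | 0x40))); // OR: both usage bits set
        System.out.println(hex(extensionRequest(0x80 | 0x40)));  // compare with offset 201 in the dump
    }
}
```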