RFC - support for subjectUniqueID and issuerUniqueID

Simon Josefsson simon at josefsson.org
Wed Aug 11 13:31:58 CEST 2010


Brad Hards <bradh at frogmouth.net> writes:

> Hi,
>
> During investigation into some windows protocols, we've found that windows 
> servers create certificates that make use of the subjectUniqueID and 
> issuerUniqueID fields. They seem to contain GUID values.
>
> The attached patch (which I'm looking for feedback on, not to be applied at 
> this stage) allows fetching / display of those fields. I have a second patch 
> for setting / writing those fields, but I haven't tested it yet. A sample 
> certificate is also attached.
>
> I recognise that they aren't normally used (and are deprecated), but for 
> interop purposes, I'd like to be able to access them if necessary.
>
> Thoughts and comments?

Generally, I think we should have an API to extract arbitrary extensions
instead of adding new APIs for each and every strange extension.  I
think we already have these APIs though?

I don't see any extensions in your certificate though?  So I'm not sure
exactly what fields you are talking about.

/Simon

jas at mocca:~$ dumpasn1 cert
   0  768: SEQUENCE {
   4  492:   SEQUENCE {
   8    3:     [0] {
  10    1:       INTEGER 2
         :       }
  13   16:     INTEGER BD 76 DF 42 47 0A 00 8D 47 3E 74 3F A1 DC 8B BD
         :       Error: Integer has a negative value.
  31    9:     SEQUENCE {
  33    5:       OBJECT IDENTIFIER sha-1WithRSAEncryption (1 3 14 3 2 29)
  40    0:       NULL
         :       }
  42   45:     SEQUENCE {
  44   43:       SET {
  46   41:         SEQUENCE {
  48    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
  53   34:           PrintableString 'w.2.k.8.r.2...m.a.t.w.s...n.e.t...'
         :             Error: PrintableString contains illegal character(s).
         :           }
         :         }
         :       }
  89   30:     SEQUENCE {
  91   13:       UTCTime 28/04/2010 11:41:54 GMT
 106   13:       UTCTime 28/04/2011 11:41:54 GMT
         :       }
 121   45:     SEQUENCE {
 123   43:       SET {
 125   41:         SEQUENCE {
 127    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
 132   34:           PrintableString 'w.2.k.8.r.2...m.a.t.w.s...n.e.t...'
         :             Error: PrintableString contains illegal character(s).
         :           }
         :         }
         :       }
 168  290:     SEQUENCE {
 172   13:       SEQUENCE {
 174    9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
 185    0:         NULL
         :         }
 187  271:       BIT STRING, encapsulates {
 192  266:         SEQUENCE {
 196  257:           INTEGER
         :             00 AA D7 32 26 D7 FC 69 57 4A 55 08 2B 97 C1 5B
         :             90 FD E8 F5 F7 9E 7D 34 CE E9 BB 38 A0 9F EC 84
         :             86 3E 47 2E 71 D7 C3 BF 89 F3 80 B5 77 80 D3 B0
         :             56 6B 9C F4 D3 42 2B 26 01 5C 42 EF F6 51 5A AA
         :             55 6B 30 D3 2C DC DE 36 4D DD F3 5F 59 BA 57 D8
         :             39 0F 5B D3 E1 34 39 22 AA 71 10 59 7A EC 9F 1A
         :             F5 A9 40 D6 7B 32 5F 19 85 C0 FD A6 6C 32 58 DC
         :             7C 07 42 36 D0 57 78 63 60 92 1D 1F 9D BD CC D7
         :                     [ Another 129 bytes skipped ]
 457    3:           INTEGER 65537
         :           }
         :         }
         :       }
 462   17:     [1] 00 BD 8B DC A1 3F 74 3E 47 8D 00 0A 47 42 DF 76 BD
 481   17:     [2] 00 BD 8B DC A1 3F 74 3E 47 8D 00 0A 47 42 DF 76 BD
         :     }
 500    9:   SEQUENCE {
 502    5:     OBJECT IDENTIFIER sha-1WithRSAEncryption (1 3 14 3 2 29)
 509    0:     NULL
         :     }
 511  257:   BIT STRING
         :     A7 B0 66 75 14 7E 7D B5 31 EC B2 EB 90 80 95 25
         :     59 0F E4 15 86 2D 9D D7 35 E9 22 74 E7 85 36 19
         :     4F 27 5C 17 63 7B 2A FE 59 E9 76 77 D0 C9 40 78
         :     7C 31 62 1E 87 1B C1 19 EF 6F 15 E6 CE 74 84 6D
         :     D6 3B 57 D9 A9 13 F6 7D 84 E7 8F C6 01 5F CF C4
         :     95 C9 DE 97 17 43 12 70 27 F9 C4 D7 E1 05 BB 63
         :     87 5F DC 20 BD D1 DE D6 2D 9F 3F 5D 0A 27 40 11
         :     5F 5D 54 A7 28 F9 03 2E 84 8D 48 60 A1 71 A3 46
         :             [ Another 128 bytes skipped ]
         :   }

0 warnings, 3 errors.
jas at mocca:~$ 
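The `[1]` and `[2]` fields at offsets 462 and 481 in the dump above are not extensions: in the RFC 5280 TBSCertificate they are the optional issuerUniqueID and subjectUniqueID (each an IMPLICIT UniqueIdentifier, i.e. a BIT STRING), placed after subjectPublicKeyInfo and before the `[3]` extensions wrapper, which is why a generic extension API will not reach them. The following is an added Python example, not GnuTLS code and not the patch under discussion: a minimal DER reader walks the TBSCertificate, returns those two fields, and flags the two things a validator would care about here, a negative serial number (the dumpasn1 error above) and a uniqueID in a v1 certificate (RFC 5280 only permits them in v2/v3). The certificate it parses is constructed inline with dummy names, a dummy key and no real signature; only the serial and unique-ID bytes are copied from the dump. Rendering the 16 bytes as a GUID with `uuid.UUID(bytes_le=...)` assumes Windows' little-endian GUID byte order, which is an assumption of this example, not something the thread establishes.

```python
# Added example (not GnuTLS code): pull issuerUniqueID [1] and subjectUniqueID [2]
# out of an X.509 TBSCertificate with a small hand-written DER reader.
import uuid

SEQUENCE, SET, INTEGER, BIT_STRING, NULL, OID, PRINTABLE, UTCTIME = (
    0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x13, 0x17)
VERSION_TAG, ISSUER_UID_TAG, SUBJECT_UID_TAG, EXTENSIONS_TAG = 0xA0, 0x81, 0x82, 0xA3

def der(tag, body):
    """Encode one TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, contents, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[pos:end], end

def unique_ids(cert_der):
    """Return version, uniqueID fields (None when absent) and RFC 5280 warnings."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != SEQUENCE:
        raise ValueError("Certificate must be a SEQUENCE")
    tag, tbs, _ = read_tlv(cert, 0)
    if tag != SEQUENCE:
        raise ValueError("tbsCertificate must be a SEQUENCE")
    pos, version = 0, 1
    tag, body, end = read_tlv(tbs, pos)
    if tag == VERSION_TAG:                 # [0] EXPLICIT Version; absent means v1
        version = read_tlv(body, 0)[1][0] + 1
        pos = end
    tag, serial, pos = read_tlv(tbs, pos)
    if tag != INTEGER:
        raise ValueError("serialNumber must be an INTEGER")
    for _ in range(5):                     # signature, issuer, validity, subject, spki
        _, _, pos = read_tlv(tbs, pos)
    out = {"version": version, "issuerUniqueID": None, "subjectUniqueID": None,
           "extensions": False, "warnings": []}
    if serial[0] & 0x80:                   # two's-complement INTEGER with top bit set
        out["warnings"].append("serialNumber is negative (RFC 5280 4.1.2.2)")
    while pos < len(tbs):                  # the optional tail of TBSCertificate
        tag, body, pos = read_tlv(tbs, pos)
        if tag in (ISSUER_UID_TAG, SUBJECT_UID_TAG):
            # IMPLICIT BIT STRING: first content byte is the count of unused bits
            if not body or body[0] > 7:
                raise ValueError("malformed UniqueIdentifier BIT STRING")
            key = "issuerUniqueID" if tag == ISSUER_UID_TAG else "subjectUniqueID"
            out[key] = (body[0], body[1:])
        elif tag == EXTENSIONS_TAG:
            out["extensions"] = True
    if version < 2 and (out["issuerUniqueID"] or out["subjectUniqueID"]):
        out["warnings"].append("uniqueID present in a v1 certificate (RFC 5280 4.1.2.8)")
    return out

def as_guid(uid_bytes):
    """Assumption: Windows little-endian GUID layout (not established by the thread)."""
    return str(uuid.UUID(bytes_le=uid_bytes))

def build_cert(serial_bytes, issuer_uid=None, subject_uid=None, version=3):
    """Constructed sample certificate: dummy CN/key, algorithm OIDs from the dump, no real signature."""
    name = der(SEQUENCE, der(SET, der(SEQUENCE, der(OID, b"\x55\x04\x03") + der(PRINTABLE, b"test"))))
    alg = der(SEQUENCE, der(OID, b"\x2b\x0e\x03\x02\x1d") + der(NULL, b""))   # sha-1WithRSAEncryption
    validity = der(SEQUENCE, der(UTCTIME, b"100428114154Z") + der(UTCTIME, b"110428114154Z"))
    spki = der(SEQUENCE, alg + der(BIT_STRING, b"\x00\x00"))
    tbs = der(VERSION_TAG, der(INTEGER, bytes([version - 1]))) if version > 1 else b""
    tbs += der(INTEGER, serial_bytes) + alg + name + validity + name + spki
    if issuer_uid is not None:
        tbs += der(ISSUER_UID_TAG, b"\x00" + issuer_uid)
    if subject_uid is not None:
        tbs += der(SUBJECT_UID_TAG, b"\x00" + subject_uid)
    return der(SEQUENCE, der(SEQUENCE, tbs) + alg + der(BIT_STRING, b"\x00"))

# Bytes copied from the dumpasn1 output above (constructed certificate around them).
SERIAL = bytes.fromhex("BD76DF42470A008D473E743FA1DC8BBD")
GUID = bytes.fromhex("BD8BDCA13F743E478D000A4742DF76BD")

if __name__ == "__main__":
    r = unique_ids(build_cert(SERIAL, GUID, GUID))
    print(r["version"], r["warnings"])
    print("issuerUniqueID ", r["issuerUniqueID"][1].hex(), as_guid(r["issuerUniqueID"][1]))
    print("subjectUniqueID", r["subjectUniqueID"][1].hex(), as_guid(r["subjectUniqueID"][1]))
```

The reader deliberately walks the TBSCertificate positionally rather than scanning for tag bytes: `0x81`/`0x82` also appear inside other structures (a GeneralName in an extension, for instance), so a scan would produce false hits, whereas after the six mandatory fields only `[1]`, `[2]` and `[3]` are legal. Feeding the real certificate from the thread through `unique_ids()` would additionally trip on nothing here but show the negative-serial warning, matching dumpasn1's first error.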
