[kmf-discuss] OIDs and Extensions
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Tue May 22 12:30:39 PDT 2007
Massimiliano Pala wrote:
> Wyllys Ingersoll wrote:
>> Darn it, the example is still not right.
>> The fact that the ASN.1 library (libkmfberder.so.1)
>> is not exposed makes it harder than I had thought.
>
> Yes it does, at least for me. I have to deal with custom extensions (and
> besides this, extensions are always increasing as well as OIDs, so I
> need for the CA project a way to encode extensions).
>
>> newextn.BERvalue.Data/Length need to refer to the
>> entire ASN.1 encoded octet stream for the entire extension.
>
> So , the second example (the first one I guess it is ok, right ?) is
> not right because I should DER encode the value and use that in the
> Data/Length fields, right ?
>
> I was thinking about the possibility to have a single function in KMF
> that would encode an extension provided the OID, type and value and
> value length.
>
> For example:
>
> KMF_NewExtension( KMF_EXTENSION *ext, char *OID);
> KMF_ExtensionAddValue( KMF_EXTENSION *ext, char *type,
> char *value, int len );
>
> where:
>
> OID can be a dotted notation, like "0.2.3.1.333.221", or a
> one of the recognized values, like "subjectAltName".
>
> type can be a dotted notation or one of the "DER" or "ASN1:ASN1_type",
> where ASN1_type could be OCTET_STRING, UTF8_String, INTEGER, etc...
>
> value is the value to be encoded in the extension
>
> len is the length of the value (before encoding)
>
>
> This would prevent the need to expose the ASN1 library, I guess.
>
> [...]
>> For a multi-part extension, I think as long as you
>> encode it correctly, KMF will add it just fine.
>
> I will try to come up with something and let you know... :)
This is a pretty good idea - mask the internals of how
we do the ASN.1 while providing a clean interface for adding new
extensions. As long as the extensions can be easily
encoded and don't require multiple tags/values, it should be fine.
A more complex structure would not fit so easily into this model,
though.
-Wyllys
More information about the kmf-discuss
mailing list