Topic: SubjectAltName->GeneralName->Othername->id-on-hardwareModuleName

There is a request to implement SubjectAltName using:

    GeneralName->Othername->id-on-hardwareModuleName

where id-on-hardwareModuleName is defined in RFC 4108.

I tried to find out whether any existing code could be used for this purpose, but it seems this is not supported yet. May I know how we can implement these extension fields?


Re: SubjectAltName->GeneralName->Othername->id-on-hardwareModuleName

Hi,

We don't currently support this functionality, but will add it to our desired feature list.

Our current AltName processing takes place in CheckAltNames(), located in <cyassl_root>/src/internal.c.

Do you mind if I ask what kind of project you are working on?

Best Regards,
Chris

Re: SubjectAltName->GeneralName->Othername->id-on-hardwareModuleName

Thanks Chris,

I saw that the parser seems to be implemented when I activate the CYASSL_SEP flag.
May I know if there is any direction you can provide for our reference?
I am trying to use setAltNameBuffer to put this ASN1 content into our certificate; is that possible?

I am working on a smart-metering-related project so far.


Re: SubjectAltName->GeneralName->Othername->id-on-hardwareModuleName

Hi,

We originally wrote SetAltNamesBuffer() for an application where we needed to copy altNames from an existing certificate over to a new one.  It is set up to take a raw DER-encoded buffer, as you would find in an existing cert.

It would take a little exploration if that would work in your case or not.  It sounds like you are trying to generate certificates here, whereas your first question dealt with verifying them.  Is that correct?

Thanks,
Chris

Re: SubjectAltName->GeneralName->Othername->id-on-hardwareModuleName

Thanks Chris,

I added a CSR within SubjectAltName; however, I cannot find an existing API to load a CSR, sign it, and then generate a certificate... I will post here if there is any progress. Thanks for your reply.

Eason


Re: SubjectAltName->GeneralName->Othername->id-on-hardwareModuleName

Hi Eason,

To generate a CSR with wolfSSL, you'll need to define WOLFSSL_CERT_REQ, which will make the wc_MakeCertReq() function available.  Example usage can be found in <wolfssl_root>/wolfcrypt/test/test.c in the rsa_test() function.

Best Regards,
Chris

Re: SubjectAltName->GeneralName->Othername->id-on-hardwareModuleName

Thanks for your help. We are aware of this already; the only problem we faced is customizing the extension fields I mentioned in the CSR.
As mentioned, we are using an external ASN1 structure to wrap the content we want, then put it into the othername field.
It generates successfully; I exported it in PEM format, FYI.


Also, to demonstrate that our idea is correct, we used openssl to verify our modification. The original openssl didn't support othername, so we made a light modification to openssl to parse the HEX data in the othername field. Fortunately, it works.

Thanks for all the valuable input from you. We are moving to the next step now -- to have a signed certificate based on this CSR.

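The following is an added example, not code from the thread or from CyaSSL/wolfSSL: it builds the raw DER for a GeneralNames value whose single entry is an otherName carrying id-on-hardwareModuleName, with the RFC 4108 HardwareModuleName SEQUENCE (hwType OID, hwSerialNum OCTET STRING) wrapped in the [0] EXPLICIT value field. The function and type names, the hwType OID 2.999.1 and the serial bytes are constructed for illustration; whether SetAltNamesBuffer() accepts this buffer is not confirmed in the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DER TLV of id-on-hardwareModuleName, OID 1.3.6.1.5.5.7.8.4 (RFC 4108). */
static const uint8_t HWMOD_OID[] = {0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x08,0x04};

/* Back-to-front writer: content is laid down first, headers are prepended. */
typedef struct { uint8_t *buf; size_t cap, len; int err; } der_w;
static void put(der_w *w, const uint8_t *src, size_t n) {
    if (w->err || n > w->cap - w->len) { w->err = 1; return; }
    w->len += n;
    if (n) memcpy(w->buf + w->cap - w->len, src, n);
}

/* Prepend tag + definite length; content longer than 255 bytes is rejected. */
static void hdr(der_w *w, uint8_t tag, size_t content_len) {
    uint8_t h[3]; size_t n = 0;
    if (content_len > 0xFF) { w->err = 1; return; }
    h[n++] = tag;
    if (content_len >= 0x80) h[n++] = 0x81;   /* long form, one length octet */
    h[n++] = (uint8_t)content_len;
    put(w, h, n);
}

/* hw_type: content octets of the hwType OID; serial: hwSerialNum. Returns length or 0. */
size_t encode_hwmodname_san(const uint8_t *hw_type, size_t hw_type_len,
        const uint8_t *serial, size_t serial_len, uint8_t *out, size_t cap) {
    der_w w = { out, cap, 0, hw_type_len == 0 };  /* an empty OID is invalid */
    put(&w, serial, serial_len);   hdr(&w, 0x04, serial_len);   /* hwSerialNum OCTET STRING */
    put(&w, hw_type, hw_type_len); hdr(&w, 0x06, hw_type_len);  /* hwType OBJECT IDENTIFIER */
    hdr(&w, 0x30, w.len);                    /* HardwareModuleName SEQUENCE */
    hdr(&w, 0xA0, w.len);                    /* OtherName value, [0] EXPLICIT */
    put(&w, HWMOD_OID, sizeof HWMOD_OID);    /* OtherName type-id */
    hdr(&w, 0xA0, w.len);                    /* GeneralName otherName, [0] IMPLICIT */
    hdr(&w, 0x30, w.len);                    /* GeneralNames SEQUENCE */
    if (w.err) return 0;
    memmove(out, out + cap - w.len, w.len);  /* left-align the encoding in out */
    return w.len;
}

int main(void) {
    const uint8_t hw_type[] = {0x88, 0x37, 0x01};        /* constructed: OID 2.999.1 */
    const uint8_t serial[]  = {0x01, 0x02, 0x03, 0x04};  /* constructed serial number */
    uint8_t out[64];
    size_t n = encode_hwmodname_san(hw_type, sizeof hw_type, serial, sizeof serial, out, sizeof out);
    for (size_t i = 0; i < n; i++) printf("%02X%s", out[i], i + 1 == n ? "\n" : "");
    return n ? 0 : 1;
}
```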