I'm writing a DER parser for certificate requests in .net. I based myself on the RFC 2986 which described most of the content of the request with ASN.1 modules.
However, it don't define how is structured the extensionRequest (oid 1.2.840.113549.1.9.14). I've searched high and low but I'm not able to find another rfc or publicly available documentation which describe what structure it use, what types are expected, etc (ie, the ASN.1 module of the extensionRequest object and it's children)
Sample Der decoded :
SEQUENCE (3 elem)
SEQUENCE (4 elem)
INTEGER 0
SEQUENCE (14 elem)
SEQUENCE (2 elem)
SEQUENCE (2 elem)
OBJECT IDENTIFIER 1.2.840.113549.1.1.1 rsaEncryption (PKCS #1)
NULL
BIT STRING (1120 bit) 001100001000000110001001000000101000000110000001000000001011111100011…
SEQUENCE (2 elem)
INTEGER (1024 bit) 134193393845175687447721541202995749257369077931432148182685911334902…
INTEGER 65537
[0] (4 elem)
SEQUENCE (2 elem)
OBJECT IDENTIFIER 1.3.6.1.4.1.311.13.2.3 osVersion (Microsoft attribute)
SET (1 elem)
IA5String 10.0.19042.2
SEQUENCE (2 elem)
OBJECT IDENTIFIER 1.3.6.1.4.1.311.21.20 requestClientInfo (Microsoft attribute)
SET (1 elem)
SEQUENCE (4 elem)
INTEGER 5
UTF8String EDITED
UTF8String EDITED\edited
UTF8String MMC.EXE
SEQUENCE (2 elem)
OBJECT IDENTIFIER 1.3.6.1.4.1.311.13.2.2 enrolmentCSP (Microsoft attribute)
SET (1 elem)
SEQUENCE (3 elem)
INTEGER 0
BMPString Microsoft Software Key Storage Provider
BIT STRING (0 bit)
SEQUENCE (2 elem)
OBJECT IDENTIFIER 1.2.840.113549.1.9.14 extensionRequest (PKCS #9 via CRMF)
SET (1 elem)
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv This sequence vvvvvvvvvvvvvvvvvvvvvvvvv
SEQUENCE (2 elem)
SEQUENCE (2 elem)
OBJECT IDENTIFIER 2.5.29.17 subjectAltName (X.509 extension)
OCTET STRING (153 byte) 308196A41430123110300E060355040B0C076469726E616D658204444E53318204444…
SEQUENCE (9 elem)
[4] (1 elem)
SEQUENCE (1 elem)
SET (1 elem)
SEQUENCE (2 elem)
OBJECT IDENTIFIER 2.5.4.11 organizationalUnitName (X.520 DN component)
UTF8String dirname
[2] (4 byte) DNS1
[2] (4 byte) DNS2
[1] (17 byte) othermail@mail.fr
[0] (2 elem)
OBJECT IDENTIFIER 1.3.6.1.4.1.311.25.1 ntdsReplication (Microsoft)
[0] (1 elem)
OCTET STRING (16 byte) ADC5FA58160E9F4ABB154A7DCEDC00A5
[7] (4 byte) 7F000002
[7] (16 byte) 00000000000000000000000000000001
[6] (3 byte) url
[0] (2 elem)
OBJECT IDENTIFIER 1.3.6.1.4.1.311.20.2.3 universalPrincipalName (Microsoft UPN)
[0] (1 elem)
UTF8String userprincipalname
SEQUENCE (2 elem)
OBJECT IDENTIFIER 2.5.29.14 subjectKeyIdentifier (X.509 extension)
OCTET STRING (20 byte) 87E201CF0B06CB290C98E7DF67796CF46AD9D507
OCTET STRING (20 byte) 87E201CF0B06CB290C98E7DF67796CF46AD9D507
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
SEQUENCE (2 elem)
OBJECT IDENTIFIER 1.2.840.113549.1.1.11 sha256WithRSAEncryption (PKCS #1)
NULL
BIT STRING (1024 bit) 101110000001101000110010011000110101111010001000011101110110001110000…
Do you know where I can find this info ?
Certificate extensions is an PKCS#9 request attribute. Specifically, extensionRequest attribute type is defined in RFC 2985 §5.4.2:
extensionRequest ATTRIBUTE ::= {
WITH SYNTAX ExtensionRequest
SINGLE VALUE TRUE
ID pkcs-9-at-extensionRequest
}
ExtensionRequest ::= Extensions
and in RFC 5280 Appendix A.1:
Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
Extension ::= SEQUENCE {
extnID OBJECT IDENTIFIER,
critical BOOLEAN DEFAULT FALSE,
extnValue OCTET STRING
-- contains the DER encoding of an ASN.1 value
-- corresponding to the extension type identified
-- by extnID
}
simply, attribute value is a SEQUENCE OF Extension type.