Subject name Generating Requests
10.3.1 Generating Requests
Recall that an X.509 certificate is a public key packaged with information about the certificate owner and issuer. Thus, to make a request, we must generate a public and private key on which well base our certificate. Well start our discussion assuming generation of the key pair has already been completed see Chapter 8 for details. An X.509 certificate request is represented by an X509_REQ object in OpenSSL. As we learned in Chapter 3 , a certificate requests main component is the public half of the key pair. It also contains a subjectName field and additional X.509 attributes. In reality, the attributes are optional parameters for the request, but the subject name should always be present. As well see, creating a certificate is not a very difficult task.10.3.1.1 Subject name
Before looking at an example, we need a little more background information on subject name manipulation with the API. The object type X509_NAME represents a certificate name. Specifically, a certificate request has only a subject name, while full certificates contain a subject name and an issuer name. The purpose of the name field is to fully identify an entity, whether it is a server, person, corporation, etc. To this end, a name field is composed of several entries for country name, organization name, and common name, just to name a few. Again, we can think of the fields in a name as keyvalue pairs; the key is the name of the field, and the value is its content. In theory, there can be arbitrary fields in a name, but in practice, a few standard ones are expected. In OpenSSL, fields are internally identified through an integer value known as the NID. All of this information rapidly becomes relevant when it comes time to build the subject name of our request. As weve already said, a certificate name is represented by an X509_NAME object. This object is essentially a collection of X509_NAME_ENTRY objects. Each X509_NAME_ENTRY object represents a single field and the corresponding value. Thus, our application needs to generate a X509_NAME_ENTRY object for each of the fields well put in the name of the certificate request. The process is simple. First, we look up the NID of the field we need to create. Using the NID, we create the X509_NAME_ENTRY object and add our data. The entry is added to the X509_NAME , and we repeat the process until all the desired fields are entered. After the name is fully assembled, we can add it to an X509_REQ object. OpenSSL provides many functions for manipulating X509_NAME and X509_NAME_ENTRY objects that enable us to perform the subject name assembly using many different methods. For instance, the function call X509_NAME_add_entry_by_txt automatically looks up the NID, creates the entry, and adds it to the X509_NAME . In the example below, we elected to show the explicit implementation instead of demonstrating the kinds of operations that are available.10.3.1.2 X.509 Version 3 extensions
Parts
» Network Security With OpenSSL 2002
» Goals of Cryptography Cryptography for the Rest of Us
» Symmetric key encryption Cryptographic Algorithms
» Public key encryption Cryptographic Algorithms
» Cryptographic hash functions and Message Authentication Codes
» Overview of SSL Introduction
» Cryptographic acceleration hardware Load balancing
» Bad Server Credentials Problems with SSL
» Certificate Validation Problems with SSL
» Poor Entropy Problems with SSL
» Insecure Cryptography Problems with SSL
» Other Transport Layer Protocols Non-Repudiation Protection Against Software Flaws
» Server-Side Proxies Securing Third-Party Software
» Client-Side Proxies Securing Third-Party Software
» Configuration Files The Basics
» Passwords and Passphrases Command-Line Interface
» Seeding the Pseudorandom Number Generator
» Private Certification Authorities Public Certification Authorities
» Certificate Revocation Lists Certificates
» Online Certificate Status Protocol
» Personal Certificates Obtaining a Certificate
» Code-Signing Certificates Obtaining a Certificate
» Web Site Certificates Obtaining a Certificate
» Creating an Environment for Your Certification Authority
» Building an OpenSSL Configuration File
» Creating a Self-Signed Root Certificate
» Revoking Certificates Setting Up a Certification Authority
» Static Locking Callbacks Multithread Support
» Dynamic Locking Callbacks Multithread Support
» Manipulating Error Queues Internal Error Handling
» Human-Readable Error Messages Internal Error Handling
» Threading and Practical Applications
» Memory sourcessinks File sourcessinks
» Socket sourcessinks SourceSink BIOs
» Filter BIOs Abstract InputOutput
» Seeding the PRNG Random Number Generation
» Using an Alternate Entropy Source
» The Basics Arbitrary Precision Math
» Mathematical Operations Arbitrary Precision Math
» Generating Prime Numbers Arbitrary Precision Math
» Using Engines Support Infrastructure
» Background Step 1: SSL Version Selection and Certificate Preparation
» Certificate preparation Step 1: SSL Version Selection and Certificate Preparation
» Our example extended Step 1: SSL Version Selection and Certificate Preparation
» Background Incorporating trusted certificates
» Certificate verification Step 2: Peer Authentication
» Incorporating certificate revocation lists
» Post-connection assertions Step 2: Peer Authentication
» Further extension of the examples
» Setting SSL options Step 3: SSL Options and Cipher Suites
» Ephemeral keying Step 3: SSL Options and Cipher Suites
» Cipher suite selection Step 3: SSL Options and Cipher Suites
» The final product Step 3: SSL Options and Cipher Suites
» Beyond the example Step 3: SSL Options and Cipher Suites
» Client-side SSL sessions SSL Session Caching
» Server-side SSL sessions SSL Session Caching
» An on-disk, session caching framework
» Reading and writing functions
» Blocking IO IO on SSL Connections
» Non-blocking IO IO on SSL Connections
» Implementing renegotiations IO on SSL Connections
» Renegotiations in 0.9.7 IO on SSL Connections
» Further notes IO on SSL Connections
» Block Ciphers and Stream Ciphers
» AES Blowfish CAST5 Available Ciphers
» IDEA RC2™ RC4™ Available Ciphers
» Initializing Symmetric Ciphers Encrypting with the EVP API
» Specifying Key Length and Other Options
» Encryption Encrypting with the EVP API
» Decryption Encrypting with the EVP API
» Handling UDP Traffic with Counter Mode
» General Recommendations Symmetric Cryptography
» Secure HTTP Cookies Hashes and MACs
» When to Use Public Key Cryptography
» Generating and Exchanging Parameters
» Computing Shared Secrets Diffie-Hellman
» The Basics Digital Signature Algorithm DSA
» Generating Parameters and Keys
» Signing and Verifying Digital Signature Algorithm DSA
» Data Encryption, Key Agreement, and Key Transport
» Signing and Verifying The EVP Public Key Interface
» Encrypting and Decrypting The EVP Public Key Interface
» Writing and Reading DER-Encoded Objects
» Writing and Reading PEM-Encoded Objects
» Net::SSLeay Variables Net::SSLeay for Perl
» Net::SSLeay Error Handling Net::SSLeay Utility Functions
» Net::SSLeay Low-Level Bindings
» M2Crypto.SSL High-Level Classes
» Miscellaneous crypto High-Level Classes
» Extensions to httplib: httpslib
» Extensions to urllib: m2urllib Extensions to xmlrpclib: m2xmlrpclib
» General Functions OpenSSL Support in PHP
» Certificate Functions OpenSSL Support in PHP
» Encryption and Signing Functions
» PKCS7 SMIME Functions OpenSSL Support in PHP
» Object Stacks Advanced Programming Topics
» Configuration Files Advanced Programming Topics
» Subject name Generating Requests
» X.509 Version 3 extensions Putting it all together
» X.509 Certificate Checking X.509
» Signing and Verifying PKCS7 and SMIME
» Encrypting and Decrypting PKCS7 and SMIME
Show more