Topic: [SOLVED] How to set subject alternative by wolfSSL API?

Hi,
In my C++ project, I have used API functions to create a new RSAKey and write the private key into a pem file. And then I call API wc_MakeSelfCert to create new certificate files. But I really want to know how I can set the Subject Alternative Name property in the Details tab of der certficate. I don't know how to configure member altNames in class Cert.
PS I don't have any generated key files to be used to read the properties and I have to write my own string into the certificate files.
The Subject Alternative Name looks like below:
URL=urn: ... ...(This line is required.)
DNS Name= ... ...(This line is required.)
IP Address= ... ... (This line is optional.)

Thank you in advance.

Share

Re: [SOLVED] How to set subject alternative by wolfSSL API?

Hi Alfred,

Thank you for reaching out to wolfSSL with these questions. Can you tell us a bit about the project you are working on and which team you are with? (We support a few teams from your organization at varying support levels and want to make sure you receive the appropriate support level based on your team affiliation).

The cert structure is defined for end-user applications that include <wolfssl/wolfcrypt/settings.h> (and <wolfssl/options.h> if applicable) and the header <wolfssl/wolfcrypt/asn_public.h>. (See below). Note the comment "For user to fill for cert generation".

258 /* for user to fill for certificate generation */                                
259 typedef struct Cert {                                                            
260     int      version;                   /* x509 version  */                      
261     byte     serial[CTC_SERIAL_SIZE];   /* serial number */                      
262     int      serialSz;                  /* serial size */                        
263     int      sigType;                   /* signature algo type */                
264     CertName issuer;                    /* issuer info */                        
265     int      daysValid;                 /* validity days */                      
266     int      selfSigned;                /* self signed flag */                   
267     CertName subject;                   /* subject info */                       
268     int      isCA;                      /* is this going to be a CA */           
269     /* internal use only */ 
270     int      bodySz;                    /* pre sign total size */                
271     int      keyType;                   /* public key type of subject */         
272 #ifdef WOLFSSL_ALT_NAMES                                                         
273     byte     altNames[CTC_MAX_ALT_SIZE]; /* altNames copy */                     
274     int      altNamesSz;                 /* altNames size in bytes */            
275     byte     beforeDate[CTC_DATE_SIZE];  /* before date copy */                  
276     int      beforeDateSz;               /* size of copy */                      
277     byte     afterDate[CTC_DATE_SIZE];   /* after date copy */                   
278     int      afterDateSz;                /* size of copy */                      
279 #endif                                                                           
280 #ifdef WOLFSSL_CERT_EXT                                                          
281     byte    skid[CTC_MAX_SKID_SIZE];     /* Subject Key Identifier */            
282     int     skidSz;                      /* SKID size in bytes */                
283     byte    akid[CTC_MAX_AKID_SIZE];     /* Authority Key Identifier */          
284     int     akidSz;                      /* AKID size in bytes */                
285     word16  keyUsage;                    /* Key Usage */                         
286     byte    extKeyUsage;                 /* Extended Key Usage */                
287 #ifdef WOLFSSL_EKU_OID                                                           
288     /* Extended Key Usage OIDs */                                                
289     byte    extKeyUsageOID[CTC_MAX_EKU_NB][CTC_MAX_EKU_OID_SZ];                  
290     byte    extKeyUsageOIDSz[CTC_MAX_EKU_NB];                                    
291 #endif                                                                           
292     char    certPolicies[CTC_MAX_CERTPOL_NB][CTC_MAX_CERTPOL_SZ];                
293     word16  certPoliciesNb;              /* Number of Cert Policy */             
294     byte     issRaw[sizeof(CertName)];   /* raw issuer info */                   
295     byte     sbjRaw[sizeof(CertName)];   /* raw subject info */                  
296 #endif                                                                           
297 #ifdef WOLFSSL_CERT_REQ                                                          
298     char     challengePw[CTC_NAME_SIZE];                                         
299 #endif                                                                           
300     void*   decodedCert;    /* internal DecodedCert allocated from heap */       
301     byte*   der;            /* Pointer to buffer of current DecodedCert cache */ 
302     void*   heap;           /* heap hint */                                      
303 } Cert;

You can set the altNames with:

Cert* myCert;
char myAltNames[] = "some string describing your alt name(s)";

...

myCert.altNames = myAltNames;
myCert.alNameSz = XSTRLEN(myAltNames);

Regards,

KH

3 (edited by Alfred Zhou 2019-07-02 00:33:39)

Re: [SOLVED] How to set subject alternative by wolfSSL API?

Hi Kaleb,

Thank you for your quick response. It is only an investigation on a prototype. I have to create certificate files. I have set altNames with code below:

Cert myCert;
char myAltNames[] = "URL=urn: ... ... \r\nDNS Name= ... ...";
XMEMCPY(myCert.altNames, myAltNames, XSTRLEN(myAltNames));
myCert.alNameSz = XSTRLEN(myAltNames);

But the der file cannot be opened correctly with a message "The file is invalid for use as the following: Security Certificate.".
Without these code, the certificate file can be opened. I think the altNames might have its format. It doesn't accept custom strings.

Thanks,
Alfred

Share

Re: [SOLVED] How to set subject alternative by wolfSSL API?

@Alfred,

Thanks for the project notes, I'll see if I can find an example today to send you, if not I'll try to put together a brief example.

Cheers,

KH

Re: [SOLVED] How to set subject alternative by wolfSSL API?

Hi @Alfred,

Here is a quick test I ran today ( I can't find another example and we don't have an API for it unfortunately):

         char myAltNames[] = {
                                 // SEQUENCE (2 elements)
                                 0x30, 0x14,
                                 // OBJECT IDENTIFIEER: 2.5.29.17 subjectAltName
                                 // (X.509 extension)
                                 0x06, 0x03, 0x55, 0x1D, 0x11,
                                 // OCTET STRING (1 element)
                                 0x04, 0x0D, //NOTE: 0x0D = length 13, this needs updated based on string length
                                 // SEQUENCE (1 element)
                                 0x30, 0x0B,
                                 // String, value: "DNS:localhost"
                                 0x82, 0x09, 0x6C, 0x6F, 0x63, 0x61, 0x6C, 0x68,
                                 0x6F, 0x73, 0x74
                             };                                                   
         XMEMCPY(myCert->altNames, myAltNames, XSTRLEN(myAltNames));              
         myCert->altNamesSz = (int) sizeof(myAltNames);                           
     } 

- KH

Re: [SOLVED] How to set subject alternative by wolfSSL API?

Hi Kaleb,

Really appreciate your quick response. I have written my own OCTET string in altNames and it works.

Thank you very much and Best Regards,
Alfred

Share

Re: [SOLVED] How to set subject alternative by wolfSSL API?

Alfred,

It was my pleasure! Thank you for contacting wolfSSL and we look forward to hearing from you in the future should anything else come up. You can also reach or support team at support@wolfssl.com or through our zendesk portal at https://wolfssl.zendesk.com

Warm Regards,

KH