New X.509 Certificate Extension APIs in wolfSSL and wolfSSL JNI

wolfSSL now adds new public X.509 certificate-generation APIs for key identifiers, CRL distribution points, and Netscape certificate type handling. wolfSSL JNI builds on top of these APIs and now exposes matching Java methods in WolfSSLCertificate.

New public wolfSSL APIs (C)

  • int wolfSSL_X509_set_subject_key_id(WOLFSSL_X509* x509, const unsigned char* skid, int skidSz);
  • int wolfSSL_X509_set_subject_key_id_ex(WOLFSSL_X509* x509);
  • int wolfSSL_X509_set_authority_key_id(WOLFSSL_X509* x509, const unsigned char* akid, int akidSz);
  • int wolfSSL_X509_set_authority_key_id_ex(WOLFSSL_X509* x509, WOLFSSL_X509* issuer);
  • int wolfSSL_X509_set_ns_cert_type(WOLFSSL_X509* x509, int nsCertType);
  • int wolfSSL_X509_CRL_set_dist_points(WOLFSSL_X509* x509, const unsigned char* der, int derSz);
  • int wolfSSL_X509_CRL_add_dist_point(WOLFSSL_X509* x509, const char* uri, int critical);

Certificate signing continues to use:

  • int wolfSSL_X509_sign(WOLFSSL_X509* x509, WOLFSSL_EVP_PKEY* pkey, const WOLFSSL_EVP_MD* md);

Brief C usage example

#include <wolfssl/options.h>
#include <wolfssl/ssl.h>

WOLFSSL_X509* cert = wolfSSL_X509_new();
WOLFSSL_X509* issuer = /* loaded issuer cert */;
WOLFSSL_EVP_PKEY* caKey = /* loaded CA key */;

/* set subject, issuer, validity, serial, and public key first */

/* each setter returns an int status; anything other than WOLFSSL_SUCCESS
 * (wolfSSL's usual convention) means the extension was not added */
if (wolfSSL_X509_set_subject_key_id_ex(cert) != WOLFSSL_SUCCESS ||
    wolfSSL_X509_set_authority_key_id_ex(cert, issuer) != WOLFSSL_SUCCESS ||
    wolfSSL_X509_set_ns_cert_type(cert, WC_NS_SSL_SERVER) != WOLFSSL_SUCCESS ||
    wolfSSL_X509_CRL_add_dist_point(cert, "http://crl.example.com/ca.crl", 0) != WOLFSSL_SUCCESS) {
    /* handle error: do not sign a certificate that is missing an intended extension */
}

/* wolfSSL_X509_sign() returns the signature size on success, 0 (WOLFSSL_FAILURE) on error */
if (wolfSSL_X509_sign(cert, caKey, wolfSSL_EVP_sha256()) <= 0) {
    /* handle error */
}

wolfSSL_X509_free(cert);

wolfSSL Java methods

Corresponding public wolfSSL JNI Java methods (WolfSSLCertificate)

  • public void setSubjectKeyId(byte[] skid)
  • public void setSubjectKeyIdEx()
  • public void setAuthorityKeyId(byte[] akid)
  • public void setAuthorityKeyIdEx(WolfSSLCertificate issuer)
  • public void setCrlDistPoints(byte[] der)
  • public void addCrlDistPoint(String uri, boolean critical)
  • public void setNsCertType(int nsCertType)
  • public void addAltNameIP(String ipAddress)

Signing remains:

  • public void sign(byte[] key, int keyType, int format, String digestAlg)

Quick Java snippet

WolfSSLCertificate cert = new WolfSSLCertificate();
/* caCertPem: the issuing CA certificate (PEM bytes), loaded elsewhere */
WolfSSLCertificate issuer = new WolfSSLCertificate(caCertPem, WolfSSL.SSL_FILETYPE_PEM);

/* set subject, issuer name, serial, validity, and public key first */

cert.setSubjectKeyIdEx();
cert.setAuthorityKeyIdEx(issuer);
cert.addCrlDistPoint("http://crl.example.com/ca.crl", false); // non-critical, as in the C example
cert.setNsCertType(0x80); // example bitmask: 0x80 is the Netscape "SSL client" bit, 0x40 is "SSL server"
cert.addAltNameIP("192.168.1.10");

/* caKeyBytes: the CA private key (PEM bytes), loaded elsewhere; RSA key, SHA-256 digest */
cert.sign(caKeyBytes, WolfSSL.RSAk, WolfSSL.SSL_FILETYPE_PEM, "SHA256");
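Two of the entry points above take or produce raw DER rather than a URI or a flag: wolfSSL_X509_CRL_set_dist_points() in C and setCrlDistPoints(byte[] der) in Java expect a fully encoded CRLDistributionPoints value, and the Netscape certificate type bitmask ends up in the certificate as a DER BIT STRING. The program below is an added, dependency-free C example written for this post; it is not wolfSSL or wolfSSL JNI code. It encodes a single-URI CRLDistributionPoints value (RFC 5280 section 4.2.1.13, tag nesting 30/30/A0/A0/86) and a Netscape cert-type BIT STRING, and decodes both back, so you can check what the bytes you hand to, or read out of, the library actually say. Limits assumed for the example: one URI per extension, lengths below 65536, and a 200-byte URI cap.

```c
/* Added example, not wolfSSL code: hand-built DER for the CRLDistributionPoints
 * and Netscape cert-type extension payloads, with matching decoders.
 * Assumptions: one fullName URI, DER lengths < 65536, URI <= 200 bytes. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Write a DER length (short form, or long form with 1 or 2 length bytes). */
static size_t der_put_len(size_t len, unsigned char *out)
{
    if (len < 0x80)  { out[0] = (unsigned char)len; return 1; }
    if (len < 0x100) { out[0] = 0x81; out[1] = (unsigned char)len; return 2; }
    out[0] = 0x82; out[1] = (unsigned char)(len >> 8); out[2] = (unsigned char)len;
    return 3;
}

/* In-place wrap: content already sits at buf[0..innerLen); shift it right and
 * prepend tag + length. Returns the new total length. */
static size_t der_wrap(unsigned char tag, unsigned char *buf, size_t innerLen)
{
    unsigned char lenBuf[3];
    size_t lenSz = der_put_len(innerLen, lenBuf);
    memmove(buf + 1 + lenSz, buf, innerLen);   /* move first, then write the header */
    buf[0] = tag;
    memcpy(buf + 1, lenBuf, lenSz);
    return 1 + lenSz + innerLen;
}

/* Encode CRLDistributionPoints with one DistributionPoint whose fullName is a URI.
 * Returns the DER length, or 0 if the URI is empty/too long or out is too small. */
size_t encode_crl_dp(const char *uri, unsigned char *out, size_t outSz)
{
    size_t n = strlen(uri);
    if (n == 0 || n > 200 || outSz < n + 15) return 0;  /* 5 headers of <= 3 bytes */
    memcpy(out, uri, n);
    n = der_wrap(0x86, out, n); /* GeneralName: uniformResourceIdentifier [6] IA5String (implicit) */
    n = der_wrap(0xA0, out, n); /* DistributionPointName: fullName [0] GeneralNames (implicit, replaces SEQUENCE) */
    n = der_wrap(0xA0, out, n); /* DistributionPoint.distributionPoint [0] (explicit: the inner type is a CHOICE) */
    n = der_wrap(0x30, out, n); /* DistributionPoint ::= SEQUENCE */
    n = der_wrap(0x30, out, n); /* CRLDistributionPoints ::= SEQUENCE OF DistributionPoint */
    return n;
}

/* Read a tag + length header, requiring `expectTag`; returns header size and
 * sets *len, or returns 0 if the tag is wrong or the length overruns `avail`. */
static size_t der_hdr(const unsigned char *p, size_t avail, unsigned char expectTag, size_t *len)
{
    if (avail < 2 || p[0] != expectTag) return 0;
    if (p[1] < 0x80) { *len = p[1]; return (2 + *len <= avail) ? 2 : 0; }
    if (p[1] == 0x81) { if (avail < 3) return 0; *len = p[2]; return (3 + *len <= avail) ? 3 : 0; }
    if (p[1] == 0x82) { if (avail < 4) return 0; *len = ((size_t)p[2] << 8) | p[3]; return (4 + *len <= avail) ? 4 : 0; }
    return 0;
}

/* Pull the first fullName URI out of a CRLDistributionPoints DER value.
 * Returns the URI length (NUL-terminated copy in `uri`), or 0 on any mismatch. */
size_t decode_crl_dp_uri(const unsigned char *der, size_t derSz, char *uri, size_t uriSz)
{
    static const unsigned char tags[] = { 0x30, 0x30, 0xA0, 0xA0, 0x86 };
    size_t len = 0, i;
    for (i = 0; i < sizeof tags; i++) {
        size_t h = der_hdr(der, derSz, tags[i], &len);
        if (h == 0) return 0;
        der += h; derSz = len;   /* descend; never read past the parent's content */
    }
    if (len == 0 || len + 1 > uriSz) return 0;
    memcpy(uri, der, len); uri[len] = '\0';
    return len;
}

/* Netscape cert type as a DER BIT STRING: 03 02 <unused bits> <bits>.
 * DER requires dropping trailing zero bits, so the unused count is derived. */
size_t encode_ns_cert_type(unsigned char bits, unsigned char *out)
{
    unsigned char unused = 0;
    if (bits == 0) { out[0] = 0x03; out[1] = 0x01; out[2] = 0x00; return 3; }
    while (((bits >> unused) & 1) == 0) unused++;
    out[0] = 0x03; out[1] = 0x02; out[2] = unused; out[3] = bits;
    return 4;
}

/* Decode the BIT STRING back to the bitmask; returns 1 on success, 0 if malformed. */
int decode_ns_cert_type(const unsigned char *der, size_t derSz, unsigned char *bitsOut)
{
    if (derSz < 3 || der[0] != 0x03 || der[1] + 2u != derSz) return 0;
    if (der[1] == 1) { *bitsOut = 0; return der[2] == 0; }
    if (der[1] != 2 || der[2] > 7) return 0;
    *bitsOut = der[3] & (unsigned char)(0xFF << der[2]);  /* ignore the declared unused bits */
    return 1;
}

int main(void)
{
    unsigned char der[256]; char uri[256]; unsigned char bits = 0; size_t n, i;
    n = encode_crl_dp("http://crl.example.com/ca.crl", der, sizeof der);  /* URI from the post */
    for (i = 0; i < n; i++) printf("%02x", der[i]);
    printf("\ndecoded URI: %s\n", decode_crl_dp_uri(der, n, uri, sizeof uri) ? uri : "(bad DER)");
    n = encode_ns_cert_type(0x40, der);   /* 0x40 = SSL server bit */
    printf("nsCertType(0x40) -> %02x %02x %02x %02x, decoded 0x%02x\n",
           der[0], der[1], der[2], der[3], decode_ns_cert_type(der, n, &bits) ? bits : 0);
    return 0;
}
```

For the post's URI the encoder yields 39 bytes starting 30 25 30 23 a0 21 a0 1f 86 1d, the same nesting OpenSSL's x509 -text would show for a single fullName distribution point; feed that buffer to wolfSSL_X509_CRL_set_dist_points() or setCrlDistPoints() when you need a CRL DP the URI-only helpers cannot express, and run the decoder over the extension bytes of a certificate you are validating to confirm the CRL URL points where you expect.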

What this enables

Applications can now build richer X.509 certificates directly in wolfSSL and wolfSSL JNI with first-class SKID, AKID, CRL distribution point, and Netscape certificate type support, all in the same in-memory generation flow.

Questions?

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.