Help with setting Subject Alternate Name (SAN) in CSR


Danny deSousa
Oct 25, 2012, 5:43:51 PM
to jscep-...@googlegroups.com
Hello,

I'm trying to coerce NDES to issue a certificate and I've been able to do this given some of the sample code that's on the site; however, I'm also trying to set a SAN on the certificate request and I'm struggling. I'm using JScep 2.0 and as a result BouncyCastle 1.47.

I also don't have a lot of experience using any crypto api(s) and I was hoping somebody can point me in the right direction. I've pasted a snippet of code with my attempt to set the SAN on the CSR.

Here it is:

    String dn = "DC=local, DC=dvam, CN=Users, CN=User Development";

    PKCS10CertificationRequestBuilder crb = new JcaPKCS10CertificationRequestBuilder( new X500Name( dn ), keyPair.getPublic() );

    crb.addAttribute(org.bouncycastle.asn1.x509.X509Extension.subjectAlternativeName, 
            new org.bouncycastle.asn1.DEROctetString( "email=dev...@dvam.local".getBytes() ) );

This runs; however, the certificate that I receive back has no SAN set. I've attempted to perform these operations a number of other ways, such as creating a vector of OIDs and values, but I get the same result. No SAN set.

The NDES log shows this:

    2902.419.0:<2012/10/25, 14:21:52>: 0x80070057 (WIN32: 87)
    2905.4156.0:<2012/10/25, 14:21:52>: 0x80070057 (WIN32: 87)
    2905.3497.0:<2012/10/25, 14:21:52>: 0x80070057 (WIN32: 87)

The error message associated with the "WIN32: 87" code is "Invalid Parameter" and my thought is that this is not an error but a warning, and not from NDES but from the CA.

There is some configuration that's required, like installing the NDES hotfix and enabling SAN, through certutil, on the CA; however, none of that has worked. Any help would be greatly appreciated.

One last thing that I want to mention is that when I run my code I get this warning:

    "4270 [main] WARN org.jscep.message.PkiMessageDecoder - Unable to verify message because the signedData contained no certificates."

I'm not sure if that means anything in this context but I thought that I'd add that information regardless.

I also have no problem posting the code since I'm just prototyping the idea of using SCEP.

Thanks,

- Danny

David Grant
Oct 25, 2012, 8:52:26 PM
to jscep-...@googlegroups.com
Hi Danny,

I'm afraid adding X.509 extensions isn't as easy as adding the
passphrase! Try replacing:

    crb.addAttribute(org.bouncycastle.asn1.x509.X509Extension.subjectAlternativeName,
            new org.bouncycastle.asn1.DEROctetString("email=dev...@dvam.local".getBytes()));

with:

    import java.util.Vector;
    import org.bouncycastle.asn1.ASN1ObjectIdentifier;
    import org.bouncycastle.asn1.DEROctetString;
    import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
    import org.bouncycastle.asn1.x509.GeneralName;
    import org.bouncycastle.asn1.x509.GeneralNames;
    import org.bouncycastle.asn1.x509.X509Extension;
    import org.bouncycastle.asn1.x509.X509Extensions;

    // SAN is a SEQUENCE OF GeneralName; an e-mail address is the rfc822Name choice
    GeneralNames subjectAltName = new GeneralNames(
            new GeneralName(GeneralName.rfc822Name, "dev...@dvam.local"));

    Vector<ASN1ObjectIdentifier> oids = new Vector<ASN1ObjectIdentifier>();
    Vector<X509Extension> values = new Vector<X509Extension>();

    oids.add(X509Extensions.SubjectAlternativeName);
    // extension value = DER encoding of the GeneralNames wrapped in an OCTET STRING
    // (DEROctetString(ASN1Encodable) declares IOException)
    values.add(new X509Extension(false, new DEROctetString(subjectAltName)));

    X509Extensions extensions = new X509Extensions(oids, values);
    // addAttribute wraps the value in a SET itself, so pass the Extensions directly;
    // wrapping it in a DERSet here would produce a nested SET the CA cannot parse
    crb.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extensions);

Can you create a new issue to add this example to the documentation so
it's easier for others in the future please?

Dave

Danny deSousa
Oct 26, 2012, 2:13:58 PM
to jscep-...@googlegroups.com
Hi David,

Thanks for answering my post. I absolutely do intend to help with extending the documentation once I get this working!!! :-)

Unfortunately, the code that you pasted is not being accepted by the Windows CA. The event viewer is reporting an invalid ASN1 tag. I've tried variations of that code and each time I've received an error or the CA just simply ignored it.

I've pasted the exact error from the CA:

    "Active Directory Certificate Services could not process request 49 due to an error: ASN1 bad tag value met. 0x8009310b (ASN: 267).  The request was for DVAM\accmgr.  Additional information: Error Parsing Request"

There is a corresponding error message from NDES as well:

    "The Network Device Enrollment Service cannot submit the certificate request (ASN1 bad tag value met.).  0x80004005"

I've consulted the "Problem Analysis Machine", Google, but to no avail.

- Danny

Ryan Schipper
Oct 30, 2012, 6:03:51 PM
to jscep-...@googlegroups.com
Sorry about the delay in providing this example, Danny; my weekend went haywire.

    PKCS10CertificationRequest p10request = null;
    try {
        // sign the request with the private half of the enrolment key pair
        JcaContentSignerBuilder csb = new JcaContentSignerBuilder("SHA1withRSA");
        ContentSigner cs = csb.build(keys.getPrivate());

        PKCS10CertificationRequestBuilder crb = new JcaPKCS10CertificationRequestBuilder(
                tbsCert.getSubjectX500Principal(), keys.getPublic());

        // SCEP challenge password, carried as a PrintableString attribute
        DERPrintableString password = new DERPrintableString(challengePwField.getText());
        crb.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_challengePassword, password);

        // all requested X.509 extensions go in one pkcs-9-at-extensionRequest attribute
        ExtensionsGenerator extensionsGenerator = new ExtensionsGenerator();
        extensionsGenerator.addExtension(Extension.extendedKeyUsage, false,
                new ExtendedKeyUsage(KeyPurposeId.id_kp_eapOverLAN));

        crb.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extensionsGenerator.generate());

        p10request = crb.build(cs);

        // dump the DER-encoded CSR so it can be inspected before it goes to NDES
        byte[] encodedP10 = p10request.getEncoded();
        FileOutputStream fos = new FileOutputStream("/Users/work/IdeaProjects/NDESClient-jscep2BETA/jscep.p10.der");
        try {
            fos.write(encodedP10);
        } finally {
            fos.close();
        }

    } catch (Exception e) {
        statusText.setText(statusText.getText() + "\nException: " + e);
        e.printStackTrace();
        return;
    }


Ryan Schipper
Oct 30, 2012, 6:08:59 PM
to jscep-...@googlegroups.com
Bugger. Hit send too early.

The snippet I sent (quoted below) is exactly how I build requests for NDES.

Note the use of the org.bouncycastle.asn1.x509.ExtensionsGenerator factory. I'm generating an EKU extension here, but I see no reason that a SAN extension would not work in its place.

As David suggested, if this works for you, would you mind posting your snippet as a documentation enhancement request?

-- Ryan 

David Grant
Oct 30, 2012, 6:15:36 PM
to jscep-...@googlegroups.com
Thanks Ryan.  Your contributions are helpful as ever!

Sent from my iPad

Danny deSousa
Oct 31, 2012, 7:14:01 PM
to jscep-...@googlegroups.com
Hey Ryan,

I've managed to get this to work.

Setting the SAN after looking at your example was straightforward but I was not only interested in setting a standard extension. I was also interested in setting the "othername" attribute. This attribute is key since I wanted to set the UPN (User Principal Name) which is important in getting a mobile device to work with NDES.

    org.bouncycastle.asn1.x509.ExtensionsGenerator extensionsGenerator = new org.bouncycastle.asn1.x509.ExtensionsGenerator();

    // GeneralNames is a SEQUENCE OF GeneralName; vec collects the names
    ASN1EncodableVector vec = new ASN1EncodableVector();

    // OtherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY }
    // 1.3.6.1.4.1.311.20.2.3 is the Microsoft UPN type-id; its value is a UTF8String
    ASN1EncodableVector v = new ASN1EncodableVector();
    v.add(new ASN1ObjectIdentifier("1.3.6.1.4.1.311.20.2.3"));
    v.add(new DERTaggedObject(true, 0, new DERUTF8String("dev...@dvam.local")));

    // the otherName choice of GeneralName is [0] IMPLICIT OtherName
    ASN1Object gn = new DERTaggedObject(false, 0, new DERSequence(v));
    vec.add(gn);

    // SAN marked critical here; RFC 5280 recommends non-critical when the subject DN is non-empty
    extensionsGenerator.addExtension(Extension.subjectAlternativeName, true, new DERSequence(vec));
    crb.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extensionsGenerator.generate());

One of the frustrations that I was having was that the "GeneralName.otherName" constant appears not to be supported in BouncyCastle 1.47. In fact, I would say that BouncyCastle, in general, was a frustrating experience. There appear to be many, many different ways of accomplishing the same thing.

Thanks for the help. I'll file a documentation request and add this snippet.

- Danny
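Pulling the two working patterns in this thread together (Ryan's ExtensionsGenerator / extensionRequest attribute and Danny's UPN otherName), the following is an added, complete example; it is not code from the thread or from the jscep project. It builds a CSR whose SAN carries both an rfc822Name and a Microsoft UPN otherName, then decodes its own DER output, verifies the self-signature and reads the UPN back. That round trip is the check worth running locally before submitting to NDES, since the CA's "ASN1 bad tag value met" error says nothing about which attribute is malformed. Assumptions: the `GeneralName(int, ASN1Encodable)` constructor and the BouncyCastle pkix classes used here are available in the reader's BouncyCastle version (the explicit DERTaggedObject form from Danny's post is the equivalent fallback for the otherName); the subject DN, e-mail address and UPN are constructed sample values; the class name `SanCsrExample` and the helper names are mine.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1TaggedObject;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERTaggedObject;
import org.bouncycastle.asn1.DERUTF8String;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

public class SanCsrExample {

    // Microsoft UPN otherName type-id (the OID used in the thread)
    static final ASN1ObjectIdentifier UPN_OID = new ASN1ObjectIdentifier("1.3.6.1.4.1.311.20.2.3");

    /** otherName GeneralName for a UPN: [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }. */
    static GeneralName upnOtherName(String upn) {
        ASN1EncodableVector otherName = new ASN1EncodableVector();
        otherName.add(UPN_OID);
        otherName.add(new DERTaggedObject(true, 0, new DERUTF8String(upn)));
        // assumption: GeneralName(int tag, ASN1Encodable) emits [tag] IMPLICIT for otherName
        return new GeneralName(GeneralName.otherName, new DERSequence(otherName));
    }

    /** Build a signed CSR whose extensionRequest attribute carries a SAN with rfc822Name and UPN. */
    static PKCS10CertificationRequest buildCsr(KeyPair keys, String subjectDn, String email, String upn)
            throws Exception {
        GeneralNames san = new GeneralNames(new GeneralName[] {
                new GeneralName(GeneralName.rfc822Name, email),
                upnOtherName(upn) });

        ExtensionsGenerator extGen = new ExtensionsGenerator();
        // subject DN is non-empty, so the SAN is marked non-critical (RFC 5280 4.2.1.6)
        extGen.addExtension(Extension.subjectAlternativeName, false, san);

        PKCS10CertificationRequestBuilder crb =
                new JcaPKCS10CertificationRequestBuilder(new X500Name(subjectDn), keys.getPublic());
        // addAttribute wraps the value in a SET itself: pass the Extensions object directly
        crb.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate());

        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(keys.getPrivate());
        return crb.build(signer);
    }

    /** Decode a DER CSR, check its self-signature, and return the UPN from its SAN (null if none). */
    static String extractUpn(byte[] derCsr) throws Exception {
        PKCS10CertificationRequest csr = new PKCS10CertificationRequest(derCsr);
        if (!csr.isSignatureValid(new JcaContentVerifierProviderBuilder().build(csr.getSubjectPublicKeyInfo()))) {
            throw new IllegalStateException("CSR signature does not verify");
        }
        for (Attribute attr : csr.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) {
            // attribute value is SET { Extensions }; take the single Extensions SEQUENCE
            Extensions exts = Extensions.getInstance(attr.getAttrValues().getObjectAt(0));
            ASN1Encodable sanValue = exts.getExtensionParsedValue(Extension.subjectAlternativeName);
            if (sanValue == null) {
                continue;
            }
            for (GeneralName gn : GeneralNames.getInstance(sanValue).getNames()) {
                if (gn.getTagNo() != GeneralName.otherName) {
                    continue;
                }
                ASN1Sequence otherName = ASN1Sequence.getInstance(gn.getName());
                if (UPN_OID.equals(otherName.getObjectAt(0))) {
                    ASN1TaggedObject value = ASN1TaggedObject.getInstance(otherName.getObjectAt(1));
                    return DERUTF8String.getInstance(value.getObject()).getString();
                }
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair keys = kpg.generateKeyPair();

        // constructed sample identity, not a real account
        PKCS10CertificationRequest csr = buildCsr(keys, "CN=Example Device, DC=example, DC=test",
                "device@example.test", "device@example.test");
        byte[] der = csr.getEncoded();
        System.out.println("UPN read back from CSR SAN: " + extractUpn(der));
    }
}
```

Run it with bcprov and bcpkix on the classpath; it prints the UPN it just encoded. If you instead get a `null` or a parse exception from `extractUpn`, the CSR itself is malformed and NDES will reject it for the same reason, which is a far quicker loop than reading the CA's event log. The `false` critical flag on the SAN is deliberate: with a populated subject DN, RFC 5280 recommends non-critical, and some CA policies refuse critical SANs.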

David Grant
Oct 31, 2012, 8:15:45 PM
to jscep-...@googlegroups.com
I've added both examples to the project manual on the master branch:

https://github.com/seize-the-dave/jscep/commit/86ae20dbeca350d62f01f9f733c34ef0cd594cce

Latest manual on CI server:


Thanks for raising the issue, and to both of you for helping to improve the project.

Dave
