Status: Closed
Labels: api-suggestion (Early API idea and discussion, it is NOT ready for implementation), area-System.Security

Description
Hi,
I am using the CertificateRequest class to generate a CSR for an SCEP server. The CSR requires a challengePassword attribute. I understand the attribute has to be added using the CertificateExtensions property. Below is my code for the same.
```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public byte[] GeneratePkcs10(string challenge, string serial)
{
    using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(2048))
    {
        string subject = "serialNumber=" + serial + ", OU=ABC Inc.";
        var req = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        // add challengePassword attribute (OID 1.2.840.113549.1.9.7); the value is passed as raw UTF-8 bytes,
        // and the literal "password" is used here rather than the challenge parameter
        req.CertificateExtensions.Add(new X509Extension(new Oid("1.2.840.113549.1.9.7"), Encoding.UTF8.GetBytes("password"), false));
        return req.CreateSigningRequest(); // DER-encoded PKCS#10
    }
}
```
I ran openssl asn1parse to see if the attribute was added properly to the CSR; below is the output of the command.
```
openssl asn1parse -in cert1.pem
0:d=0 hl=4 l= 663 cons: SEQUENCE
4:d=1 hl=4 l= 383 cons: SEQUENCE
8:d=2 hl=2 l= 1 prim: INTEGER :00
11:d=2 hl=2 l= 42 cons: SEQUENCE
13:d=3 hl=2 l= 22 cons: SET
15:d=4 hl=2 l= 20 cons: SEQUENCE
17:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName
22:d=5 hl=2 l= 13 prim: PRINTABLESTRING :ABC Inc.
37:d=3 hl=2 l= 16 cons: SET
39:d=4 hl=2 l= 14 cons: SEQUENCE
41:d=5 hl=2 l= 3 prim: OBJECT :serialNumber
46:d=5 hl=2 l= 7 prim: PRINTABLESTRING :1234567
55:d=2 hl=4 l= 290 cons: SEQUENCE
59:d=3 hl=2 l= 13 cons: SEQUENCE
61:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
72:d=4 hl=2 l= 0 prim: NULL
74:d=3 hl=4 l= 271 prim: BIT STRING
349:d=2 hl=2 l= 40 cons: cont [ 0 ]
351:d=3 hl=2 l= 38 cons: SEQUENCE
353:d=4 hl=2 l= 9 prim: OBJECT :Extension Request        <-- highlighted
364:d=4 hl=2 l= 25 cons: SET
366:d=5 hl=2 l= 23 cons: SEQUENCE
368:d=6 hl=2 l= 21 cons: SEQUENCE
370:d=7 hl=2 l= 9 prim: OBJECT :challengePassword
381:d=7 hl=2 l= 8 prim: OCTET STRING :password
391:d=1 hl=2 l= 13 cons: SEQUENCE
393:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
404:d=2 hl=2 l= 0 prim: NULL
406:d=1 hl=4 l= 257 prim: BIT STRING
```
Everything looks fine except the highlighted object. The expected output should be as below:
```
0:d=0 hl=4 l= 667 cons: SEQUENCE
4:d=1 hl=4 l= 387 cons: SEQUENCE
8:d=2 hl=2 l= 1 prim: INTEGER :00
11:d=2 hl=2 l= 51 cons: SEQUENCE
13:d=3 hl=2 l= 25 cons: SET
15:d=4 hl=2 l= 23 cons: SEQUENCE
17:d=5 hl=2 l= 3 prim: OBJECT :serialNumber
22:d=5 hl=2 l= 16 prim: PRINTABLESTRING :1234567
40:d=3 hl=2 l= 22 cons: SET
42:d=4 hl=2 l= 20 cons: SEQUENCE
44:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName
49:d=5 hl=2 l= 13 prim: UTF8STRING :ABC Inc.
64:d=2 hl=4 l= 290 cons: SEQUENCE
68:d=3 hl=2 l= 13 cons: SEQUENCE
70:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
81:d=4 hl=2 l= 0 prim: NULL
83:d=3 hl=4 l= 271 prim: BIT STRING
358:d=2 hl=2 l= 35 cons: cont [ 0 ]
360:d=3 hl=2 l= 33 cons: SEQUENCE
362:d=4 hl=2 l= 9 prim: OBJECT :challengePassword
373:d=4 hl=2 l= 20 cons: SET
375:d=5 hl=2 l= 18 prim: PRINTABLESTRING :password
395:d=1 hl=2 l= 13 cons: SEQUENCE
397:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
408:d=2 hl=2 l= 0 prim: NULL
410:d=1 hl=4 l= 257 prim: BIT STRING
```
The server is failing to extract challengePassword because it is not finding it at the expected position. My doubt is: is this the right way to add an attribute to a CSR, or am I doing something wrong?
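The two asn1parse dumps above differ only in where the challengePassword lands: a SCEP server reads it as an Attribute directly under the `[0]` attributes field of CertificationRequestInfo, whereas `CertificateExtensions` can only emit X.509 extensions, which the encoder wraps in a single `extensionRequest` attribute. The following is an added example, not code from the issue or from the .NET runtime: a pure-stdlib Python DER encoder that builds both layouts (with a placeholder key and signature and a constructed OU-only subject, so it is not a signable CSR), and a small walker that reports whether the password sits at the attribute level or is buried inside `extensionRequest`. Run the walker over the DER your own code produces to check the layout before submitting to the SCEP server.

```python
CHALLENGE_PASSWORD_OID = "1.2.840.113549.1.9.7"   # pkcs-9 challengePassword
EXTENSION_REQUEST_OID = "1.2.840.113549.1.9.14"   # pkcs-9 extensionRequest
RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"
SHA256_WITH_RSA_OID = "1.2.840.113549.1.1.11"


def _length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def seq(*parts: bytes) -> bytes:
    return tlv(0x30, b"".join(parts))


def set_of(*parts: bytes) -> bytes:
    return tlv(0x31, b"".join(parts))


def oid(dotted: str) -> bytes:
    """Encode a dotted OID as an OBJECT IDENTIFIER TLV (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))


def build_csr(challenge: str, as_extension: bool) -> bytes:
    """Constructed PKCS#10 structure. as_extension=False puts challengePassword
    where SCEP expects it (a top-level Attribute); as_extension=True reproduces
    the layout the posted code produced (an X.509 extension inside extensionRequest)."""
    version = tlv(0x02, b"\x00")
    subject = seq(set_of(seq(oid("2.5.4.11"), tlv(0x0C, b"ABC Inc."))))  # sample OU-only Name
    spki = seq(seq(oid(RSA_ENCRYPTION_OID), tlv(0x05, b"")), tlv(0x03, bytes(9)))  # placeholder key
    if as_extension:
        ext = seq(oid(CHALLENGE_PASSWORD_OID), tlv(0x04, challenge.encode("utf-8")))
        attribute = seq(oid(EXTENSION_REQUEST_OID), set_of(seq(ext)))
    else:
        attribute = seq(oid(CHALLENGE_PASSWORD_OID), set_of(tlv(0x13, challenge.encode("ascii"))))
    attributes = tlv(0xA0, attribute)  # [0] IMPLICIT Attributes
    cert_request_info = seq(version, subject, spki, attributes)
    sig_alg = seq(oid(SHA256_WITH_RSA_OID), tlv(0x05, b""))
    signature = tlv(0x03, bytes(9))  # placeholder, not a real signature
    return seq(cert_request_info, sig_alg, signature)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(body: bytes):
    """Split the body of a constructed TLV into its (tag, body) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def find_challenge_password(csr_der: bytes):
    """('attribute', pw) if challengePassword is a top-level CSR attribute,
    ('extensionRequest', pw) if it was buried inside extensionRequest, else (None, None)."""
    _, csr_body, _ = read_tlv(csr_der, 0)
    _, cri_body = children(csr_body)[0]              # CertificationRequestInfo
    for tag, body in children(cri_body):
        if tag != 0xA0:                               # only the [0] attributes field
            continue
        for _, attr_body in children(body):           # each Attribute SEQUENCE
            (_, attr_oid), (_, value_set) = children(attr_body)[:2]
            values = children(value_set)
            if decode_oid(attr_oid) == CHALLENGE_PASSWORD_OID:
                return "attribute", values[0][1].decode()
            if decode_oid(attr_oid) == EXTENSION_REQUEST_OID:
                for _, extensions in values:          # Extensions SEQUENCE
                    for _, ext in children(extensions):
                        fields = children(ext)        # extnID [, critical], extnValue
                        if decode_oid(fields[0][1]) == CHALLENGE_PASSWORD_OID:
                            return "extensionRequest", fields[-1][1].decode()
    return None, None


if __name__ == "__main__":
    for layout in (True, False):
        print(layout, find_challenge_password(build_csr("password", as_extension=layout)))
```

To inspect a real CSR, read the DER returned by `CreateSigningRequest()` (or `openssl req -outform DER`) and pass the bytes to `find_challenge_password`. The walker deliberately treats `extensionRequest` as a wrong answer rather than a fallback, because a SCEP server does not descend into it. Newer .NET (7 and later) exposes a `CertificateRequest.OtherRequestAttributes` collection for attributes that are not part of `extensionRequest`; the version used in the issue offers no such API, which is what it is asking for.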