
Support for certificatePolicies x509 extension in creation

Open FGasper opened this issue 6 years ago • 9 comments

I’m creating “bogus” x509 certificates for testing using forge.js. (https://tlstest.site) I’d like to use the certificatePolicies extension to indicate a DV or OV certificate.

I noticed that, while the certificatePolicies OID is in oids.js, there’s no direct mechanism to create that extension as there is for, e.g., subjectAltName.

I know there’s more to the extension than just DV/OV, but this would be a useful feature to have.

In case it’s potentially useful, here is my code for generating an extension that indicates a DV certificate:

const forge = require('node-forge');

// Builds a certificatePolicies extension holding a single PolicyInformation
// entry for the CA/Browser Forum domain-validated policy OID.
function _domain_validated() {
    const dv_oid = "2.23.140.1.2.1";

    const asn1 = forge.asn1;

    // certificatePolicies ::= SEQUENCE OF PolicyInformation
    var extvalue = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, []);

    // PolicyInformation ::= SEQUENCE { policyIdentifier OID, policyQualifiers OPTIONAL }
    var extcontent = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, []);

    // policyIdentifier, DER-encoded from the dotted OID string
    var oid = asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID,
        false, asn1.oidToDer(dv_oid).getBytes());

    extcontent.value.push(oid);
    extvalue.value.push(extcontent);

    // Extension object in the shape cert.setExtensions() accepts, with the
    // value supplied as a pre-built asn1 structure
    return {
        name: 'certificatePolicies',
        value: extvalue,
    };
}

Thank you for maintaining this project!

FGasper avatar May 24 '19 01:05 FGasper

Hello @FGasper ,

Did you find a way?

Thanks

fas3r avatar Jun 13 '19 22:06 fas3r

@fas3r: How do you mean? The code I pasted above indicates how to create enough of the extension to indicate DV.

FGasper avatar Jun 13 '19 22:06 FGasper

Hello @FGasper ,

Sorry, I meant: did you find a way to add it to the certificate? I'm not sure I understand how to add the extension when creating the x509 certificate.

Thanks in advance.

fas3r avatar Jun 14 '19 00:06 fas3r

Ah. Yes: look at the code in https://tlstest.site.

FGasper avatar Jun 14 '19 00:06 FGasper

Hello @FGasper ,

Thanks, it works great.

fas3r avatar Jun 14 '19 01:06 fas3r

Hello @FGasper ,

Do you know by any chance how to set the AuthorityInfoAccess extension for OCSP?

Thanks in advance for your help once again.

fas3r avatar Jun 14 '19 02:06 fas3r

Yes. Look at https://github.com/FGasper/p5-Crypt-Perl/blob/master/lib/Crypt/Perl/X509/Extension/authorityInfoAccess.pm (sorry … you’ll have to follow the inheritance), and translate that to how forge does the same manipulations.

FGasper avatar Jun 14 '19 02:06 FGasper

Hello @FGasper ,

You :rocket:, thanks

fas3r avatar Jun 14 '19 02:06 fas3r

I was also looking for this, since this is a requirement when generating certificates nowadays, and https://crt.sh/lintcert fails without it.

My full code for that extension is a bit simpler than the above, it looks like this:

// certificatePolicies ::= SEQUENCE OF PolicyInformation
const policyList = forge.asn1.create(forge.asn1.Class.UNIVERSAL, forge.asn1.Type.SEQUENCE, true, [
    // PolicyInformation ::= SEQUENCE { policyIdentifier OID, policyQualifiers OPTIONAL }
    forge.asn1.create(forge.asn1.Class.UNIVERSAL, forge.asn1.Type.SEQUENCE, true, [
        forge.asn1.create(
            forge.asn1.Class.UNIVERSAL,
            forge.asn1.Type.OID,
            false,
            forge.asn1.oidToDer('2.23.140.1.2.1').getBytes() // DomainVerified
        )
    ])
]);

// cert is a certificate from forge.pki.createCertificate()
cert.setExtensions([
  // ...
  { name: 'certificatePolicies', value: policyList }
]);

Would be great to get more featureful support for certificatePolicies built in to make this easier :+1:

pimterry avatar Jun 30 '22 12:06 pimterry
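As an added, dependency-free example (not code from this thread or from node-forge), here is the DER that the `asn1.create` structures above assemble for certificatePolicies, together with the authorityInfoAccess extension fas3r asked about, encoded and decoded by hand so the bytes can be compared against what forge emits and so a certificate's claimed policy can be checked. The OV/IV/EV policy OIDs and the OCSP/caIssuers access-method OIDs come from the CA/Browser Forum documents and RFC 5280, not from the page; the URLs are constructed samples.

```javascript
// Added example, not from the issue thread or from node-forge: a dependency-free
// DER encoder/decoder for certificatePolicies (RFC 5280 4.2.1.4) and
// authorityInfoAccess (RFC 5280 4.2.2.1). Definite-length DER only.

function derLength(n) {
  if (n < 0x80) return [n];
  const bytes = [];
  while (n > 0) { bytes.unshift(n & 0xff); n = Math.floor(n / 256); }
  return [0x80 | bytes.length, ...bytes];
}
function tlv(tag, content) { return [tag, ...derLength(content.length), ...content]; }
function sequence(...children) { return tlv(0x30, children.flat()); }

function encodeOid(oid) {
  const arcs = oid.split('.').map(Number);
  const out = [40 * arcs[0] + arcs[1]];
  for (const arc of arcs.slice(2)) {
    // base-128 groups, high bit set on every byte except the last
    const chunk = [];
    let v = arc;
    do { chunk.unshift(v & 0x7f); v = Math.floor(v / 128); } while (v > 0);
    for (let i = 0; i < chunk.length - 1; i++) chunk[i] |= 0x80;
    out.push(...chunk);
  }
  return tlv(0x06, out);
}

function decodeOid(content) {
  const arcs = [];
  let v = 0;
  for (const b of content) {
    v = v * 128 + (b & 0x7f);
    if (b & 0x80) continue;
    if (arcs.length === 0) {
      const first = v < 80 ? Math.floor(v / 40) : 2; // joint-iso-itu-t (2.x) starts at 80
      arcs.push(first, v - first * 40);
    } else {
      arcs.push(v);
    }
    v = 0;
  }
  return arcs.join('.');
}

// Reads one tag-length-value at pos, rejecting truncated input instead of
// silently returning a short value.
function readTlv(bytes, pos) {
  if (pos + 2 > bytes.length) throw new Error('DER: truncated header');
  const tag = bytes[pos];
  let len = bytes[pos + 1];
  let p = pos + 2;
  if (len & 0x80) {
    const n = len & 0x7f;
    if (p + n > bytes.length) throw new Error('DER: truncated length');
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + bytes[p++];
  }
  if (p + len > bytes.length) throw new Error('DER: truncated content');
  return { tag, content: bytes.slice(p, p + len), next: p + len };
}
function readChildren(content) {
  const out = [];
  for (let pos = 0; pos < content.length; ) { const t = readTlv(content, pos); out.push(t); pos = t.next; }
  return out;
}

// CA/Browser Forum policy OIDs (assumed here from the BRs / EV Guidelines)
const POLICY_NAMES = {
  '2.23.140.1.2.1': 'domain-validated',
  '2.23.140.1.2.2': 'organization-validated',
  '2.23.140.1.2.3': 'individual-validated',
  '2.23.140.1.1': 'extended-validation',
};

// certificatePolicies ::= SEQUENCE OF PolicyInformation
// PolicyInformation ::= SEQUENCE { policyIdentifier OID, policyQualifiers OPTIONAL }
function encodeCertificatePolicies(oids) {
  return sequence(...oids.map((o) => sequence(encodeOid(o))));
}
function decodeCertificatePolicies(der) {
  const outer = readTlv(Array.from(der), 0);
  if (outer.tag !== 0x30) throw new Error('certificatePolicies: expected SEQUENCE');
  return readChildren(outer.content).map((pi) => {
    const [id] = pi.tag === 0x30 ? readChildren(pi.content) : [];
    if (!id || id.tag !== 0x06) throw new Error('PolicyInformation: expected OID');
    const oid = decodeOid(id.content);
    return { oid, name: POLICY_NAMES[oid] || 'unknown' };
  });
}

const OID_OCSP = '1.3.6.1.5.5.7.48.1';       // id-ad-ocsp
const OID_CA_ISSUERS = '1.3.6.1.5.5.7.48.2'; // id-ad-caIssuers

// AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription
// AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName }
// GeneralName.uniformResourceIdentifier is [6] IMPLICIT IA5String, i.e. tag 0x86
function encodeAuthorityInfoAccess(entries) {
  return sequence(...entries.map(({ method, url }) =>
    sequence(encodeOid(method), tlv(0x86, Array.from(Buffer.from(url, 'ascii'))))));
}
function decodeAuthorityInfoAccess(der) {
  const outer = readTlv(Array.from(der), 0);
  if (outer.tag !== 0x30) throw new Error('authorityInfoAccess: expected SEQUENCE');
  return readChildren(outer.content).map((ad) => {
    const [m, loc] = ad.tag === 0x30 ? readChildren(ad.content) : [];
    if (!m || m.tag !== 0x06 || !loc) throw new Error('AccessDescription: malformed');
    if (loc.tag !== 0x86) throw new Error('accessLocation: only URI [6] handled here');
    return { method: decodeOid(m.content), url: Buffer.from(loc.content).toString('ascii') };
  });
}

const toHex = (bytes) => Buffer.from(bytes).toString('hex');

// Demo with constructed values
const dv = encodeCertificatePolicies(['2.23.140.1.2.1']);
console.log('certificatePolicies (DV):', toHex(dv), decodeCertificatePolicies(dv));
const aia = encodeAuthorityInfoAccess([{ method: OID_OCSP, url: 'http://ocsp.example.test' }]);
console.log('authorityInfoAccess:', toHex(aia), decodeAuthorityInfoAccess(aia));
```

The DV extension value comes out as `300a3008060667810c010201`: an outer SEQUENCE, one PolicyInformation SEQUENCE, and the OID `06 06 67 81 0c 01 02 01`, which is exactly the nesting the two forge snippets in this thread build. When inspecting a certificate, `decodeCertificatePolicies` is what tells you whether the issuer asserted DV, OV or EV; the decoder throws on truncated or mis-tagged input rather than guessing.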