adding certificate policies extension in CSR

Question

I am trying to add a "certificate policies" extension in CSR using openssl (version 1.0.1.e).

1. Is the certificate requester allowed to deal with certificate policies or only CA should do it?

2. Based on function mkreq() in file openssl/demos/x509/openssl/demos/x509/mkreq.c, I added the following line:

    add_ext(exts, NID_certificate_policies, "1.3.6.1");
   

Unfortunately it leads to a segmentation fault. Is the syntax correct? Any clue what is wrong?

Answer 1

1. Yes, certificate requester is allowed to insert certificate policy or any other extension. But the Certificate Authority might validate the request or reject it.

2. Per default the openssl configuration file, openssl.cnf, includes the following setting for CRS extension:

   [ v3_req ]
   
   # Extensions to add to a certificate request
   
   basicConstraints = CA:FALSE
   keyUsage = nonRepudiation, digitalSignature, keyEncipherment 
   

In order to support certificate_policies extension, "certificatePolicies" settings have to be added in this section.

Answer 2

Solved add_ext contains call to function

X509V3_EXT_conf_nid(NULL, NULL, nid, (char *)value);

The Context argument is NULL, if you rewrite this function with context, and your segfault will be fixed. f.example

int add_ext_by_name(STACK_OF(X509_EXTENSION) *sk, const char *name, const char *value)
{
    X509_EXTENSION *ex;
    X509V3_CTX ctx;
    X509V3_set_ctx_test(&ctx);
    ex = X509V3_EXT_nconf(NULL, &ctx, name, value);
    if (!ex) {
        printf("%s: %s\n", tr("no ext"), name);
        return 0;
    }
    sk_X509_EXTENSION_push(sk, ex);
    return 1;
}

call to

add_ext_by_name(exts, "certificatePolicies", "1.2.643.100.113.1, 1.2.643.100.113.2");

will be successful. Funtion with NID argument you can write by yourself :)