crlDistributionPoints dirName


I am a new user of pyOpenSSL. I want to make a certificate with the following code:

from OpenSSL import crypto as c

cert = c.X509()
cert.add_extensions([
    c.X509Extension('crlDistributionPoints', False, 'dirName:/C=US/O=TEST'),
])

This code doesn't work; can anyone help me? pyOpenSSL seems not to support dirName. This, on the other hand, can work:

cert.add_extensions([
    c.X509Extension('crlDistributionPoints', False, 'URI:http://somesite'),
])

There are 2 answers

RikNL

I had exactly the same problem and, although I also couldn't find a real solution, I managed to put together a sort of workaround to get it done via Python. This page explains the formatting, http://openssl.org/docs/apps/x509v3_config.html#CRL-distribution-points, and also an option to use raw DER bytes (section: ARBITRARY EXTENSIONS).

First 'collect' the DER bytes from a certificate which already has the correct URI and dirName. Alternatively, make a certificate with openssl with the correct crlDistributionPoints; tmpcert in this example is that certificate. Also figure out which extension index is used: get_short_name will give the 'key' of the extension, so search for crlDistributionPoints. Collect it using:

from binascii import hexlify

# tmpcert: an OpenSSL.crypto.X509 that already carries the wanted CDP
print(tmpcert.get_extension(5).get_short_name())
print(hexlify(tmpcert.get_extension(5).get_data()))

Afterwards, format this output and use it in the initialiser of X509Extension():

crypto.X509Extension('crlDistributionPoints', False,
                     "DER:30:6a:xx:xx:xx:..........:xx:xx")

As one understands, this is quite a 'hardcoded' solution; there is no straightforward way of altering the content of this field this way.

Adi Roiban

Here is a way in which you can generate the DER. It does not include the code for dirName, but I hope it gives an idea of how you can construct the DER:

import binascii

from OpenSSL import crypto
from pyasn1.codec.der import encoder as der_encoder
from pyasn1.type import tag
from pyasn1_modules import rfc2459

class GeneralNames(rfc2459.GeneralNames):
    """
    rfc2459 has wrong tagset.
    """
    tagSet = tag.TagSet(
        (),
        tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0),
        )

class DistributionPointName(rfc2459.DistributionPointName):
    """
    rfc2459 has wrong tagset.
    """
    tagSet = tag.TagSet(
        (),
        tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0),
        )

cdps = [('uri', 'http://something'), ('dns', 'some.domain.com')]

cdp = rfc2459.CRLDistPointsSyntax()
position = 0
for cdp_type, cdp_value in cdps:
    cdp_entry = rfc2459.DistributionPoint()

    general_name = rfc2459.GeneralName()

    if cdp_type == 'uri':
        general_name.setComponentByName(
            'uniformResourceIdentifier',
            cdp_value,
            )
    elif cdp_type == 'dns':
        general_name.setComponentByName(
            'dNSName',
            cdp_value,
            )

    general_names = GeneralNames()
    general_names.setComponentByPosition(0, general_name)

    name = DistributionPointName()
    name.setComponentByName('fullName', general_names)
    cdp_entry.setComponentByName('distributionPoint', name)

    cdp.setComponentByPosition(position, cdp_entry)
    position += 1

cdp_der = der_encoder.encode(cdp)

extensions = []
extensions.append(
    crypto.X509Extension(
        b'crlDistributionPoints',
        False,
        # OpenSSL's arbitrary-extension syntax takes the raw extension body as hex
        b'DER:' + binascii.hexlify(cdp_der),
        ),
    )
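Added example, not part of the question or of either answer above: the second answer stops short of the dirName case the question actually asked about, so the following standard-library-only Python hand-encodes the same CRLDistributionPoints structure (RFC 5280, section 4.2.1.13) as raw DER, including a directoryName GeneralName, and formats it as the `DER:` value that pyOpenSSL hands to OpenSSL's arbitrary-extension syntax. It generalises both answers: like the pyasn1 version it builds the bytes from a list of (kind, value) pairs, and like the first answer it ends up with a `DER:hh:hh:...` string. Assumptions: the OpenSSL one-line `/C=US/O=TEST` form is parsed by this helper (OpenSSL itself never sees it), only the attribute types C, ST, L, O, OU and CN are mapped to OIDs, and the pyOpenSSL call at the bottom only runs as a script when pyOpenSSL is installed.

```python
"""Hand-built DER for a crlDistributionPoints extension (added example).

Tag layout, from RFC 5280:
  CRLDistributionPoints ::= SEQUENCE OF DistributionPoint        -> 0x30
  DistributionPoint     ::= SEQUENCE { distributionPoint [0] ... } -> 0x30 / 0xA0 (EXPLICIT, content is a CHOICE)
  DistributionPointName ::= CHOICE { fullName [0] GeneralNames }   -> 0xA0 (IMPLICIT over SEQUENCE)
  GeneralName           ::= CHOICE { dNSName [2], directoryName [4], uniformResourceIdentifier [6] }
"""
import binascii

# X.520 attribute-type OIDs for the DN components this helper understands (assumption: others are rejected).
ATTR_OIDS = {"C": "2.5.4.6", "ST": "2.5.4.8", "L": "2.5.4.7",
             "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3"}


def der_length(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """One tag-length-value element."""
    return bytes([tag]) + der_length(len(body)) + body


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))


def encode_name(dn):
    """Name ::= SEQUENCE OF RDN, RDN ::= SET OF AttributeTypeAndValue.
    Takes the OpenSSL one-line form '/C=US/O=TEST' (parsed here, not by OpenSSL).
    countryName must be PrintableString; everything else is emitted as UTF8String."""
    rdns = b""
    for part in dn.strip("/").split("/"):
        key, _, value = part.partition("=")
        string_tag = 0x13 if key == "C" else 0x0C
        atv = tlv(0x30, encode_oid(ATTR_OIDS[key]) + tlv(string_tag, value.encode("utf-8")))
        rdns += tlv(0x31, atv)
    return tlv(0x30, rdns)


def encode_general_name(kind, value):
    """GeneralName CHOICE. The IA5String alternatives are IMPLICIT (primitive context tag);
    directoryName is EXPLICIT because Name is itself a CHOICE, so [4] wraps the inner SEQUENCE."""
    if kind == "dns":
        return tlv(0x82, value.encode("ascii"))
    if kind == "uri":
        return tlv(0x86, value.encode("ascii"))
    if kind == "dirName":
        return tlv(0xA4, encode_name(value))
    raise ValueError("unsupported GeneralName type: %r" % (kind,))


def encode_crl_distribution_points(points):
    """`points` is a list of DistributionPoints, each a list of (kind, value) GeneralNames."""
    dps = b""
    for names in points:
        general_names = tlv(0xA0, b"".join(encode_general_name(k, v) for k, v in names))
        dp_name = tlv(0xA0, general_names)  # [0] EXPLICIT distributionPoint around the CHOICE
        dps += tlv(0x30, dp_name)
    return tlv(0x30, dps)


def pyopenssl_der_value(points):
    """The bytes X509Extension() accepts: 'DER:' followed by colon-separated hex."""
    hexstr = binascii.hexlify(encode_crl_distribution_points(points)).decode("ascii")
    return b"DER:" + ":".join(hexstr[i:i + 2] for i in range(0, len(hexstr), 2)).encode("ascii")


if __name__ == "__main__":
    value = pyopenssl_der_value([[("uri", "http://somesite/ca.crl"), ("dirName", "/C=US/O=TEST")]])
    print(value.decode("ascii"))
    try:
        from OpenSSL import crypto
    except ImportError:
        print("pyOpenSSL not installed; DER value printed above")
    else:
        ext = crypto.X509Extension(b"crlDistributionPoints", False, value)
        print(ext)  # OpenSSL pretty-prints the URI and DirName entries back
```

Feed the result to `cert.add_extensions([...])` exactly as in the question, replacing the `dirName:...` string. A quick independent check is `openssl asn1parse -inform DER -i` over the raw bytes, which should show the nested [0] / [0] / [4] context tags around the DN. One caveat worth knowing before shipping such a certificate: a directoryName distribution point tells relying parties to fetch the CRL from a directory (X.500/LDAP) entry with that DN, and most TLS validators only follow URI distribution points, so the dirName entry is usually paired with a URI rather than used alone.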