
Creating device CSR, how to get the certificate definition i.e atcacert_def_t #12

Open
umanayana opened this issue Aug 31, 2018 · 1 comment

Comments

@umanayana

I am trying to create the CSR for the device so I can create the device certificate. In order to create the CSR I need to create the CSR template (i.e. atcacert_def_t). To create the CSR template I am looking at the Python script cert2certdef.py, which takes a CSR using --device-csr.

The CSR I feed the script is a CSR that I generate using OpenSSL with specific certificate elements such as organization name, etc. The CSR is not the correct one for the device because the key pair used to create it is wrong, but the common elements would be correct. (I assume so.)

I then plan to use the CSR template definition (atcacert_def_t) with the atcacert_create_csr() method to create the device CSR.

Is this the correct way to achieve this?

@CarlMitchellKT

I just had to go through this. The way I did it was to create a CSR with OpenSSL, take the DER output as hex and put it into the ASN.1 decoder at http://lapo.it/asn1js/, and then set all the std_cert_elements offsets based on their offsets in the DER. Then I used the DER as the cert template.

Things to note: the public key offset is to the start of the public key data, not the start of the ASN.1 data. E.g. for me the ASN.1 bit string has offset 95, length 2+66, starting 03 42 00 04 0E... The 03 42 are the "2+" encoding the type and length, the 00 04 are padding (really they're to ensure the value is positive, since ASN.1 can't encode unsigned integers), and the 0E is the actual start of the public key. So the cert element gets offset 99 and count 64. The signature, on the other hand, just gets its cert element offset set to the same offset as the start of the ASN.1 bit string (NOT the sequence within that), and count 64, despite the ASN.1 bit string including padding and sizes. E.g. the signature I have is

03 49 00 30 46 02 21 00 8C 74 48 0D 37 FD C6 5D 37 7D 8D 6A 96 BC BD 56 29 DC E2 54 3B 17 70 45 61 E6 1D 50 7B 97 5B 4F 02 21 00 F9 F4 EE 60 C8 22 1E E2 31 50 79 2A 05 66 32 54 7C 18 42 BD D0 F1 23 1E A0 BE 50 3C 74 51 A0 34

and the 03 byte is at offset 175. So the cert element is
{ .offset = 175, .count = 64 }
despite the first 7 bytes (and the later 02 21) being ASN.1 metadata.
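
Added example (not code from the issue or from the library it discusses): a small Python script that builds a constructed P-256 CSR in DER, then walks the TLV structure to derive the two std_cert_elements offsets the way the comment above describes, so the values can be checked instead of read off an ASN.1 decoder by hand. The subject, key bytes and signature bytes are all constructed placeholders (the signature is not valid), and the `tlv`, `build_csr` and `cert_elements` helper names are this example's own.

```python
def tlv(tag, body):
    """Minimal DER TLV encoder (definite lengths up to 65535 bytes)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def der_int(value):
    """DER INTEGER from big-endian bytes; prepend 00 if the high bit is set."""
    return tlv(0x02, (b"\x00" if value[0] & 0x80 else b"") + value)

def parse_tlv(buf, pos):
    """Return (tag, header_len, body_len) of the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, 2, first
    nbytes = first & 0x7F
    return tag, 2 + nbytes, int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")

def children(buf, pos):
    """(offset, tag, header_len, body_len) of each child of the constructed TLV at pos."""
    _, hdr, blen = parse_tlv(buf, pos)
    out, cur = [], pos + hdr
    while cur < pos + hdr + blen:
        t, h, l = parse_tlv(buf, cur)
        out.append((cur, t, h, l))
        cur += h + l
    return out

def build_csr(pubkey_xy, sig_r, sig_s):
    """Constructed P-256 CSR in RFC 2986 layout with placeholder key and signature (not a valid signature)."""
    ec_pub, p256 = bytes.fromhex("2a8648ce3d0201"), bytes.fromhex("2a8648ce3d030107")
    ecdsa_sha256 = bytes.fromhex("2a8648ce3d040302")
    subject = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"device"))))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, ec_pub) + tlv(0x06, p256)) + tlv(0x03, b"\x00\x04" + pubkey_xy))
    cri = tlv(0x30, tlv(0x02, b"\x00") + subject + spki + tlv(0xA0, b""))
    signature = tlv(0x03, b"\x00" + tlv(0x30, der_int(sig_r) + der_int(sig_s)))
    return tlv(0x30, cri + tlv(0x30, tlv(0x06, ecdsa_sha256)) + signature)

def cert_elements(csr):
    """Return {'public_key': (offset, count), 'signature': (offset, count)} for the std_cert_elements."""
    top = children(csr, 0)                       # [certificationRequestInfo, signatureAlgorithm, signature]
    cri = children(csr, top[0][0])               # [version, subject, subjectPKInfo, attributes]
    spki = children(csr, cri[2][0])              # [algorithm, subjectPublicKey BIT STRING]
    pk_off, pk_tag, pk_hdr, _ = spki[1]
    sig_off, sig_tag, _, _ = top[2]
    assert pk_tag == sig_tag == 0x03, "expected BIT STRING for public key and signature"
    # Public key: skip the BIT STRING header, the unused-bits byte (00) and the uncompressed-point marker (04).
    # Signature: offset of the BIT STRING tag itself, count 64 for raw R||S, as described in the comment above.
    return {"public_key": (pk_off + pk_hdr + 2, 64), "signature": (sig_off, 64)}

# Constructed sample: 64 key bytes starting at 0x0E, r/s with the high bit set so each INTEGER gets a 00 pad.
SAMPLE_CSR = build_csr(bytes(range(0x0E, 0x0E + 64)), bytes([0x8C] * 32), bytes([0xF9] * 32))
# cert_elements(SAMPLE_CSR) -> {'public_key': (54, 64), 'signature': (132, 64)}
```

Against a real OpenSSL CSR the same walk applies, since `cert_elements` only depends on the RFC 2986 field order; the signature in this sample deliberately encodes as 03 49 00 30 46 02 21 00 ..., the same shape as the one quoted above.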
