000021770 - How to override extension handler in RSA BSAFE BCERT

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000021770
Applies To: RSA BSAFE BCERT
The certificate has a basicConstraints extension marked as non-critical.
The certificate has an authorityKeyIdentifier extension whose value is an empty SEQUENCE (0x30 0x00).
Issue: How to override an extension handler in RSA BSAFE BCERT.
C_SetCertBER returns error 1834 (E_CERT_EXTENSIONS).
Resolution: Add the following code to demo.c:

/* Forward declaration of the new menu action referenced from MAIN_MENU. */
static void DoSetCert PROTO_LIST ((SESSION_CTX *));

/* Menu table for demo.c: each entry pairs the menu text with the handler
   that runs when the user picks it. The {0, 0} sentinel terminates the list. */
Entry MAIN_MENU[] = { 
  {"F - Fulfill PKCS Certificate Request", DoFulfillCertRequest}, 
  {"G - Generate PKCS Certificate Request", DoGenerateCertRequest},
  {"R - Revoke Certificate", DoRevokeCert},
  {"S - Set Certificate", DoSetCert},  /* ADDED: parse a certificate with the relaxed extension handling */
  {0, 0}
};

/* Re-register the basicConstraints extension type on applContext so that
   its criticality is forced to NON_CRITICAL; the existing handler is kept.

   Reviewer note: this relaxes the library's check on that extension, and
   because the registration lives on applContext and is not undone here it
   presumably stays in effect for every certificate later parsed with that
   context. RFC 5280 requires basicConstraints to be critical in CA
   certificates, so limit this to the certificates that actually need it.

   Returns 0 on success, otherwise the BCERT status of the failing call. */
int OverrideBasicConstraintsCriticality (applContext)
APPL_CTX applContext;
{
  EXTENSION_TYPE_INFO info;
  int rc;

  /* Fetch the registration currently in effect for basicConstraints. */
  rc = C_GetExtensionTypeInfo (applContext, ET_BASIC_CONSTRAINTS,
                               ET_BASIC_CONSTRAINTS_LEN, &info);
  if (rc != 0)
    return (rc);

  /* Only the criticality is changed; handler and everything else stay. */
  info.overrideCriticality = 1;
  info.criticality = NON_CRITICAL;

  return (C_RegisterExtensionType (applContext, &info));
}  /* end OverrideBasicConstraintsCriticality */

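/* Replace the authorityKeyIdentifier extension handler on applContext with
   the library's handler for unknown extension types, so that a certificate
   whose authorityKeyIdentifier is an empty SEQUENCE (0x30 0x00) no longer
   fails in C_SetCertBER.

   Reviewer note: the unknown-type handler carries the extension value as a
   raw ITEM (see the comment on the temporary context below) rather than
   decoding it, so after this call the authorityKeyIdentifier contents are
   presumably no longer interpreted by BCERT for certificates parsed with
   applContext; anything that relies on that extension (e.g. issuer lookup)
   must be handled by the caller. The registration is not undone here.

   Fix over the published listing: C_RegisterExtensionType's status is now
   checked before the "successful" message is printed.

   Returns 0 on success, otherwise the BCERT status of the failing call. */
int OverrideAuthorityKeyIdentifierExtension (applContext)
APPL_CTX applContext;
{
  int status = 0;
  APPL_CTX newApplContext = (APPL_CTX)NULL_PTR;
  EXTENSION_TYPE_INFO unknownExtTypeInfo;
  EXTENSION_TYPE_INFO extTypeInfo;

  do { 
    /* A fresh, unmodified application context is used to look up the
       default handler for the unknown extension type, where ITEM is used
       for the extension value data structure. */
    status = C_InitializeApplContext (&newApplContext);
    if (status != 0)
      break;

    status = C_GetExtensionTypeInfo (newApplContext, ET_UNKNOWN_TYPE,
                                     ET_UNKNOWN_TYPE_LEN,
                                     &unknownExtTypeInfo);
    if (status != 0)
      break;
    printf("- C_GetExtensionTypeInfo for ET_UNKNOWN_TYPE successful.\n");

    /* Start from the registration currently in effect for
       authorityKeyIdentifier on the caller's context. */
    status = C_GetExtensionTypeInfo (applContext, ET_AUTHORITY_KEY_ID,
                                     ET_AUTHORITY_KEY_ID_LEN,
                                     &extTypeInfo);
    if (status != 0)
      break;
    printf("- C_GetExtensionTypeInfo for ET_AUTHORITY_KEY_ID successful.\n");

    /* Force non-critical and swap in the raw (unknown-type) handler. */
    extTypeInfo.overrideCriticality = 1;
    extTypeInfo.criticality = NON_CRITICAL;
    extTypeInfo.handler = unknownExtTypeInfo.handler;

    status = C_RegisterExtensionType (applContext, &extTypeInfo);
    if (status != 0)
      break;
    printf("- C_RegisterExtensionType for ET_AUTHORITY_KEY_ID successful.\n");

  } while (0);

  /* Release the temporary context. This is reached on every path, including
     when C_InitializeApplContext failed and newApplContext is still NULL_PTR. */
  C_FinalizeApplContext (&newApplContext);

  return (status);
}  /* end OverrideAuthorityKeyIdentifierExtension */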
 
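/* Read a BER-encoded certificate from a file named by the user, register the
   relaxed extension handling on the session's application context, and parse
   the certificate into a temporary CERT_OBJ with C_SetCertBER.

   Reviewer note: the overrides are registered on sessionContext->applContext
   and are not undone here, so they presumably apply to every certificate
   parsed with that context afterwards, not only to this one.

   Fix over the published listing: the function body's opening brace was
   missing after the parameter declaration.

   Returns 0 on success, otherwise the status of the first failing call. The
   certificate object and the file buffer are released on every path. */
int SetCert (sessionContext)
SESSION_CTX *sessionContext;
{
  CERT_OBJ certObject = (CERT_OBJ)NULL_PTR;  
  ITEM certBER;
  int status = 0;
 
  /* Keep the buffer descriptor well-defined for the cleanup below even if
     ReadFromFile never runs or fails. */
  certBER.data = NULL_PTR;
  certBER.len = 0;

  do {     
    /* Read in the certificate */
    if ((status = ReadFromFile
         (&certBER, "certificate to set", &sessionContext->ioContext))
         != 0)
      break;

    /* Override the criticality of the basicConstraints extension */
    if ((status = OverrideBasicConstraintsCriticality
        (sessionContext->applContext)) != 0)
      break;
    printf("OverrideBasicConstraintsCriticality successful.\n");

    /* Override the authorityKeyIdentifier extension handler to
         allow an empty SEQUENCE */
    if ((status = OverrideAuthorityKeyIdentifierExtension
        (sessionContext->applContext)) != 0)
      break;
    printf("OverrideAuthorityKeyIdentifierExtension successful.\n");

    /* Provide the application context here, so that extensions
       included in certBER may be received properly. */
    if ((status = C_CreateCertObject
        (&certObject, sessionContext->applContext)) != 0)
      break;

    /* This is the call that returned 1834 (E_CERT_EXTENSIONS) before the
       handlers above were overridden. */
    if ((status = C_SetCertBER (certObject, certBER.data, certBER.len)) != 0)
      break;

  } while (0);

  /* Cleanup runs on every path; certObject may still be NULL_PTR and
     certBER.data may still be NULL_PTR when an early step failed. */
  C_DestroyCertObject (&certObject);
  T_free ((POINTER)certBER.data);
  return (status);
}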

/* Menu action "S - Set Certificate": run SetCert on the session and report
   the outcome through the session's I/O context. A non-zero status from
   SetCert is handed to PrintMessage as its third argument (presumably so
   the BCERT error code is displayed). */
static void DoSetCert (sessionContext)
SESSION_CTX *sessionContext;
{
  int rc = SetCert (sessionContext);

  if (rc == 0) {
    PrintMessage ("The certificate has been set!",
                  0, IO_CTX_PROMPT, &sessionContext->ioContext);
    return;
  }

  PrintMessage ("Failed to set the certificate!", 0, rc,
                &sessionContext->ioContext);
}

Legacy Article ID: a24950
