000022567 - How to set AKI and SKI extensions in certificates created through RSA Certificate Manager API

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number000022567
Applies ToRSA Certificate Manager 6.6 API
IssueHow to set AKI and SKI extensions in certificates created through RSA Certificate Manager API
There is no example available in RSA Certificate Manager 6.6 API sample code or documentation for guidance on how to set the following certificate extensions:

Authority Key Identifier (AKI, OID 2.5.29.35)
Subject Key Identifier (SKI, OID 2.5.29.14)
ResolutionUpdate the sample code CASignCertificateWithExtensions (in directory samples\pkiSamples\SoftwarePKI\CASignCertificateWithExtensions) to add two functions, BuildAKIExtension() and BuildSKIExtension(), and call them from within BuildExtensions() alongside the other certificate extensions. Both extensions are created non-critical, as RFC 5280 requires, and both key identifiers are the SHA-1 digest of the respective public key (RFC 5280 section 4.2.1.2, method 1). Note that an AKI computed this way only matches the issuing CA's own SKI if the CA certificate's SKI was generated with the same method; verify this against the CA certificate before relying on key-identifier based chain building. The remaining changes are noted below:

// define OID for SKI extension
// id-ce-subjectKeyIdentifier (RFC 5280 section 4.2.1.2). No OID is needed for
// the AKI because it is built through the dedicated
// XudaCreateAuthorityKeyIdentifierExtension() call.
#define EXTENSION_SUB_KEY_ID_OID "2.5.29.14"


// Add a new function to construct AKI extension
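/*
 * BuildAKIExtension - add an AuthorityKeyIdentifier extension to a request.
 *
 * The keyIdentifier is the SHA-1 digest of the issuing CA's public key bits
 * (RFC 5280 section 4.2.1.1, keyIdentifier derived as in 4.2.1.2 method 1).
 * The CA is resolved from the jurisdiction named by the global juriID,
 * which the sample reads from the defs file.
 *
 * session   - open XUDA session used to select the jurisdiction and its CA.
 * reqObject - certificate request object whose "extensions" field receives
 *             the new extension.
 *
 * Returns XrcOK on success, or the failing XUDA return code from the
 * extension-creation / set-field step. As in the rest of the sample, failures
 * before that point terminate the process; the exit status is non-zero so a
 * scripted caller can detect the failure.
 *
 * NOTE(review): RFC 5280 requires the AKI keyIdentifier to equal the issuer's
 * SKI. Recomputing SHA-1 over the CA key only matches if the CA certificate's
 * own SKI was derived the same way; if the CA certificate already carries an
 * SKI, copying that value is the safer choice - confirm against the CA cert.
 * The extension is deliberately non-critical (isCritical = 0) as RFC 5280
 * mandates for AKI.
 */
XudaRC BuildAKIExtension(XudaSession session, XANY reqObject)
{
     XANY xanyAKIExt = NULL;
     XudaRC rc = XrcOK;
     XANY xanyHashVal = NULL;
     XANY caObject = NULL;
     XANY spki = NULL;
     XANY pubKeyBits = NULL;
     int isCritical = 0;
     XudaSession digestSession;
     int digestOpen = 0;   /* set only after XudaInit() succeeds, so an
                              uninitialised handle is never passed to
                              XudaEndSession() */

     if (juriID == NULL)
     {
         printf("juriID missing - it must be set in the defs file\n");
         exit(1);
     }
     rc = XudaSetResourceValue(session, XresJURISDICTION, XudaXPTUTF8Temp(juriID), NULL);
     if (rc != XrcOK)
     {
        printf("XudaSetResourceValue for XresJURISDICTION failed, errno %d\n", rc);
        exit(1);
     }
     /* get the xuda_ca object associated with the jurisdiction */
     rc = XudaJurisdictionGetCA(session, &caObject);
     if (rc != XrcOK)
     {
        printf("XudaJurisdictionGetCA() failed, errno %d\n", rc);
        exit(1);
     }
     /* only the SubjectPublicKeyInfo of the CA certificate is needed */
     rc = XudaCertificateGetComponents(caObject, NULL, NULL, NULL, NULL, NULL, &spki, NULL);
     if (rc == XrcOK)
     {
         /* assumed to yield the raw subjectPublicKey bits (RFC 5280 method 1
            hashes exactly those) - TODO confirm against the API reference */
         rc = XudaGetSPKIKeyBits(spki, &pubKeyBits);
     }
     if (rc == XrcOK)
     {
          rc = XudaInit(&digestSession, XresCRYPTODIGEST, XudaCryptoSHA1Digest, NULL);
          if (rc == XrcOK) digestOpen = 1;
     }
     if (rc == XrcOK)
     {
          rc = XudaDigest(digestSession, pubKeyBits, &xanyHashVal);
     }
     if (digestOpen) XudaEndSession(digestSession);
     if (rc != XrcOK)
     {
          printf("Unable to generate a hash for AKI\n");
          exit(1);
     }
     /* now create the AKI extension: keyIdentifier only, no issuer name/serial */
     rc = XudaCreateAuthorityKeyIdentifierExtension(isCritical, xanyHashVal, NULL, NULL, &xanyAKIExt);
     if (rc == XrcOK)
     {
         rc = XudaSetField(reqObject, "extensions", xanyAKIExt);
     }
     /* single cleanup path so nothing is leaked when extension creation fails */
     if (xanyHashVal != NULL) XudaFree(xanyHashVal);
     if (xanyAKIExt != NULL) XudaFree(xanyAKIExt);
     if (caObject != NULL) XudaFree(caObject);
     if (spki != NULL) XudaFree(spki);
     if (pubKeyBits != NULL) XudaFree(pubKeyBits);
     return rc;
}         // end of BuildAKIExtension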

// Add a new function to construct SKI extension
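/*
 * BuildSKIExtension - add a SubjectKeyIdentifier extension to a request.
 *
 * The keyIdentifier is the SHA-1 digest of the requester's public key bits
 * taken from the request's "spk" attribute (RFC 5280 section 4.2.1.2,
 * method 1). The extension is non-critical (isCritical = 0), as RFC 5280
 * mandates for SKI.
 *
 * reqObject - certificate request object; its "spk" attribute (PEM, possibly
 *             multi-valued) supplies the key and its "extensions" field
 *             receives the new extension.
 *
 * Returns XrcOK on success, or the failing XUDA return code from the
 * extension-creation / set-field step. As in the rest of the sample, failures
 * before that point terminate the process with a non-zero exit status.
 *
 * NOTE(review): only the first "spk" value is used. If a request can carry
 * more than one public key, the caller must make sure the first one is the
 * key that actually ends up in the certificate.
 */
XudaRC BuildSKIExtension(XANY reqObject)
{
     XANY xanySKIExt = NULL;
     XudaRC rc = XrcOK;
     XANY xanyHashVal = NULL;
     XANY spkiList = NULL;
     XANY spkiFirst = NULL;
     char *spkiPEM = NULL;
     XANY spki = NULL;
     XANY pubKeyBits = NULL;
     int isCritical = 0;
     XudaSession digestSession;
     int digestOpen = 0;   /* set only after XudaInit() succeeds, so an
                              uninitialised handle is never passed to
                              XudaEndSession() */

     if(reqObject == NULL)
     {
         printf("request object not set - unable to proceed with SKI extension\n");
         exit(1);
     }
     // retrieve public key from the request object
     rc = XudaGetField(reqObject, "spk", &spkiList);
     if (rc != XrcOK)
     {
         printf("Could not retrieve 'spk' attribute from request object, errno %d\n", rc);
         exit(1);
     }
     /* get the first item from the list (since 'spk' is multivalued) */
     rc = XudaXPTListFirst(spkiList, &spkiFirst);
     if (rc != XrcOK)
     {
         printf("Unable to extract first item from multi-valued 'spk' attribute, errno %d\n", rc);
         exit(1);
     }
     rc = XudaXPTUTF8Get(spkiFirst, &spkiPEM);
     if (rc != XrcOK)
     {
         printf("Unable to construct UTF8 string from 'spk', errno %d\n", rc);
         exit(1);
     }
     /* PEM -> DER SubjectPublicKeyInfo */
     rc = XudaXPTOctetsFromPem(&spki, spkiPEM);
     if (rc != XrcOK)
     {
         printf("Unable to convert PEM spk to Octects, errno %d\n", rc);
         exit(1);
     }
     /* assumed to yield the raw subjectPublicKey bits (RFC 5280 method 1
        hashes exactly those) - TODO confirm against the API reference */
     rc = XudaGetSPKIKeyBits(spki, &pubKeyBits);
     if (rc == XrcOK)
     {
         rc = XudaInit(&digestSession, XresCRYPTODIGEST, XudaCryptoSHA1Digest, NULL);
         if (rc == XrcOK) digestOpen = 1;
     }
     if (rc == XrcOK)
     {
         rc = XudaDigest(digestSession, pubKeyBits, &xanyHashVal);
     }
     if (digestOpen) XudaEndSession(digestSession);
     if (rc != XrcOK)
     {
         printf("Unable to generate a hash for SKI\n");
         exit(1);
     }
     // now create the SKI extension as a plain OCTET STRING under the SKI OID
     rc = XudaCreateOctetsExtension(EXTENSION_SUB_KEY_ID_OID, isCritical, xanyHashVal, &xanySKIExt);
     if (rc == XrcOK)
     {
         rc = XudaSetField(reqObject, "extensions", xanySKIExt);
     }
     /* single cleanup path so nothing is leaked when extension creation fails */
     if (xanyHashVal != NULL) XudaFree(xanyHashVal);
     if (xanySKIExt != NULL) XudaFree(xanySKIExt);
     if (spkiList != NULL) XudaFree(spkiList);
     if (spkiFirst != NULL) XudaFree(spkiFirst);
     if (spki != NULL) XudaFree(spki);
     if (pubKeyBits != NULL) XudaFree(pubKeyBits);
     if (spkiPEM != NULL) XudaMEMFREE(spkiPEM);
     return rc;
}         // end of BuildSKIExtension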


// Update the existing function BuildExtensions() definition to also pass
// the 'session' variable (to be used by BuildAKIExtension() to generate AKI extension)
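XudaRC BuildExtensions(XudaSession session, XANY reqObject)
{
...
     // add the following calls to set AKI/SKI extensions; the names must match
     // the two functions defined above (BuildAKIExtension / BuildSKIExtension)
     rc = BuildAKIExtension(session, reqObject);
     if (rc!=XrcOK) return rc;
     rc = BuildSKIExtension(reqObject);
     if (rc!=XrcOK) return rc;
...

}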

// Remember to update BuildRequest() so BuildExtensions() is called appropriately
XANY BuildRequest(XudaSession session)
{
...
     // NOTE(review): check rc here as the other extension calls do; otherwise a
     // failed BuildExtensions() silently leaves the request without AKI/SKI.
     rc = BuildExtensions(session, spReqObj);
...
}
Legacy Article IDa29251
