000026127 - Create a BER-encoded key usage extension with the Cert-C API.

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000026127
Applies To: RSA BSAFE Cert-C
Use the exten.c sample program that ships with Cert-C, and trace through the execution of that program to see how an extensions object with a key usage extension is created and set.
Issue: Create a BER-encoded key usage extension with the Cert-C API.
The goal is to set the digitalSignature, keyEncipherment, dataEncipherment, and keyAgreement bits in the key usage BIT STRING.
C_SetExtensionBER was called with the BER value 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x00, 0xb8 to set a key usage extension in an extensions object. When C_GetExtensionValue is subsequently called to retrieve the key usage extension value, it returns an unexpected value of 0x17 instead of 0xb8.
Cause: You can run the exten.exe sample program to produce a binary containing a key usage extension set with the following value:

 03 02 03 B8

B8 is, of course, the following binary value:

 1011 1000

Therefore bits 0, 2, 3, and 4 are set, i.e. digitalSignature, keyEncipherment, dataEncipherment, and keyAgreement. So as far as the first part goes, B8 is correct. Further, to properly BER-encode the extension, all bits to the right of the last set bit must be marked as unused; that is why Cert-C marks 3 unused bits. Sections 8.6 and 11.2 of X.690 discuss the BER encoding of a bit string value.

Because the final used bit on the right is set and everything to the right of it is supposed to be unused, when you supply the extension value below (00 B8, i.e. 0 unused bits declared for B8), this is probably what happens:

 1011 1000 => 0001 0111 => 0x00 0x17 (0 unused bits in 0x17)

In short, the easiest way to properly set the key usage extension is to do it the way the demo code does: bitwise-OR the desired CF_* flags into a UINT4, then call C_CreateExtension and C_AddExtensionValue on the EXTENSIONS_OBJ. (See extnutil.c and extnhelp.c, or trace the execution of exten.c.)

You can also run the exten.exe sample to display the binary you generated.
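As an added illustration of the unused-bits rule described above (this is standalone example code, not Cert-C code or the exten.c sample, and the KU_* names and function names are this example's own), the following C builds the keyUsage BIT STRING and the full extension TLV from a flag mask, computing the unused-bit count so that B8 comes out as 03 02 03 B8, and parses a BIT STRING back, rejecting one in which a bit declared unused is set. It also handles the ninth bit, decipherOnly, which needs a second octet.

```c
#include <string.h>

/* Flag bit i = RFC 5280 KeyUsage bit i (bit 0 is the MSB of the first BIT STRING octet). */
#define KU_DIGITAL_SIGNATURE (1u << 0)
#define KU_KEY_ENCIPHERMENT  (1u << 2)
#define KU_DATA_ENCIPHERMENT (1u << 3)
#define KU_KEY_AGREEMENT     (1u << 4)
#define KU_DECIPHER_ONLY     (1u << 8)   /* bit 8 needs a second octet */
static const unsigned char KEY_USAGE_OID[] = {0x06, 0x03, 0x55, 0x1d, 0x0f}; /* 2.5.29.15 */

/* BIT STRING TLV for the flags; trailing zero bits are dropped and counted as unused (X.690 8.6/11.2). */
size_t encode_key_usage_bitstring(unsigned flags, unsigned char out[5])
{
    unsigned bits = 0, unused = 0, last;
    size_t nbytes = 0;
    for (unsigned i = 0; i < 9; i++)
        if (flags & (1u << i)) bits |= 0x8000u >> i;      /* flag i -> MSB-first bit i */
    if (bits & 0xFFu) nbytes = 2; else if (bits) nbytes = 1;
    last = (nbytes == 2) ? (bits & 0xFFu) : (bits >> 8);  /* last emitted octet */
    while (nbytes && !(last & 1u)) { last >>= 1; unused++; }
    out[0] = 0x03; out[1] = (unsigned char)(1 + nbytes); out[2] = (unsigned char)unused;
    if (nbytes >= 1) out[3] = (unsigned char)(bits >> 8);
    if (nbytes == 2) out[4] = (unsigned char)(bits & 0xFFu);
    return 3 + nbytes;
}

/* Extension ::= SEQUENCE { OID 2.5.29.15, OCTET STRING { BIT STRING } } */
size_t encode_key_usage_extension(unsigned flags, unsigned char out[16])
{
    unsigned char bs[5];
    size_t bslen = encode_key_usage_bitstring(flags, bs), n = 0;
    out[n++] = 0x30; out[n++] = (unsigned char)(sizeof KEY_USAGE_OID + 2 + bslen);
    memcpy(out + n, KEY_USAGE_OID, sizeof KEY_USAGE_OID); n += sizeof KEY_USAGE_OID;
    out[n++] = 0x04; out[n++] = (unsigned char)bslen; memcpy(out + n, bs, bslen);
    return n + bslen;
}

/* Parse a BIT STRING TLV back into flags; -1 if malformed or if a declared-unused bit is set. */
int decode_key_usage_bitstring(const unsigned char *in, size_t len, unsigned *flags)
{
    if (len < 3 || len > 5 || in[0] != 0x03 || in[1] != len - 2 || in[2] > 7 ||
        (len == 3 && in[2] != 0)) return -1;
    size_t nbytes = len - 3;
    unsigned bits = 0, total = (unsigned)(8 * nbytes) - in[2];   /* number of used bits */
    for (size_t b = 0; b < nbytes; b++) bits |= (unsigned)in[3 + b] << (8 * (1 - b));
    if (nbytes && (bits & (0xFFFFu >> total))) return -1;        /* unused bit is set */
    *flags = 0;
    for (unsigned i = 0; i < 9 && i < total; i++)
        if (bits & (0x8000u >> i)) *flags |= 1u << i;
    return 0;
}
```

Feeding the page's own value 03 02 00 B8 to the decoder yields the same four flags, since 0 unused bits is legal BER, only not the canonical encoding; 03 02 03 B9, where a bit declared unused is set, is rejected.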
Resolution: Do not use C_SetExtensionBER to set a key usage value extension (or any of the extensions for which extension handlers exist in the toolkit). It is much easier to do a C_CreateExtension and then a C_AddExtensionValue with the CF_* flags to create and set an individual extension in an EXTENSIONS_OBJ.
Legacy Article ID: a535