[Cryptography-dev] How to add the extension 'subject directory attributes' to a certificate using Python?
Paul Kehrer
paul.l.kehrer at gmail.com
Fri Dec 9 16:28:10 EST 2016
The error you're seeing is because OpenSSL doesn't have a shortname mapping
to an extension type for that (unusual) extension. I believe you can create
it using the OpenSSL conf ASN.1 syntax but help with that is outside the
scope of this mailing list, sorry!
On December 8, 2016 at 8:13:54 AM, Aow Tea (aowtea at gmail.com) wrote:
Dear everyone,
I am having trouble adding the extension 'subject directory
attributes' to a certificate using Python. I have tried to use
'subjectDirAttrs' and 'subjectDirectoryAttributes', but neither of them
works. The error is 'OpenSSL.crypto.Error: [('X509 V3 routines',
'DO_EXT_NCONF', 'unknown extension name'), ('X509 V3 routines',
'X509V3_EXT_nconf', 'error in extension')]'.
I have installed PyOpenSSL v16.1.0 and imported crypto from OpenSSL
as the code below shows. My programming environment is Ubuntu 16.04.1 x64
and Python 2.7.12. Can anyone give a practical solution?
In addition, when I want to add another extension 'certificate
policies', the error is 'OpenSSL.crypto.Error: [('X509 V3 routines',
'DO_EXT_NCONF', 'no config database'), ('X509 V3 routines',
'X509V3_EXT_nconf', 'error in extension')]'. Can anyone tell me how to add
this extension to a certificate?
Thanks in advance!
# My code
#! /usr/bin/env python
from OpenSSL import crypto
newSubject=crypto.X509Name(crypto.X509().get_subject())
newSubject.C='US'
newSubject.ST='California'
newSubject.O='University of California, Davis'
newSubject.OU='Computer Science, UCDavis'
newSubject.CN='www.cs.ucdavis.edu'
newCert=crypto.X509()
newCert.set_version(2)
newCert.set_serial_number(2016120711)
newCert.set_notBefore('20161207125959Z')
newCert.set_notAfter('20171207125959Z')
newCert.set_issuer(newSubject)
newCert.set_subject(newSubject)
pkObject=crypto.PKey()
pkObject.generate_key(crypto.TYPE_RSA,2048)
newCert.set_pubkey(pkObject)
newExt=crypto.X509Extension('basicConstraints', True, 'CA:true')
newCert.add_extensions([newExt])
newExt=crypto.X509Extension('subjectDirAttrs', True, 'something')
newCert.add_extensions([newExt])
newCert.sign(pkObject,'sha256')
with open('sample.pem','w') as f:
    f.write(crypto.dump_certificate(crypto.FILETYPE_PEM,newCert))
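Added example, not part of the thread and not code from the pyOpenSSL or cryptography projects: one way to get this extension into a certificate without an OpenSSL short name is to DER-encode the value yourself and attach it under its OID, 2.5.29.9. It assumes Python 3.8+ and a current `cryptography` release; the function names are hypothetical and the attribute (countryOfCitizenship from RFC 3739, value "US") is a constructed sample.

```python
# Added example; function names and the sample attribute are assumptions.
import datetime

def der(tag, body):
    """One DER TLV with a short- or long-form definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def der_oid(dotted):
    """OBJECT IDENTIFIER from dotted text (second arc assumed < 40)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]            # base-128, low group first
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))

def subject_directory_attributes(attrs):
    """SEQUENCE OF Attribute {OID, SET OF value}; one PrintableString each."""
    return der(0x30, b"".join(
        der(0x30, der_oid(oid) + der(0x31, der(0x13, value.encode("ascii"))))
        for oid, value in attrs))

def build_certificate_pem(ext_der):
    """Self-signed test certificate carrying ext_der as extension 2.5.29.9."""
    from cryptography import x509
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import rsa
    from cryptography.x509.oid import NameOID
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.cs.ucdavis.edu")])
    now = datetime.datetime.now(datetime.timezone.utc)
    ext = x509.UnrecognizedExtension(x509.ObjectIdentifier("2.5.29.9"), ext_der)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(ext, critical=False)  # RFC 5280 4.2.1.8: non-critical
            .sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM))

if __name__ == "__main__":
    value = subject_directory_attributes([("1.3.6.1.5.5.7.9.4", "US")])
    print("2.5.29.9 = DER:" + value.hex(":"))  # OpenSSL arbitrary-extension form
    print(build_certificate_pem(value).decode())
```

The first line printed uses the `OID = DER:hex` arbitrary-extension form from OpenSSL's x509v3_config documentation, which is the route for extensions OpenSSL has no handler for.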