[Cryptography-dev] Adding support for Admissions extension
Oleg Höfling
oleg.hoefling at gmail.com
Wed Oct 30 09:06:11 EDT 2024
I hope I won't be fired for publishing the certificates out in the wild :-)
so I'll try to black out the unrelated parts. BIO print:
```
openssl x509 -in certfile -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: XXX (0xXXX)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=DE, O=Orga, OU=OrgaUnit, CN=Authority
Validity
Not Before: Oct 16 10:31:30 2024 GMT
Not After : Jul 22 10:22:29 2026 GMT
Subject: C=DE, serialNumber=99.99999999999 + GN=spam + SN=eggs +
CN=bacon
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
XXX
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Client Authentication, E-mail Protection
X509v3 Authority Key Identifier:
XXX
Professional Information or basis for Admission:
admissionAuthority:
DirName:C = DE, O = Authority
Entry 1:
Profession Info Entry 1:
registrationNumber: 9-99.9.9999999999.99.999
Info Entries:
Apotheker/-in
Profession OIDs:
undefined (1.2.276.0.76.4.32)
Authority Information Access:
OCSP - URI:http://example.com
X509v3 Certificate Policies:
Policy: 1.2.276.0.76.4.145
CPS:
https://www.abda.de/themen/positionen-und-initiativen/telematik/hba/
Policy: 1.2.276.0.76.4.75
X509v3 CRL Distribution Points:
Full Name:
URI:ldap://
example.com/CN=XXX,O=XXX,C=DE?certificaterevocationlist
X509v3 Subject Key Identifier:
XXX
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Subject Alternative Name:
email:spam at eggs.com
X509v3 Basic Constraints: critical
CA:FALSE
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
XXX
```
The OIDs in the 1.2.276.0.76.4 range are available in public in the spec
https://gemspec.gematik.de/downloads/gemSpec/gemSpec_OID/gemSpec_OID_V3.17.0.pdf
ASN.1 dump:
```
0:d=0 hl=4 l=1614 cons: SEQUENCE
4:d=1 hl=4 l=1334 cons: SEQUENCE
8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :02
13:d=2 hl=2 l= 3 prim: INTEGER :XXX
18:d=2 hl=2 l= 13 cons: SEQUENCE
20:d=3 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
31:d=3 hl=2 l= 0 prim: NULL
33:d=2 hl=3 l= 140 cons: SEQUENCE
36:d=3 hl=2 l= 11 cons: SET
38:d=4 hl=2 l= 9 cons: SEQUENCE
40:d=5 hl=2 l= 3 prim: OBJECT :countryName
45:d=5 hl=2 l= 2 prim: PRINTABLESTRING :DE
49:d=3 hl=2 l= 31 cons: SET
51:d=4 hl=2 l= 29 cons: SEQUENCE
53:d=5 hl=2 l= 3 prim: OBJECT :organizationName
58:d=5 hl=2 l= 22 prim: UTF8STRING :Orga
82:d=3 hl=2 l= 56 cons: SET
84:d=4 hl=2 l= 54 cons: SEQUENCE
86:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName
91:d=5 hl=2 l= 47 prim: UTF8STRING :OrgaUnit
140:d=3 hl=2 l= 34 cons: SET
142:d=4 hl=2 l= 32 cons: SEQUENCE
144:d=5 hl=2 l= 3 prim: OBJECT :commonName
149:d=5 hl=2 l= 25 prim: UTF8STRING :Authority
176:d=2 hl=2 l= 30 cons: SEQUENCE
178:d=3 hl=2 l= 13 prim: UTCTIME :241016103130Z
193:d=3 hl=2 l= 13 prim: UTCTIME :260722102229Z
208:d=2 hl=3 l= 211 cons: SEQUENCE
211:d=3 hl=2 l= 11 cons: SET
213:d=4 hl=2 l= 9 cons: SEQUENCE
215:d=5 hl=2 l= 3 prim: OBJECT :countryName
220:d=5 hl=2 l= 2 prim: PRINTABLESTRING :DE
224:d=3 hl=3 l= 195 cons: SET
227:d=4 hl=2 l= 30 cons: SEQUENCE
229:d=5 hl=2 l= 3 prim: OBJECT :serialNumber
234:d=5 hl=2 l= 23 prim: PRINTABLESTRING :99.99999999999
259:d=4 hl=2 l= 30 cons: SEQUENCE
261:d=5 hl=2 l= 3 prim: OBJECT :givenName
266:d=5 hl=2 l= 23 prim: UTF8STRING :spam
291:d=4 hl=2 l= 48 cons: SEQUENCE
293:d=5 hl=2 l= 3 prim: OBJECT :surname
298:d=5 hl=2 l= 41 prim: UTF8STRING :eggs
341:d=4 hl=2 l= 79 cons: SEQUENCE
343:d=5 hl=2 l= 3 prim: OBJECT :commonName
348:d=5 hl=2 l= 72 prim: UTF8STRING :bacon
422:d=2 hl=4 l= 290 cons: SEQUENCE
426:d=3 hl=2 l= 13 cons: SEQUENCE
428:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
439:d=4 hl=2 l= 0 prim: NULL
441:d=3 hl=4 l= 271 prim: BIT STRING
716:d=2 hl=4 l= 622 cons: cont [ 3 ]
720:d=3 hl=4 l= 618 cons: SEQUENCE
724:d=4 hl=2 l= 29 cons: SEQUENCE
726:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key
Usage
731:d=5 hl=2 l= 22 prim: OCTET STRING [HEX
DUMP]:301406082B0601050507030206082B06010505070304
755:d=4 hl=2 l= 31 cons: SEQUENCE
757:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key
Identifier
762:d=5 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:XXX
788:d=4 hl=2 l= 126 cons: SEQUENCE
790:d=5 hl=2 l= 5 prim: OBJECT :Professional
Information or basis for Admission
797:d=5 hl=2 l= 117 prim: OCTET STRING [HEX
DUMP]:3073A4333031310B300906035504061302444531223020060355040A0C1941706F7468656B65726B616D6D6572204E6F7264726865696E303C303A30383036300F0C0D41706F7468656B65722F2D696E300906072A8214004C04201318332D31302E332E323135343131313038332E31302E323234
916:d=4 hl=2 l= 59 cons: SEQUENCE
918:d=5 hl=2 l= 8 prim: OBJECT :Authority Information
Access
928:d=5 hl=2 l= 47 prim: OCTET STRING [HEX DUMP]:XXX
977:d=4 hl=2 l= 116 cons: SEQUENCE
979:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Certificate
Policies
984:d=5 hl=2 l= 109 prim: OCTET STRING [HEX
DUMP]:306B305E06082A8214004C0481113052305006082B06010505070201164468747470733A2F2F7777772E616264612E64652F7468656D656E2F706F736974696F6E656E2D756E642D696E69746961746976656E2F74656C656D6174696B2F6862612F300906072A8214004C044B
1095:d=4 hl=3 l= 137 cons: SEQUENCE
1098:d=5 hl=2 l= 3 prim: OBJECT :X509v3 CRL
Distribution Points
1103:d=5 hl=3 l= 129 prim: OCTET STRING [HEX DUMP]:XXX
1235:d=4 hl=2 l= 29 cons: SEQUENCE
1237:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key
Identifier
1242:d=5 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:XXX
1266:d=4 hl=2 l= 14 cons: SEQUENCE
1268:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
1273:d=5 hl=2 l= 1 prim: BOOLEAN :255
1276:d=5 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0
1282:d=4 hl=2 l= 44 cons: SEQUENCE
1284:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject
Alternative Name
1289:d=5 hl=2 l= 37 prim: OCTET STRING [HEX DUMP]:XXX
1328:d=4 hl=2 l= 12 cons: SEQUENCE
1330:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Basic
Constraints
1335:d=5 hl=2 l= 1 prim: BOOLEAN :255
1338:d=5 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:3000
1342:d=1 hl=2 l= 13 cons: SEQUENCE
1344:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
1355:d=2 hl=2 l= 0 prim: NULL
1357:d=1 hl=4 l= 257 prim: BIT STRING
```
Am Mi., 30. Okt. 2024 um 04:06 Uhr schrieb Robert Moskowitz <
rgm at htt-consult.com>:
> Can you do a print out of such a cert with say:
>
> openssl x509 -in whatever.pem -text -noout
>
> ?
>
> And perhaps an ASN.1 dump:
>
>
> openssl asn1parse -i -in whatever.pem
>
> I am curious as to what this extension looks like. It is not in rfc5280
> and wonder if it was ever published in an rfc (which is the common
> practice when pushing a new extension for common use).
>
> BTW, I worked in the IETF PKIX workgroup back in the day...
>
> On 10/29/24 22:28, Paul Kehrer via Cryptography-dev wrote:
> > Is there a published spec that defines the ASN.1 syntax for these
> > extensions (maybe from BSI)? We generally like to have a specification
> > that we can use as a source of truth. For x509 I don’t have any
> > objection to adding this assuming a spec exists.
> >
> > -Paul
> >
> >> On Oct 29, 2024, at 6:54 PM, Oleg Höfling via Cryptography-dev
> >> <cryptography-dev at python.org> wrote:
> >>
> >>
> >> Dear devs,
> >>
> >> there is an X509 extension named `Admissions`, supported e.g. by
> >> OpenSSL (https://docs.openssl.org/master/man3/ADMISSIONS/) and
> >> BouncyCastle
> >> (
> https://people.eecs.berkeley.edu/~jonah/bc/index.html?org/bouncycastle/asn1/isismtt/x509/AdmissionSyntax.html).
>
> >> Would you be interested in `cryptography` supporting it as well? This
> >> is an extension that is used in german public healthcare and legal
> >> sectors, and I am working for one of them :-) I really enjoy working
> >> with `cryptography` for reading out and persisting X509 certificates,
> >> but dealing with the `Admissions` extension requires me adding extra
> >> dependencies and writing extra code using other libraries I do not
> >> enjoy this much.
> >>
> >> If you agree that it could be a viable addition to the project, I
> >> would gladly contribute the necessary bits myself. I made a
> >> proof-of-concept implementation for the Admissions extension in my
> >> fork of `cryptography` to have something to discuss:
> >>
> >>
> https://github.com/pyca/cryptography/compare/main...hoefling:cryptography:admission-extension?expand=1
> >>
> >> Example script that creates a certificate with an admission extension
> >> that has some dummy values:
> >> https://gist.github.com/hoefling/fa290eb33b24a2e5405cf9cdeeda03bc
> >>
> >> Of course, this is far from the state where it can be reviewed,
> >> should be split into smaller patches, is missing tests and docs etc etc.
> >>
> >> If you reject the idea, I would try and put the code in a separate
> >> library that depends on `cryptography` and connect them together
> >> somehow. I would be grateful for any advices on that matter - maybe
> >> you already had a case with a third party extension for
> >> `cryptography` being built.
> >>
> >> Last but not least - I really enjoyed hacking the working prototype
> >> together and fiddling with the Rust backend, kudos for having such a
> >> clear and concise API design!
> >>
> >> Kind regards,
> >>
> >> Oleg
> >> _______________________________________________
> >> Cryptography-dev mailing list
> >> Cryptography-dev at python.org
> >> https://mail.python.org/mailman/listinfo/cryptography-dev
> >
> > _______________________________________________
> > Cryptography-dev mailing list
> > Cryptography-dev at python.org
> > https://mail.python.org/mailman/listinfo/cryptography-dev
>
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.python.org/pipermail/cryptography-dev/attachments/20241030/afc382e6/attachment-0001.html>
More information about the Cryptography-dev
mailing list