<div dir="ltr">I hope I won't be fired for publishing the certificates out in the wild :-) so I'll try to black out the unrelated parts. BIO print:<br>```<br>openssl x509 -in certfile -noout -text<br>Certificate:<br> Data:<br> Version: 3 (0x2)<br> Serial Number: XXX (0xXXX)<br> Signature Algorithm: sha256WithRSAEncryption<br> Issuer: C=DE, O=Orga, OU=OrgaUnit, CN=Authority<br> Validity<br> Not Before: Oct 16 10:31:30 2024 GMT<br> Not After : Jul 22 10:22:29 2026 GMT<br> Subject: C=DE, serialNumber=99.99999999999 + GN=spam + SN=eggs + CN=bacon<br> Subject Public Key Info:<br> Public Key Algorithm: rsaEncryption<br> Public-Key: (2048 bit)<br> Modulus:<div> XXX<br> Exponent: 65537 (0x10001)<br> X509v3 extensions:<br> X509v3 Extended Key Usage: <br> TLS Web Client Authentication, E-mail Protection<br> X509v3 Authority Key Identifier: <br> XXX<br> Professional Information or basis for Admission: <br> admissionAuthority:<br> DirName:C = DE, O = Authority<br> Entry 1:<br> Profession Info Entry 1:<br> registrationNumber: 9-99.9.9999999999.99.999<br> Info Entries:<br> Apotheker/-in<br> Profession OIDs:<br> undefined (1.2.276.0.76.4.32)<br><br> Authority Information Access: <br> OCSP - URI:<a href="http://example.com">http://example.com</a><br> X509v3 Certificate Policies: <br> Policy: 1.2.276.0.76.4.145<br> CPS: <a href="https://www.abda.de/themen/positionen-und-initiativen/telematik/hba/">https://www.abda.de/themen/positionen-und-initiativen/telematik/hba/</a><br> Policy: 1.2.276.0.76.4.75<br> X509v3 CRL Distribution Points: <br> Full Name:<br> URI:ldap://<a href="http://example.com/CN=XXX,O=XXX,C=DE?certificaterevocationlist">example.com/CN=XXX,O=XXX,C=DE?certificaterevocationlist</a><br> X509v3 Subject Key Identifier: <br> XXX<br> X509v3 Key Usage: critical<br> Digital Signature, Key Encipherment<br> X509v3 Subject Alternative Name: <br> <a href="mailto:email%3Aspam@eggs.com">email:spam@eggs.com</a><br> X509v3 Basic Constraints: critical<br> CA:FALSE<br> Signature 
Algorithm: sha256WithRSAEncryption<br> Signature Value:<div> XXX<br>```</div><div>The OIDs in the 1.2.276.0.76.4 range are available in public in the spec <a href="https://gemspec.gematik.de/downloads/gemSpec/gemSpec_OID/gemSpec_OID_V3.17.0.pdf">https://gemspec.gematik.de/downloads/gemSpec/gemSpec_OID/gemSpec_OID_V3.17.0.pdf</a></div><div><br></div><div>ASN.1 dump:<br>```<br> 0:d=0 hl=4 l=1614 cons: SEQUENCE <br> 4:d=1 hl=4 l=1334 cons: SEQUENCE <br> 8:d=2 hl=2 l= 3 cons: cont [ 0 ] <br> 10:d=3 hl=2 l= 1 prim: INTEGER :02<br> 13:d=2 hl=2 l= 3 prim: INTEGER :XXX<br> 18:d=2 hl=2 l= 13 cons: SEQUENCE <br> 20:d=3 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption<br> 31:d=3 hl=2 l= 0 prim: NULL <br> 33:d=2 hl=3 l= 140 cons: SEQUENCE <br> 36:d=3 hl=2 l= 11 cons: SET <br> 38:d=4 hl=2 l= 9 cons: SEQUENCE <br> 40:d=5 hl=2 l= 3 prim: OBJECT :countryName<br> 45:d=5 hl=2 l= 2 prim: PRINTABLESTRING :DE<br> 49:d=3 hl=2 l= 31 cons: SET <br> 51:d=4 hl=2 l= 29 cons: SEQUENCE <br> 53:d=5 hl=2 l= 3 prim: OBJECT :organizationName<br> 58:d=5 hl=2 l= 22 prim: UTF8STRING :Orga<br> 82:d=3 hl=2 l= 56 cons: SET <br> 84:d=4 hl=2 l= 54 cons: SEQUENCE <br> 86:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName<br> 91:d=5 hl=2 l= 47 prim: UTF8STRING :OrgaUnit<br> 140:d=3 hl=2 l= 34 cons: SET <br> 142:d=4 hl=2 l= 32 cons: SEQUENCE <br> 144:d=5 hl=2 l= 3 prim: OBJECT :commonName<br> 149:d=5 hl=2 l= 25 prim: UTF8STRING :Authority<br> 176:d=2 hl=2 l= 30 cons: SEQUENCE <br> 178:d=3 hl=2 l= 13 prim: UTCTIME :241016103130Z<br> 193:d=3 hl=2 l= 13 prim: UTCTIME :260722102229Z<br> 208:d=2 hl=3 l= 211 cons: SEQUENCE <br> 211:d=3 hl=2 l= 11 cons: SET <br> 213:d=4 hl=2 l= 9 cons: SEQUENCE <br> 215:d=5 hl=2 l= 3 prim: OBJECT :countryName<br> 220:d=5 hl=2 l= 2 prim: PRINTABLESTRING :DE<br> 224:d=3 hl=3 l= 195 cons: SET <br> 227:d=4 hl=2 l= 30 cons: SEQUENCE <br> 229:d=5 hl=2 l= 3 prim: OBJECT :serialNumber<br> 234:d=5 hl=2 l= 23 prim: PRINTABLESTRING :99.99999999999<br> 259:d=4 hl=2 l= 30 cons: SEQUENCE <br> 
261:d=5 hl=2 l= 3 prim: OBJECT :givenName<br> 266:d=5 hl=2 l= 23 prim: UTF8STRING :spam<br> 291:d=4 hl=2 l= 48 cons: SEQUENCE <br> 293:d=5 hl=2 l= 3 prim: OBJECT :surname<br> 298:d=5 hl=2 l= 41 prim: UTF8STRING :eggs<br> 341:d=4 hl=2 l= 79 cons: SEQUENCE <br> 343:d=5 hl=2 l= 3 prim: OBJECT :commonName<br> 348:d=5 hl=2 l= 72 prim: UTF8STRING :bacon<br> 422:d=2 hl=4 l= 290 cons: SEQUENCE <br> 426:d=3 hl=2 l= 13 cons: SEQUENCE <br> 428:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption<br> 439:d=4 hl=2 l= 0 prim: NULL <br> 441:d=3 hl=4 l= 271 prim: BIT STRING <br> 716:d=2 hl=4 l= 622 cons: cont [ 3 ] <br> 720:d=3 hl=4 l= 618 cons: SEQUENCE <br> 724:d=4 hl=2 l= 29 cons: SEQUENCE <br> 726:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage<br> 731:d=5 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:301406082B0601050507030206082B06010505070304<br> 755:d=4 hl=2 l= 31 cons: SEQUENCE <br> 757:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier<br> 762:d=5 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:XXX<br> 788:d=4 hl=2 l= 126 cons: SEQUENCE <br> 790:d=5 hl=2 l= 5 prim: OBJECT :Professional Information or basis for Admission<br> 797:d=5 hl=2 l= 117 prim: OCTET STRING [HEX DUMP]:3073A4333031310B300906035504061302444531223020060355040A0C1941706F7468656B65726B616D6D6572204E6F7264726865696E303C303A30383036300F0C0D41706F7468656B65722F2D696E300906072A8214004C04201318332D31302E332E323135343131313038332E31302E323234<br> 916:d=4 hl=2 l= 59 cons: SEQUENCE <br> 918:d=5 hl=2 l= 8 prim: OBJECT :Authority Information Access<br> 928:d=5 hl=2 l= 47 prim: OCTET STRING [HEX DUMP]:XXX<br> 977:d=4 hl=2 l= 116 cons: SEQUENCE <br> 979:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Certificate Policies<br> 984:d=5 hl=2 l= 109 prim: OCTET STRING [HEX DUMP]:306B305E06082A8214004C0481113052305006082B06010505070201164468747470733A2F2F7777772E616264612E64652F7468656D656E2F706F736974696F6E656E2D756E642D696E69746961746976656E2F74656C656D6174696B2F6862612F300906072A8214004C044B<br> 1095:d=4 hl=3 l= 137 cons: SEQUENCE <br> 
1098:d=5 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points<br> 1103:d=5 hl=3 l= 129 prim: OCTET STRING [HEX DUMP]:XXX<br> 1235:d=4 hl=2 l= 29 cons: SEQUENCE <br> 1237:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier<br> 1242:d=5 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:XXX<br> 1266:d=4 hl=2 l= 14 cons: SEQUENCE <br> 1268:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage<br> 1273:d=5 hl=2 l= 1 prim: BOOLEAN :255<br> 1276:d=5 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030205A0<br> 1282:d=4 hl=2 l= 44 cons: SEQUENCE <br> 1284:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name<br> 1289:d=5 hl=2 l= 37 prim: OCTET STRING [HEX DUMP]:XXX<br> 1328:d=4 hl=2 l= 12 cons: SEQUENCE <br> 1330:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints<br> 1335:d=5 hl=2 l= 1 prim: BOOLEAN :255<br> 1338:d=5 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:3000<br> 1342:d=1 hl=2 l= 13 cons: SEQUENCE <br> 1344:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption<br> 1355:d=2 hl=2 l= 0 prim: NULL <br> 1357:d=1 hl=4 l= 257 prim: BIT STRING <br>``` </div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Oct 30, 2024 at 04:06 Robert Moskowitz <<a href="mailto:rgm@htt-consult.com">rgm@htt-consult.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Can you do a printout of such a cert with say:<br>
<br>
openssl x509 -in whatever.pem -text -noout<br>
<br>
?<br>
<br>
And perhaps an ASN.1 dump:<br>
<br>
<br>
openssl asn1parse -i -in whatever.pem<br>
<br>
I am curious as to what this extension looks like. It is not in RFC 5280 <br>
and I wonder if it was ever published in an RFC (which is the common <br>
practice when pushing a new extension for common use).<br>
<br>
BTW, I worked in the IETF PKIX workgroup back in the day...<br>
<br>
On 10/29/24 22:28, Paul Kehrer via Cryptography-dev wrote:<br>
> Is there a published spec that defines the ASN.1 syntax for these <br>
> extensions (maybe from BSI)? We generally like to have a specification <br>
> that we can use as a source of truth. For x509 I don’t have any <br>
> objection to adding this assuming a spec exists.<br>
><br>
> -Paul<br>
><br>
>> On Oct 29, 2024, at 6:54 PM, Oleg Höfling via Cryptography-dev <br>
>> <<a href="mailto:cryptography-dev@python.org" target="_blank">cryptography-dev@python.org</a>> wrote:<br>
>><br>
>> <br>
>> Dear devs,<br>
>><br>
>> there is an X509 extension named `Admissions`, supported e.g. by <br>
>> OpenSSL (<a href="https://docs.openssl.org/master/man3/ADMISSIONS/" rel="noreferrer" target="_blank">https://docs.openssl.org/master/man3/ADMISSIONS/</a>) and <br>
>> BouncyCastle <br>
>> (<a href="https://people.eecs.berkeley.edu/~jonah/bc/index.html?org/bouncycastle/asn1/isismtt/x509/AdmissionSyntax.html" rel="noreferrer" target="_blank">https://people.eecs.berkeley.edu/~jonah/bc/index.html?org/bouncycastle/asn1/isismtt/x509/AdmissionSyntax.html</a>). <br>
>> Would you be interested in `cryptography` supporting it as well? This <br>
>> is an extension that is used in the German public healthcare and legal <br>
>> sectors, and I am working for one of them :-) I really enjoy working <br>
>> with `cryptography` for reading out and persisting X509 certificates, <br>
>> but dealing with the `Admissions` extension requires me to add extra <br>
>> dependencies and write extra code using other libraries I do not <br>
>> enjoy that much.<br>
>><br>
>> If you agree that it could be a viable addition to the project, I <br>
>> would gladly contribute the necessary bits myself. I made a <br>
>> proof-of-concept implementation for the Admissions extension in my <br>
>> fork of `cryptography` to have something to discuss:<br>
>><br>
>> <a href="https://github.com/pyca/cryptography/compare/main...hoefling:cryptography:admission-extension?expand=1" rel="noreferrer" target="_blank">https://github.com/pyca/cryptography/compare/main...hoefling:cryptography:admission-extension?expand=1</a><br>
>><br>
>> Example script that creates a certificate with an admission extension <br>
>> that has some dummy values: <br>
>> <a href="https://gist.github.com/hoefling/fa290eb33b24a2e5405cf9cdeeda03bc" rel="noreferrer" target="_blank">https://gist.github.com/hoefling/fa290eb33b24a2e5405cf9cdeeda03bc</a><br>
>><br>
>> Of course, this is far from the state where it can be reviewed, <br>
>> should be split into smaller patches, is missing tests and docs etc etc.<br>
>><br>
>> If you reject the idea, I would try and put the code in a separate <br>
>> library that depends on `cryptography` and connect them together <br>
>> somehow. I would be grateful for any advice on that matter - maybe <br>
>> you already had a case with a third party extension for <br>
>> `cryptography` being built.<br>
>><br>
>> Last but not least - I really enjoyed hacking the working prototype <br>
>> together and fiddling with the Rust backend, kudos for having such a <br>
>> clear and concise API design!<br>
>><br>
>> Kind regards,<br>
>><br>
>> Oleg<br>
>> _______________________________________________<br>
>> Cryptography-dev mailing list<br>
>> <a href="mailto:Cryptography-dev@python.org" target="_blank">Cryptography-dev@python.org</a><br>
>> <a href="https://mail.python.org/mailman/listinfo/cryptography-dev" rel="noreferrer" target="_blank">https://mail.python.org/mailman/listinfo/cryptography-dev</a><br>
><br>
<br>
</blockquote></div>
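The asn1parse dump shows the Admissions extension only as a hex blob; as an added example (not code from the thread or from pyca/cryptography), the following pure-Python DER walker decodes an AdmissionSyntax value into the fields that the `-text` print shows. It assumes the ISIS-MTT / Common PKI layout summarised in the leading comment, decodes only the fields present in this certificate, and runs on a constructed sample built from the dummy values of the print rather than the real bytes from the dump.

```python
# Added example, not code from the thread or from pyca/cryptography. Assumed AdmissionSyntax
# layout (ISIS-MTT / Common PKI): SEQ { [4] Name OPT, SEQ OF Admissions { SEQ OF ProfessionInfo
#   { SEQ OF DirectoryString, SEQ OF OID OPT, PrintableString registrationNumber OPT } } }.

def read_tlv(buf, pos=0):                    # -> (tag, value, next_pos); handles long-form length
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):                           # (tag, value) pairs inside a constructed value
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def decode_oid(val):                         # base-128 arcs; a set high bit continues the arc
    arcs, acc = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80: arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def decode_name(val):                        # X.501 Name -> "C=DE, O=..."; unknown types stay dotted
    short = {"2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.3": "CN"}
    return ", ".join(short.get(decode_oid(oid), decode_oid(oid)) + "=" + text.decode()
                     for _, rdn in children(val) for _, atv in children(rdn)
                     for (_, oid), (_, text) in [children(atv)])

def parse_admission_syntax(der):             # decode the extension's OCTET STRING contents
    elems, out = children(read_tlv(der)[1]), {"authority": None, "professionInfos": []}
    if elems[0][0] != 0x30:                  # optional GeneralName comes first
        if elems[0][0] == 0xA4:              # only [4] directoryName is decoded here
            out["authority"] = decode_name(children(elems[0][1])[0][1])
        elems = elems[1:]
    for _, adm in children(elems[0][1]):     # SEQUENCE OF Admissions; its [0]/[1] fields are skipped
        for _, pi in children(next(v for t, v in children(adm) if t == 0x30)):
            seqs = [children(v) for t, v in children(pi) if t == 0x30]   # DER order: items, OIDs
            out["professionInfos"].append({
                "items": [s.decode() for _, s in seqs[0]],
                "oids": [decode_oid(o) for _, o in seqs[1]] if len(seqs) > 1 else [],
                "registrationNumber": next((v.decode() for t, v in children(pi) if t == 0x13), None)})
    return out
# Constructed sample DER with the dummy values of the blacked-out print (not the dump's real bytes)
SAMPLE_DER = bytes.fromhex(
    "3063 a423 3021 310b 3009 0603550406 13024445 3112 3010 060355040a 0c09 417574686f72697479"
    "303c 303a 3038 3036 300f 0c0d 41706f7468656b65722f2d696e 3009 0607 2a8214004c0420"
    "1318 392d39392e392e 39393939393939393939 2e39392e393939")
```

On a real certificate loaded with `cryptography`, the input is the raw bytes that `cert.extensions.get_extension_for_oid(ObjectIdentifier("1.3.36.8.3.3")).value.value` returns for the unrecognized extension.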