z/OS Cryptographic Services PKI Services Guide and Reference


Forming the CustomExt value for CertPlist for the R_PKIServ callable service

SA23-2286-00

The INSERT or JSP code that you write for a custom extension has to be able to call the R_PKIServ callable service with a properly formed CustomExt value for the CertPlist parameter list. The CustomExt CertPlist entry is a comma-separated 4-part string with a maximum length of 1024 bytes:
  1. The first part is the OID of the extension.
  2. The second part is the critical flag:
    • C or c indicates critical
    • N or n indicates non-critical
  3. The third part is the encode type:
    • INT indicates integer
    • IA5 indicates IA5 string
    • PRT indicates printable string
    • BMP indicates BMP string
    • OCT indicates octet string
    • UTF indicates UTF string
  4. The fourth part is the value.
For example, given the following ASN.1 notation for an X.509 extension:
Extension ::= SEQUENCE {
    extnID      OBJECT IDENTIFIER,
    critical    BOOLEAN DEFAULT FALSE,
    extnValue   OCTET STRING
}
and the following definition of an ASN.1 custom extension:
SEQUENCE {                    
. OBJECT IDENTIFIER '1 2 3 4' 
. OCTET STRING, encapsulates {
. . INTEGER 240               
. . }                         
. } 
the CustomExt value to produce this would be:
1.2.3.4,N,INT,F0
Rules: The OID value must follow these rules:
  • Its length must not exceed 64 characters.
  • It must be comprised of decimal digits and the dot (period) character.
  • It cannot start or end with a dot (period) character and cannot contain adjacent dots.
  • It must contain a minimum of 3 dot-separated segments (for example, 1.2.3).
  • The value of the first segment must be 0, 1, or 2. If the first segment is 0 or 1, the second segment must not be greater than 39.
  • The largest integer value for all segments after the second segment is the largest 31-bit integer value: 2 147 483 647.
Rules: The critical flag must follow these rules:
  • Only mark an extension critical if all applications that will use the certificate know and understand the extension. Applications that do not know and understand an extension that is marked critical are required to deny the use of the certificate.
  • Do not mark an extension critical if PKI Services creates the public and private keys for the certificate.
Rules: The encoding types and values must follow these rules:
  • The INT encoding type indicates that the extension value encapsulated in the extension value's octet string is a primitive integer type.
  • Because the INTEGER type in the ASN.1 specification is not limited to fit in a 4-byte construct, the value specified for INT is a hexadecimal string rather than decimal. If the specified hexadecimal string for an INTEGER type contains an odd number of characters, the high-order bit of the first character is propagated in the encoded value. For example, if the CustomExt value is 1.2.3.4,N,INT,800, because there are only 3 characters in 800 and the high-order bit of the first character is on, the encoded value is F800 in hexadecimal, or -2048 decimal.
  • The PRT encoding type indicates that the extension value encapsulated in the extension value's octet string is a primitive printableString type. The characters specified in the CustomExt value must conform to the PrintableString character set, which is a subset of the 7-bit ASCII or IA5 character set.
  • The IA5 encoding type indicates that the extension value encapsulated in the extension value's octet string is a primitive IA5String type. The characters specified in the CustomExt value must conform to the IA5String character set. Control characters that are part of the IA5 character set are not allowed.
  • The UTF encoding type indicates that the extension value encapsulated in the extension value's octet string is a primitive UTF8String type. The characters specified in the CustomExt value must conform to the Basic Latin and Latin-1 characters with the exception of control characters. To encode a UTF8String extension value with characters that fall outside the range supported, you must use the OCT encoding type.
  • The BMP encoding type indicates that the extension value encapsulated in the extension value's octet string is a primitive BMPString type. The characters specified in the CustomExt value must conform to the Basic Latin and Latin-1 characters with the exception of control characters. To encode a BMPString extension value with characters that fall outside the range supported, you must use the OCT encoding type.
  • The OCT encoding type indicates that the extension value specified in the CustomExt value is the extension's octet string value. You must specify an even number of printable hexadecimal characters, and the OctetString value should not include the tag and length bytes for the OctetString.
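As an added example (not IBM's code and not part of R_PKIServ), the following Python applies the OID, critical-flag, encode-type and hex-value rules above to a CustomExt string before it is passed to the callable service, and shows the INT sign-propagation case for an odd number of hexadecimal characters. The function names are hypothetical.

```python
import re

# Constructed example, not IBM's code: applies the CustomExt rules from this
# page before the string is handed to R_PKIServ.
ENCODE_TYPES = {"INT", "IA5", "PRT", "BMP", "OCT", "UTF"}
MAX_SEGMENT = 2_147_483_647  # largest 31-bit value, segments 3 onward
HEX = re.compile(r"[0-9A-Fa-f]+")


def validate_oid(oid: str) -> bool:
    """Return True only if every OID rule listed above holds."""
    if len(oid) > 64 or not re.fullmatch(r"[0-9.]+", oid):
        return False
    if oid.startswith(".") or oid.endswith(".") or ".." in oid:
        return False
    parts = [int(p) for p in oid.split(".")]
    if len(parts) < 3 or parts[0] not in (0, 1, 2):
        return False
    if parts[0] in (0, 1) and parts[1] > 39:
        return False
    return all(p <= MAX_SEGMENT for p in parts[2:])


def int_value_as_encoded(hex_value: str) -> str:
    """Hex digits as PKI Services encodes an INT value: with an odd number of
    characters the high-order bit of the first character is propagated."""
    if not HEX.fullmatch(hex_value):
        raise ValueError("INT value must be hexadecimal")
    hex_value = hex_value.upper()
    if len(hex_value) % 2 == 1:
        hex_value = ("F" if int(hex_value[0], 16) & 0x8 else "0") + hex_value
    return hex_value


def form_custom_ext(oid: str, critical: str, enc: str, value: str) -> str:
    """Build the 4-part CustomExt string, rejecting input the rules forbid."""
    if not validate_oid(oid):
        raise ValueError(f"invalid OID: {oid}")
    if critical.upper() not in ("C", "N"):
        raise ValueError("critical flag must be C/c or N/n")
    if enc not in ENCODE_TYPES:
        raise ValueError(f"unknown encode type: {enc}")
    if enc in ("INT", "OCT") and not HEX.fullmatch(value):
        raise ValueError(f"{enc} value must be hexadecimal")
    if enc == "OCT" and len(value) % 2:
        raise ValueError("OCT value needs an even number of hex characters")
    result = f"{oid},{critical},{enc},{value}"
    if len(result.encode("utf-8")) > 1024:
        raise ValueError("CustomExt exceeds the 1024-byte maximum")
    return result
```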
Example: You want to build a custom extension whose extnID is 1.2.3.4, is not marked critical, and has an extnValue composed of a SEQUENCE containing an INTEGER value of 1024 (decimal) followed by a UTF-8 string with the value "AB£¬¥YZ". The ASN.1 definition is:
SEQUENCE { 
. OBJECT IDENTIFIER '1 2 3 4' 
. OCTET STRING, encapsulates {
. . SEQUENCE { 
. . . INTEGER 1024 
. . . UTF8String 'AB£¬¥YZ' 
. . . } 
. . } 
. }
Use the following value for CustomExt:
CustomExt=1.2.3.4,N,OCT,3010020204000C0A4142C2A3C2ACC2A5595A
For the OCT value:
3010 = SEQUENCE(0x30) of length 0x10
02020400 = INTEGER(0x02) of length 0x02, value 0x0400 = 1024 decimal
0C0A4142C2A3C2ACC2A5595A = UTF8String(0x0C) of length 0x0A, 
    value = 41(A) 42(B) C2A3(£) C2AC(¬) C2A5(¥) 59(Y) 5A(Z)
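As an added example (not IBM's code), the following Python DER-encodes SEQUENCE { INTEGER, UTF8String } by hand to produce the OCT value used above, so the hexadecimal string can be checked byte by byte against the breakdown on this page; it also shows the leading 0x00 DER puts in front of a positive INTEGER whose top bit is set, such as 240. The function names are hypothetical.

```python
# Constructed example, not IBM's code: a minimal DER encoder for the
# SEQUENCE { INTEGER, UTF8String } custom extension shown on this page.


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(value: int) -> bytes:
    """INTEGER with minimal two's-complement content octets, as DER requires."""
    nbytes = max(1, (value.bit_length() + 8) // 8)  # +8 leaves room for a sign bit
    content = value.to_bytes(nbytes, "big", signed=True)
    # drop a redundant leading 0x00 or 0xFF while the sign is still preserved
    while len(content) > 1 and (
        (content[0] == 0x00 and content[1] < 0x80)
        or (content[0] == 0xFF and content[1] >= 0x80)
    ):
        content = content[1:]
    return der_tlv(0x02, content)


def der_utf8string(text: str) -> bytes:
    return der_tlv(0x0C, text.encode("utf-8"))


def der_sequence(*elements: bytes) -> bytes:
    return der_tlv(0x30, b"".join(elements))


def custom_ext_oct_value(number: int, text: str) -> str:
    """Hex for the fourth part of a CustomExt with encode type OCT: the
    extnValue contents without the outer OCTET STRING tag and length."""
    return der_sequence(der_integer(number), der_utf8string(text)).hex().upper()


def custom_ext(oid: str, critical: str, number: int, text: str) -> str:
    return f"{oid},{critical},OCT,{custom_ext_oct_value(number, text)}"
```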

Copyright IBM Corporation 1990, 2014