The INSERT or JSP code that you write for a custom extension has to be able to call the R_PKIServ callable service with a properly formed CustomExt value in the CertPlist parameter list. The CustomExt CertPlist entry is a comma-separated 4-part string with a maximum length of 1024 bytes:
- The first part is the OID of the extension.
- The second part is the critical flag:
  - C or c indicates critical
  - N or n indicates non-critical
- The third part is the encode type:
  - INT indicates integer
  - IA5 indicates IA5 string
  - PRT indicates printable string
  - BMP indicates BMP string
  - OCT indicates octet string
  - UTF indicates UTF string
- The fourth part is the value.
For example, given the following ASN.1 notation for an X.509 extension:
    Extension ::= SEQUENCE {
        extnID     OBJECT IDENTIFIER,
        critical   BOOLEAN DEFAULT FALSE,
        extnValue  OCTET STRING
    }
and the following definition of an ASN.1 custom extension:
    SEQUENCE {
    . OBJECT IDENTIFIER '1 2 3 4'
    . OCTET STRING, encapsulates {
    . . INTEGER 240
    . . }
    . }
the CustomExt value to produce this extension would be:
    1.2.3.4,N,INT,F0
Rules: The OID value must follow these rules:
- Its length must not exceed 64 characters.
- It must consist of decimal digits and the dot (period) character only.
- It cannot start or end with a dot (period) character and cannot
contain adjacent dots.
- It must contain a minimum of 3 dot-separated segments (for example,
1.2.3).
- The value of the first segment must be 0, 1, or 2. If the first
segment is 0 or 1, the second segment must not be greater than 39.
- The largest integer value for all segments after the second segment
is the largest 31-bit integer value: 2 147 483 647.
Rules: The critical flag must follow these rules:
- Only mark an extension critical if all applications that will
use the certificate know and understand the extension. Applications
that do not know and understand an extension that is marked critical
are required to deny the use of the certificate.
- Do not mark an extension critical if PKI Services creates the
public and private keys for the certificate.
Rules: The encoding types and values must follow these rules:
- The INT encoding type indicates that the extension value encapsulated
in the extension value's octet string is a primitive INTEGER type.
- Because the INTEGER type in the ASN.1 specification is not limited
to fit in a 4-byte construct, the value specified for INT is a hexadecimal
string rather than a decimal one. If the specified hexadecimal string for
an INTEGER type contains an odd number of characters, the high-order
bit of the first character is propagated into the padding nibble of the
encoded value. For example, if the CustomExt value is 1.2.3.4,N,INT,800,
then because 800 has only 3 characters and the high-order bit of
the first character (8 = binary 1000) is on, the encoded value is F800 in
hexadecimal, or -2048 in decimal.
- The PRT encoding type indicates that the extension value encapsulated
in the extension value's octet string is a primitive printableString type.
The characters specified in the CustomExt value must
conform to the PrintableString character set, which
is a subset of the 7-bit ASCII or IA5 character set.
- The IA5 encoding type indicates that the extension value encapsulated
in the extension value's octet string is a primitive IA5String type.
The characters specified in the CustomExt value must
conform to the IA5String character set. Control characters, although they
are part of the IA5 character set, are not allowed.
- The UTF encoding type indicates that the extension value encapsulated
in the extension value's octet string is a primitive UTF8String type.
The characters specified in the CustomExt value must
conform to the Basic Latin and Latin-1 characters with the exception
of control characters. To encode a UTF8String extension
value with characters that fall outside the range supported, you must
use the OCT encoding type.
- The BMP encoding type indicates that the extension value encapsulated
in the extension value's octet string is a primitive BMPString type.
The characters specified in the CustomExt value must
conform to the Basic Latin and Latin-1 characters with the exception
of control characters. To encode a BMPString extension
value with characters that fall outside the range supported, you must
use the OCT encoding type.
- The OCT encoding type indicates that the extension value specified
in the CustomExt value is the extension's octet string
value. You must specify an even number of printable hexadecimal characters,
and the OctetString value should not include the
tag and length bytes for the OctetString.
Example: You want to build a custom extension whose extnID is 1.2.3.4, is not marked critical, and has an extnValue composed of a SEQUENCE containing an INTEGER value of 1024 (decimal) followed by a UTF-8 string with the value "AB£¬¥YZ". The ASN.1 definition is:
    SEQUENCE {
    . OBJECT IDENTIFIER '1 2 3 4'
    . OCTET STRING, encapsulates {
    . . SEQUENCE {
    . . . INTEGER 1024
    . . . UTF8String 'AB£¬¥YZ'
    . . . }
    . . }
    . }
Use the following value for CustomExt:
    CustomExt=1.2.3.4,N,OCT,3010020204000C0A4142C2A3C2ACC2A5595A
For the OCT value:
    3010 = SEQUENCE (0x30) of length 0x10
    02020400 = INTEGER (0x02) of length 0x02, value 0x0400 = 1024 decimal
    0C0A4142C2A3C2ACC2A5595A = UTF8String (0x0C) of length 0x0A,
        value = 41(A) 42(B) C2A3(£) C2AC(¬) C2A5(¥) 59(Y) 5A(Z)
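The following is an added example, not code from PKI Services or the R_PKIServ documentation: a small Python helper that checks the OID, flag, type and length rules above, assembles the 4-part CustomExt string, applies the odd-length INT padding rule (800 becomes F800), and DER-encodes the SEQUENCE { INTEGER 1024, UTF8String 'AB£¬¥YZ' } of the OCT example so that the hex value can be generated rather than hand-typed. Function names and the short-form-only DER encoder are assumptions of this example.

```python
import re

ENCODE_TYPES = {"INT", "IA5", "PRT", "BMP", "OCT", "UTF"}

def validate_oid(oid):
    # OID rules from the text: at most 64 chars, at least 3 decimal segments,
    # no leading/trailing/adjacent dots, first arc 0..2, second arc <= 39
    # when the first is 0 or 1, later arcs at most 2^31 - 1.
    if len(oid) > 64 or not re.fullmatch(r"\d+(\.\d+){2,}", oid):
        raise ValueError(f"malformed OID: {oid!r}")
    arcs = [int(a) for a in oid.split(".")]
    if arcs[0] not in (0, 1, 2) or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid leading arcs in OID: {oid!r}")
    if any(a > 2_147_483_647 for a in arcs[2:]):
        raise ValueError(f"arc exceeds 31-bit maximum in OID: {oid!r}")

def custom_ext(oid, critical, enc, value):
    """Assemble the 4-part CustomExt string: oid,flag,type,value."""
    validate_oid(oid)
    enc = enc.upper()
    if enc not in ENCODE_TYPES:
        raise ValueError(f"unknown encode type {enc!r}")
    if enc == "OCT" and (len(value) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", value)):
        raise ValueError("OCT value must be an even number of hex characters")
    ext = f"{oid},{'C' if critical else 'N'},{enc},{value}"
    if len(ext) > 1024:
        raise ValueError("CustomExt exceeds 1024 bytes")
    return ext

def der(tag, content):
    """Minimal DER tag-length-value; short-form lengths (< 128) only."""
    if len(content) >= 128:
        raise ValueError("long-form lengths are not handled in this example")
    return bytes([tag, len(content)]) + content

def example_oct_value():
    """SEQUENCE { INTEGER 1024, UTF8String 'AB£¬¥YZ' } as upper-case hex,
    without the outer OCTET STRING tag and length, which PKI Services adds."""
    inner = der(0x02, (1024).to_bytes(2, "big")) + der(0x0C, "AB£¬¥YZ".encode("utf-8"))
    return der(0x30, inner).hex().upper()

def int_encoded_hex(hexstr):
    """INT rule: an odd-length hex string gets a leading nibble that propagates
    the high-order bit of its first character ("800" -> "F800", "7FF" -> "07FF")."""
    if len(hexstr) % 2:
        hexstr = ("F" if int(hexstr[0], 16) & 0x8 else "0") + hexstr
    return hexstr.upper()
```

Running `custom_ext("1.2.3.4", False, "OCT", example_oct_value())` reproduces the CustomExt value of the example exactly, and the OID checks reject strings such as 1.40.3 or a leading dot before the service ever sees them.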