Re: Including custom X.509 extension upon proxy renewal
Jim Basney wrote:
> Yes: globus_gsi_proxy_handle_get_req() and
> globus_gsi_proxy_handle_set_req().
Yup, I found that too. I'm currently trying to get the request just before
signing but the result is not quite what I am looking for...? The code is as
follows (very simple, 3 lines of context above and beyond my code):
[...]
        verror_put_string("Failed dumping proxy certificate to buffer (BIO_write() failed)");
        ssl_error_to_verror();
        goto error;
    }
    /* debug: dump the pending request before it is signed */
    X509_REQ *req = NULL;
    local_result = globus_gsi_proxy_handle_get_req(proxy_handle, &req);
    if (local_result == GLOBUS_SUCCESS) {
        FILE *fp = fopen("/tmp/req", "w");
        if (fp != NULL) {
            PEM_write_X509_REQ(fp, req);
            fclose(fp);
        }
    }
    /* sign request and write out proxy certificate to bio */
    local_result = globus_gsi_proxy_sign_req(proxy_handle, cred_handle, bio);
    if (local_result != GLOBUS_SUCCESS) {
[...]
The resulting request looks a bit, uhm, weird...:
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=NULL SUBJECT NAME ENTRY
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:ee:48:97:36:c6:57:d0:10:e1:9b:bd:f5:0f:29:
                    40:93:58:17:3f:ad:a9:00:e8:f9:07:d2:9e:5c:f9:
                    41:6b:d6:fc:58:2d:d6:f7:d1:93:8c:4a:f1:81:d3:
                    a4:ef:1e:2d:a0:08:89:c3:73:da:24:00:1c:9b:76:
                    d0:30:e1:43:9f:a4:e3:d5:5d:b0:e9:ec:cf:64:f0:
                    95:83:92:f8:bd:09:ea:ae:81:9e:ad:f2:11:09:15:
                    71:90:0a:44:06:50:58:13:1d:4d:7a:20:db:a8:67:
                    21:22:10:19:a5:73:e4:1b:71:91:ee:dd:f3:9d:2b:
                    f3:2c:e4:27:7f:e7:b8:b8:dd
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            1.3.6.1.4.1.3536.1.222: critical
                0.0
..+.......
    Signature Algorithm: md5WithRSAEncryption
        05:1e:6f:ce:fa:42:d5:33:32:f8:8c:05:ae:b2:c2:87:af:1b:
        8a:3b:60:40:d4:f9:d5:7e:9b:dd:47:03:2a:95:a6:0b:c2:ba:
        0a:cb:2c:4f:9f:cd:b8:7a:da:3d:85:c5:29:36:57:26:2f:9d:
        57:6a:61:7d:fd:79:8f:33:e0:84:19:33:1c:38:c5:61:3d:37:
        7b:ed:4d:ac:b6:02:06:d6:6f:87:e0:ac:7f:02:fa:f0:30:08:
        fc:b8:e7:51:4b:f7:a5:e5:6c:60:98:bc:4c:f0:22:7b:8f:04:
        ab:7d:d8:e4:24:68:c4:61:2f:06:e1:17:17:c8:ec:b8:b1:2c:
        ff:29
Looks like the request is not actually filled with parameters yet. What is my
mistake here?
--ck