PKCS10/pkix1explict: adding PKCS#9 OIDs

Attribute types for use in PKCS #10 certificate requests as specified
in PKCS#9 / RFC 2985

A CSR including one of the PKCS#9 OIDs, SubjectAltNames within an
pkcs-9-at-extensionRequest, can be generated with the following OpenSSL command
line on most Linux systems:

openssl req -new -sha256 -nodes -keyout domain.key \
            -subj "/C=US/ST=CA/O=Acme, Inc./CN=example.com" \
            -reqexts SAN -config \
            <(cat /etc/ssl/openssl.cnf \
            <(printf "\n[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com")) \
            -out attr_with_san.csr

Change-Id: I5ae4bd782003c65286bbebf41b96d142e4e99a60
Reviewed-on: https://code.wireshark.org/review/30600
Reviewed-by: Anders Broman <a.broman58@gmail.com>

epan/dissectors/asn1/pkcs10/packet-pkcs10-template.c

@@ -77,7 +77,7 @@ void proto_register_pkcs10(void) {
 void proto_reg_handoff_pkcs10(void) {
   dissector_handle_t csr_handle;
 
-/* #include "packet-pkcs10-dis-tab.c" */
+#include "packet-pkcs10-dis-tab.c"
 
   csr_handle = create_dissector_handle(dissect_CertificationRequest_PDU, proto_pkcs10);
   dissector_add_string("media_type", "application/pkcs10", csr_handle); /* RFC 5967 */

epan/dissectors/asn1/pkcs10/pkcs10.cnf

@@ -9,6 +9,10 @@ PKIX1Explicit88	pkix1explicit
 #.EXPORTS
 CertificationRequest
 
+#.REGISTER
+# From PKCS 9 / RFC 2985
+Attributes B "1.2.840.113549.1.9.9"  "pkcs-9-at-extendedCertificateAttributes"
+
 #.PDU
 CertificationRequest
 

epan/dissectors/asn1/pkix1explicit/pkix1explicit.cnf

@@ -25,6 +25,9 @@ IPAddrBlocks		B "1.3.6.1.5.5.7.1.7" "id-pe-ipAddrBlocks"
 ASIdentifiers		B "1.3.6.1.5.5.7.1.8" "id-pe-autonomousSysIds"
 # X.509v3 TLS Feature extension (RFC 7633)
 Features            B "1.3.6.1.5.5.7.1.24" "id-pe-tlsfeature"
+# From PKCS 9 / RFC 2985
+DirectoryString B "1.2.840.113549.1.9.7"  "pkcs-9-at-challengePassword"
+Extensions      B "1.2.840.113549.1.9.14" "pkcs-9-at-extensionRequest"
 
 #.PDU
 

epan/dissectors/packet-pkcs10.c

@@ -53,6 +53,7 @@ static int proto_pkcs10 = -1;
 
 /*--- Included file: packet-pkcs10-hf.c ---*/
 #line 1 "./asn1/pkcs10/packet-pkcs10-hf.c"
+static int hf_pkcs10_Attributes_PDU = -1;         /* Attributes */
 static int hf_pkcs10_CertificationRequest_PDU = -1;  /* CertificationRequest */
 static int hf_pkcs10_version = -1;                /* T_version */
 static int hf_pkcs10_subject = -1;                /* Name */
@@ -112,7 +113,7 @@ dissect_pkcs10_T_type(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _
 
 static int
 dissect_pkcs10_T_values_item(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 25 "./asn1/pkcs10/pkcs10.cnf"
+#line 29 "./asn1/pkcs10/pkcs10.cnf"
     offset=call_ber_oid_callback(actx->external.direct_reference, tvb, offset, actx->pinfo, tree, NULL);
 
 
@@ -207,6 +208,13 @@ dissect_pkcs10_CertificationRequest(gboolean implicit_tag _U_, tvbuff_t *tvb _U_
 
 /*--- PDUs ---*/
 
+static int dissect_Attributes_PDU(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, void *data _U_) {
+  int offset = 0;
+  asn1_ctx_t asn1_ctx;
+  asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
+  offset = dissect_pkcs10_Attributes(FALSE, tvb, offset, &asn1_ctx, tree, hf_pkcs10_Attributes_PDU);
+  return offset;
+}
 static int dissect_CertificationRequest_PDU(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, void *data _U_) {
   int offset = 0;
   asn1_ctx_t asn1_ctx;
@@ -227,6 +235,10 @@ void proto_register_pkcs10(void) {
 
 /*--- Included file: packet-pkcs10-hfarr.c ---*/
 #line 1 "./asn1/pkcs10/packet-pkcs10-hfarr.c"
+    { &hf_pkcs10_Attributes_PDU,
+      { "Attributes", "pkcs10.Attributes",
+        FT_UINT32, BASE_DEC, NULL, 0,
+        NULL, HFILL }},
     { &hf_pkcs10_CertificationRequest_PDU,
       { "CertificationRequest", "pkcs10.CertificationRequest_element",
         FT_NONE, BASE_NONE, NULL, 0,
@@ -311,7 +323,14 @@ void proto_register_pkcs10(void) {
 void proto_reg_handoff_pkcs10(void) {
   dissector_handle_t csr_handle;
 
-/* #include "packet-pkcs10-dis-tab.c" */
+
+/*--- Included file: packet-pkcs10-dis-tab.c ---*/
+#line 1 "./asn1/pkcs10/packet-pkcs10-dis-tab.c"
+  register_ber_oid_dissector("1.2.840.113549.1.9.9", dissect_Attributes_PDU, proto_pkcs10, "pkcs-9-at-extendedCertificateAttributes");
+
+
+/*--- End of included file: packet-pkcs10-dis-tab.c ---*/
+#line 81 "./asn1/pkcs10/packet-pkcs10-template.c"
 
   csr_handle = create_dissector_handle(dissect_CertificationRequest_PDU, proto_pkcs10);
   dissector_add_string("media_type", "application/pkcs10", csr_handle); /* RFC 5967 */

epan/dissectors/packet-pkix1explicit.c

@@ -52,6 +52,7 @@ static int ett_pkix1explicit_addressFamily = -1;
 
 /*--- Included file: packet-pkix1explicit-hf.c ---*/
 #line 1 "./asn1/pkix1explicit/packet-pkix1explicit-hf.c"
+static int hf_pkix1explicit_Extensions_PDU = -1;  /* Extensions */
 static int hf_pkix1explicit_DomainParameters_PDU = -1;  /* DomainParameters */
 static int hf_pkix1explicit_DirectoryString_PDU = -1;  /* DirectoryString */
 static int hf_pkix1explicit_Features_PDU = -1;    /* Features */
@@ -256,7 +257,7 @@ dissect_pkix1explicit_Time(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int off
 
 static int
 dissect_pkix1explicit_T_extnId(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 60 "./asn1/pkix1explicit/pkix1explicit.cnf"
+#line 63 "./asn1/pkix1explicit/pkix1explicit.cnf"
   offset = dissect_ber_object_identifier_str(implicit_tag, actx, tree, tvb, offset, hf_pkix1explicit_object_identifier_id, &actx->external.direct_reference);
 
   actx->external.direct_ref_present = (actx->external.direct_reference != NULL) ? TRUE : FALSE;
@@ -279,7 +280,7 @@ dissect_pkix1explicit_BOOLEAN(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int
 
 static int
 dissect_pkix1explicit_T_extnValue(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 64 "./asn1/pkix1explicit/pkix1explicit.cnf"
+#line 67 "./asn1/pkix1explicit/pkix1explicit.cnf"
   gint8 appclass;
   gboolean pc, ind;
   gint32 tag;
@@ -393,7 +394,7 @@ dissect_pkix1explicit_OBJECT_IDENTIFIER(gboolean implicit_tag _U_, tvbuff_t *tvb
 
 static int
 dissect_pkix1explicit_T_values_item(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 44 "./asn1/pkix1explicit/pkix1explicit.cnf"
+#line 47 "./asn1/pkix1explicit/pkix1explicit.cnf"
   if (actx->external.direct_ref_present) {
     offset=call_ber_oid_callback(actx->external.direct_reference, tvb, offset, actx->pinfo, tree, NULL);
   }
@@ -435,7 +436,7 @@ dissect_pkix1explicit_Attribute(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, in
 
 static int
 dissect_pkix1explicit_T_value(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 52 "./asn1/pkix1explicit/pkix1explicit.cnf"
+#line 55 "./asn1/pkix1explicit/pkix1explicit.cnf"
   if (actx->external.direct_ref_present) {
     offset=call_ber_oid_callback(actx->external.direct_reference, tvb, offset, actx->pinfo, tree, NULL);
   }
@@ -490,7 +491,7 @@ dissect_pkix1explicit_RDNSequence(gboolean implicit_tag _U_, tvbuff_t *tvb _U_,
 
 int
 dissect_pkix1explicit_DirectoryString(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 38 "./asn1/pkix1explicit/pkix1explicit.cnf"
+#line 41 "./asn1/pkix1explicit/pkix1explicit.cnf"
 	offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index, NULL);
 
 
@@ -561,7 +562,7 @@ dissect_pkix1explicit_Features(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int
 
 static int
 dissect_pkix1explicit_T_addressFamily(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 78 "./asn1/pkix1explicit/pkix1explicit.cnf"
+#line 81 "./asn1/pkix1explicit/pkix1explicit.cnf"
 	tvbuff_t	*parameter_tvb;
 	proto_tree *subtree;
 
@@ -800,6 +801,13 @@ dissect_pkix1explicit_ASIdentifiers(gboolean implicit_tag _U_, tvbuff_t *tvb _U_
 
 /*--- PDUs ---*/
 
+static int dissect_Extensions_PDU(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, void *data _U_) {
+  int offset = 0;
+  asn1_ctx_t asn1_ctx;
+  asn1_ctx_init(&asn1_ctx, ASN1_ENC_BER, TRUE, pinfo);
+  offset = dissect_pkix1explicit_Extensions(FALSE, tvb, offset, &asn1_ctx, tree, hf_pkix1explicit_Extensions_PDU);
+  return offset;
+}
 static int dissect_DomainParameters_PDU(tvbuff_t *tvb _U_, packet_info *pinfo _U_, proto_tree *tree _U_, void *data _U_) {
   int offset = 0;
   asn1_ctx_t asn1_ctx;
@@ -860,6 +868,10 @@ void proto_register_pkix1explicit(void) {
 
 /*--- Included file: packet-pkix1explicit-hfarr.c ---*/
 #line 1 "./asn1/pkix1explicit/packet-pkix1explicit-hfarr.c"
+    { &hf_pkix1explicit_Extensions_PDU,
+      { "Extensions", "pkix1explicit.Extensions",
+        FT_UINT32, BASE_DEC, NULL, 0,
+        NULL, HFILL }},
     { &hf_pkix1explicit_DomainParameters_PDU,
       { "DomainParameters", "pkix1explicit.DomainParameters_element",
         FT_NONE, BASE_NONE, NULL, 0,
@@ -1101,6 +1113,8 @@ void proto_reg_handoff_pkix1explicit(void) {
   register_ber_oid_dissector("1.3.6.1.5.5.7.1.7", dissect_IPAddrBlocks_PDU, proto_pkix1explicit, "id-pe-ipAddrBlocks");
   register_ber_oid_dissector("1.3.6.1.5.5.7.1.8", dissect_ASIdentifiers_PDU, proto_pkix1explicit, "id-pe-autonomousSysIds");
   register_ber_oid_dissector("1.3.6.1.5.5.7.1.24", dissect_Features_PDU, proto_pkix1explicit, "id-pe-tlsfeature");
+  register_ber_oid_dissector("1.2.840.113549.1.9.7", dissect_DirectoryString_PDU, proto_pkix1explicit, "pkcs-9-at-challengePassword");
+  register_ber_oid_dissector("1.2.840.113549.1.9.14", dissect_Extensions_PDU, proto_pkix1explicit, "pkcs-9-at-extensionRequest");
 
 
 /*--- End of included file: packet-pkix1explicit-dis-tab.c ---*/