In connection with order No. 795 of the Federal Security Service of December 27, 2011 (clause 29), the subjectSignTool extension (OID: 1.2.643.100.111) of type UTF8String SIZE (1..200) must be added to the certificate. I add the extension through the addExtensionToRequest method, pre-encoding the data in ASN.1 and BASE64 roughly as follows:

    char extensionValue[] = "test";
    CRYPT_DATA_BLOB myBlob = { (DWORD)strlen(extensionValue), (BYTE*)extensionValue };

    // Let CryptoAPI allocate the DER buffer (CRYPT_ENCODE_ALLOC_FLAG); the output
    // pointer must be passed by address, not as an uninitialised BYTE*
    BYTE *pbEncoded = NULL;
    DWORD cbEncoded = 0;
    BOOL checkASN1Encoding = CryptEncodeObjectEx(
        X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, X509_OCTET_STRING, &myBlob,
        CRYPT_ENCODE_ALLOC_FLAG, NULL, &pbEncoded, &cbEncoded);

    // BASE64 the DER bytes; dwLength is the buffer size in characters on input
    wchar_t pszString[100];
    DWORD dwLength = 100;
    BOOL checkEncodingToBase64Test = CryptBinaryToStringW(
        pbEncoded, cbEncoded, CRYPT_STRING_BASE64, pszString, &dwLength);

    // addExtensionToRequest takes real BSTRs, so allocate both with SysAllocString
    BSTR bstrName  = SysAllocString(L"1.2.643.100.111");
    BSTR bstrValue = SysAllocString(pszString);
    HRESULT checkAddingExtention = pEnroll->addExtensionToRequest(0, bstrName, bstrValue);

    SysFreeString(bstrValue);
    SysFreeString(bstrName);
    LocalFree(pbEncoded);

The extension is added to the certificate request, but it shows up as an Octet String:

    Requested Extensions:
        X509v3 Extended Key Usage:
            TLS Web Client Authentication, E-mail Protection, 1.2.643.2.2.34.6
        X509v3 Key Usage:
            Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
        1.2.643.100.111:
            test

    SEQUENCE {
      OBJECT IDENTIFIER '1 2 643 100 111'
      OCTET STRING 74 65 73 74 56 61 6C 75 65
    }

But it should be something like:

    SEQUENCE {
      OBJECT IDENTIFIER '1 2 643 100 111'
      OCTET STRING, encapsulates {
        UTF8String 'test'
      }
    }

I tried CryptEncodeObjectEx with X509_ANY_STRING and X509_UNICODE_ANY_STRING as the second parameter, but without success. How can such an extension be added properly?

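The following is an added example and not part of the question or of CryptoAPI: a portable C encoder that produces the bytes the subjectSignTool extension is supposed to carry. The difference between the dump the asker got and the dump they expect is the tag of the innermost value: X509_OCTET_STRING yields 04 (OCTET STRING), whereas the extension is defined as UTF8String, so the DER that gets BASE64-encoded and passed to addExtensionToRequest has to start with tag 0C. The code builds that UTF8String TLV, enforces the SIZE (1..200) constraint (values of 128..200 bytes need the long-form length 81 xx), wraps it in the full Extension SEQUENCE { OID, OCTET STRING } to show the expected nesting, and includes a small checker for values read back out of a CSR. The function names, buffer sizes and the base64 helper are assumptions of this example; the OID bytes for 1.2.643.100.111 are derived in the comment.

```c
/* Added example (not from the question): DER for subjectSignTool
 * (1.2.643.100.111) ::= UTF8String (SIZE (1..200)), plus the enclosing
 * Extension structure and a checker. Plain C, no CryptoAPI. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_OCTET_STRING 0x04   /* what the asker's code produced */
#define TAG_UTF8STRING   0x0C   /* what the extension requires     */
#define TAG_SEQUENCE     0x30

/* Write tag + DER length + contents; returns bytes written, 0 if out is
 * too small. Handles short form (<128) and 1- or 2-byte long form. */
static size_t der_tlv(uint8_t tag, const uint8_t *body, size_t n,
                      uint8_t *out, size_t cap)
{
    size_t hdr = n < 128 ? 2 : (n < 256 ? 3 : 4);
    if (n > 0xFFFF || cap < hdr + n) return 0;
    out[0] = tag;
    if (n < 128)      { out[1] = (uint8_t)n; }
    else if (n < 256) { out[1] = 0x81; out[2] = (uint8_t)n; }
    else              { out[1] = 0x82; out[2] = (uint8_t)(n >> 8); out[3] = (uint8_t)n; }
    memcpy(out + hdr, body, n);
    return hdr + n;
}

/* subjectSignTool value: 0C <len> <utf8 bytes>; rejects SIZE violations. */
size_t encode_subject_sign_tool(const char *utf8, uint8_t *out, size_t cap)
{
    size_t n = strlen(utf8);
    if (n < 1 || n > 200) return 0;               /* SIZE (1..200) */
    return der_tlv(TAG_UTF8STRING, (const uint8_t *)utf8, n, out, cap);
}

/* OBJECT IDENTIFIER 1.2.643.100.111: 1*40+2 = 2A, 643 = 85 03 (base 128),
 * 100 = 64, 111 = 6F. */
static const uint8_t OID_SUBJECT_SIGN_TOOL[] = {0x06, 0x05, 0x2A, 0x85, 0x03, 0x64, 0x6F};

/* Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }, where the
 * OCTET STRING encapsulates the UTF8String. This is the nesting the CSR
 * dump should show ("OCTET STRING, encapsulates { UTF8String ... }"). */
size_t encode_subject_sign_tool_extension(const char *utf8, uint8_t *out, size_t cap)
{
    uint8_t inner[256], body[512];
    size_t inner_len = encode_subject_sign_tool(utf8, inner, sizeof inner);
    if (inner_len == 0) return 0;
    memcpy(body, OID_SUBJECT_SIGN_TOOL, sizeof OID_SUBJECT_SIGN_TOOL);
    size_t body_len = sizeof OID_SUBJECT_SIGN_TOOL;
    size_t os_len = der_tlv(TAG_OCTET_STRING, inner, inner_len,
                            body + body_len, sizeof body - body_len);
    if (os_len == 0) return 0;
    body_len += os_len;
    return der_tlv(TAG_SEQUENCE, body, body_len, out, cap);
}

/* Check a value read back from a CSR: exactly one UTF8String TLV with a
 * 1..200-byte body. An OCTET STRING (tag 04) like the asker's fails. */
int is_der_utf8string(const uint8_t *der, size_t len)
{
    if (len < 2 || der[0] != TAG_UTF8STRING) return 0;
    size_t hdr, n;
    if (der[1] < 0x80)       { hdr = 2; n = der[1]; }
    else if (der[1] == 0x81) { if (len < 3) return 0; hdr = 3; n = der[2]; }
    else return 0;                     /* >255 bytes can never satisfy SIZE (1..200) */
    return n >= 1 && n <= 200 && hdr + n == len;
}

/* Base64 (RFC 4648, no line breaks): the string to pass as strValue. */
size_t base64_encode(const uint8_t *in, size_t n, char *out, size_t cap)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t o = 0;
    if (cap < 4 * ((n + 2) / 3) + 1) return 0;
    for (size_t i = 0; i < n; i += 3) {
        uint32_t v = (uint32_t)in[i] << 16;
        if (i + 1 < n) v |= (uint32_t)in[i + 1] << 8;
        if (i + 2 < n) v |= in[i + 2];
        out[o++] = tbl[(v >> 18) & 63];
        out[o++] = tbl[(v >> 12) & 63];
        out[o++] = i + 1 < n ? tbl[(v >> 6) & 63] : '=';
        out[o++] = i + 2 < n ? tbl[v & 63] : '=';
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    uint8_t der[256], ext[512];
    char b64[512];
    size_t n = encode_subject_sign_tool("test", der, sizeof der);
    base64_encode(der, n, b64, sizeof b64);
    printf("UTF8String DER (%zu bytes):", n);
    for (size_t i = 0; i < n; i++) printf(" %02X", der[i]);
    printf("\nBASE64 for addExtensionToRequest: %s\n", b64);
    n = encode_subject_sign_tool_extension("test", ext, sizeof ext);
    printf("Extension SEQUENCE (%zu bytes):", n);
    for (size_t i = 0; i < n; i++) printf(" %02X", ext[i]);
    printf("\n");
    return 0;
}
```

For "test" the value to hand to addExtensionToRequest is the BASE64 of 0C 04 74 65 73 74, not of 04 04 74 65 73 74; the enrollment object adds the outer extnValue OCTET STRING itself. On Windows the same 0C-tagged bytes come out of CryptEncodeObjectEx with X509_UNICODE_ANY_STRING when pvStructInfo is a CERT_NAME_VALUE whose dwValueType is CERT_RDN_UTF8_STRING and whose Value holds the UTF-16 text; whichever encoder is used, checking that the first byte is 0x0C and the length covers the whole buffer (as is_der_utf8string does) catches the wrong-tag case before the request is signed.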