I'm writing a DER parser for certificate requests in .NET.
I based my work on RFC 2986, which describes most of the content of the request with ASN.1 modules.
However, it doesn't define how the extensionRequest (OID 1.2.840.113549.1.9.14) is structured. I've searched high and low, but I'm not able to find another RFC or publicly available documentation which describes what structure it uses, what types are expected, etc. (i.e., the ASN.1 module of the extensionRequest object and its children).
Sample DER, decoded:
SEQUENCE (3 elem)
  SEQUENCE (4 elem)
    INTEGER 0
    SEQUENCE (14 elem)
    SEQUENCE (2 elem)
      SEQUENCE (2 elem)
        OBJECT IDENTIFIER 1.2.840.113549.1.1.1 rsaEncryption (PKCS #1)
        NULL
      BIT STRING (1120 bit) 001100001000000110001001000000101000000110000001000000001011111100011…
        SEQUENCE (2 elem)
          INTEGER (1024 bit) 134193393845175687447721541202995749257369077931432148182685911334902…
          INTEGER 65537
    [0] (4 elem)
      SEQUENCE (2 elem)
        OBJECT IDENTIFIER 1.3.6.1.4.1.311.13.2.3 osVersion (Microsoft attribute)
        SET (1 elem)
          IA5String 10.0.19042.2
      SEQUENCE (2 elem)
        OBJECT IDENTIFIER 1.3.6.1.4.1.311.21.20 requestClientInfo (Microsoft attribute)
        SET (1 elem)
          SEQUENCE (4 elem)
            INTEGER 5
            UTF8String EDITED
            UTF8String EDITEDedited
            UTF8String MMC.EXE
      SEQUENCE (2 elem)
        OBJECT IDENTIFIER 1.3.6.1.4.1.311.13.2.2 enrolmentCSP (Microsoft attribute)
        SET (1 elem)
          SEQUENCE (3 elem)
            INTEGER 0
            BMPString Microsoft Software Key Storage Provider
            BIT STRING (0 bit)
      SEQUENCE (2 elem)
        OBJECT IDENTIFIER 1.2.840.113549.1.9.14 extensionRequest (PKCS #9 via CRMF)
        SET (1 elem)
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv This sequence vvvvvvvvvvvvvvvvvvvvvvvvv
          SEQUENCE (2 elem)
            SEQUENCE (2 elem)
              OBJECT IDENTIFIER 2.5.29.17 subjectAltName (X.509 extension)
              OCTET STRING (153 byte) 308196A41430123110300E060355040B0C076469726E616D658204444E53318204444…
                SEQUENCE (9 elem)
                  [4] (1 elem)
                    SEQUENCE (1 elem)
                      SET (1 elem)
                        SEQUENCE (2 elem)
                          OBJECT IDENTIFIER 2.5.4.11 organizationalUnitName (X.520 DN component)
                          UTF8String dirname
                  [2] (4 byte) DNS1
                  [2] (4 byte) DNS2
                  [1] (17 byte) [email protected]
                  [0] (2 elem)
                    OBJECT IDENTIFIER 1.3.6.1.4.1.311.25.1 ntdsReplication (Microsoft)
                    [0] (1 elem)
                      OCTET STRING (16 byte) ADC5FA58160E9F4ABB154A7DCEDC00A5
                  [7] (4 byte) 7F000002
                  [7] (16 byte) 00000000000000000000000000000001
                  [6] (3 byte) url
                  [0] (2 elem)
                    OBJECT IDENTIFIER 1.3.6.1.4.1.311.20.2.3 universalPrincipalName (Microsoft UPN)
                    [0] (1 elem)
                      UTF8String userprincipalname
            SEQUENCE (2 elem)
              OBJECT IDENTIFIER 2.5.29.14 subjectKeyIdentifier (X.509 extension)
              OCTET STRING (20 byte) 87E201CF0B06CB290C98E7DF67796CF46AD9D507
                OCTET STRING (20 byte) 87E201CF0B06CB290C98E7DF67796CF46AD9D507
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  SEQUENCE (2 elem)
    OBJECT IDENTIFIER 1.2.840.113549.1.1.11 sha256WithRSAEncryption (PKCS #1)
    NULL
  BIT STRING (1024 bit) 101110000001101000110010011000110101111010001000011101110110001110000…
Do you know where I can find this info?
question from:
https://stackoverflow.com/questions/65845215/where-is-the-asn1-moduels-for-certificate-extention
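
The marked sequence in the dump has the X.509 extension layout: PKCS #9 (RFC 2985) defines ExtensionRequest as Extensions, whose ASN.1 is in RFC 5280, i.e. SEQUENCE OF SEQUENCE { OID, optional BOOLEAN critical, OCTET STRING wrapping further DER }. The following is an added example, not part of the original question, that walks that layout with .NET's System.Formats.Asn1 (assumes .NET 5 or later); the sample bytes and the names `ReadExtensions` and `DnsNames` are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Formats.Asn1;

// Constructed sample (not from the question): subjectAltName, critical, one
// dNSName "DNS1", then subjectKeyIdentifier with a 4-byte placeholder key id.
byte[] sample = Convert.FromHexString(
    "3023" + "3012" + "0603551D11" + "0101FF" + "0408" + "30068204444E5331" +
             "300D" + "0603551D0E" + "0406" + "040401020304");
foreach (var e in ReadExtensions(sample))
    Console.WriteLine($"{e.Oid} critical={e.Critical} value={Convert.ToHexString(e.Value)}" +
        (e.Oid == "2.5.29.17" ? " dNSName=" + string.Join(",", DnsNames(e.Value)) : ""));

// Walks SEQUENCE OF SEQUENCE { OID, [BOOLEAN], OCTET STRING } under strict DER rules.
static List<(string Oid, bool Critical, byte[] Value)> ReadExtensions(byte[] der)
{
    var outer = new AsnReader(der, AsnEncodingRules.DER);
    AsnReader extensions = outer.ReadSequence();
    outer.ThrowIfNotEmpty();                       // reject trailing bytes
    var result = new List<(string Oid, bool Critical, byte[] Value)>();
    while (extensions.HasData)
    {
        AsnReader ext = extensions.ReadSequence();
        string oid = ext.ReadObjectIdentifier();
        bool critical = ext.PeekTag().HasSameClassAndValue(Asn1Tag.Boolean) && ext.ReadBoolean();
        byte[] value = ext.ReadOctetString();      // content is itself DER
        ext.ThrowIfNotEmpty();                     // nothing may follow extnValue
        result.Add((oid, critical, value));
    }
    return result;
}

// For subjectAltName (2.5.29.17) the OCTET STRING wraps a SEQUENCE of
// context-tagged names; [2] is an IA5String dNSName, as in the question's dump.
static List<string> DnsNames(byte[] sanValue)
{
    var names = new AsnReader(sanValue, AsnEncodingRules.DER).ReadSequence();
    var dns = new Asn1Tag(TagClass.ContextSpecific, 2);
    var found = new List<string>();
    while (names.HasData)
    {
        if (names.PeekTag().HasSameClassAndValue(dns))
            found.Add(names.ReadCharacterString(UniversalTagNumber.IA5String, dns));
        else
            names.ReadEncodedValue();              // skip other name forms
    }
    return found;
}
```

Malformed or non-DER input surfaces as an `AsnContentException`, so a caller handling untrusted requests should catch it and reject the request.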