[Cryptography-dev] SCEP OID support

Micah Baker hacim.rekab at gmail.com
Mon Oct 5 02:03:50 CEST 2015 

Hi Paul,

SCEP requires a senderNonce and transactionID to be returned to the client requesting the certificate. Those two values are included in the signed message the client sends to the server, and then the server must take the two values and include them in the response to the client or the client is supposed to reject the response. This is not just adding an OID for a capability, it’s also adding a value to the OID which must be included in the signed response. Does  x509.ObjectIdentifier allow something to the effect of 1.2.3.4=some random bytes or text?

Thanks,

Micah

> On Oct 4, 2015, at 4:59 PM, Paul Kehrer <paul.l.kehrer at gmail.com> wrote:
> 
> Micah,
> 
> You can define any OID you want just by passing a string of the dotted value of the OID to the constructor of x509.ObjectIdentifier. You won't get the human readable name, but that's not a big deal. However, that class is really just a convenience and doesn't have any behavior so I'm not sure what benefit it would be to you when implementing SCEP. Could you elaborate a bit on what you're trying to do?
> 
> 
> -Paul (reaperhulk)
> 
> On October 4, 2015 at 6:33:57 PM, Micah Baker (hacim.rekab at gmail.com <mailto:hacim.rekab at gmail.com>) wrote:
> 
>> I’m attempting to build a SCEP server using cryptography and don’t see a way to add OIDs not already defined by the module. If it is not possible to use other real OIDs, can we add the half-dozen SCEP OIDs to cryptography? The OIDs can be found here: https://tools.ietf.org/html/draft-gutmann-scep-01#page-17 <https://tools.ietf.org/html/draft-gutmann-scep-01#page-17>. If someone is willing to give me some pointers I could try to write a patch for this, assuming it’s just a table of supported OIDs somewhere.
>> _______________________________________________ 
>> Cryptography-dev mailing list 
>> Cryptography-dev at python.org <mailto:Cryptography-dev at python.org> 
>> https://mail.python.org/mailman/listinfo/cryptography-dev <https://mail.python.org/mailman/listinfo/cryptography-dev>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/cryptography-dev/attachments/20151004/bc51c093/attachment.html>

More information about the Cryptography-dev mailing list