This week is the week where I try to finish up all of the basic functionalities of the application. What I had left was to figure out how to create a custom x509v3 extension with Botan C++. As recommended by Dr Shawn, I used the UserRole extension, as shown here. Creating the UserRole extension with Botan C++ involves having a self-defined class to inherit the properties of Botan’s Certificate_Extension class. Since it is an abstract class, there are some methods that my self-defined class would need to override and provide their definitions. I did not know how to make sense of these methods at first glance, and also how would I know what needs to be done in order for it to work with the Botan library? Botan does not have any official documentation on how this is done. Fortunately, Botan is an open-source library, hence I could take a peek at the source code of other existing subclasses that inherit from that same abstract class, as implemented by the Botan developers themselves.

It turns out that not a lot of code needs to be written for those subclasses, even though each of them represents a different x509v3 extension that the Botan library supports internally. I took some time to understand what is going on and get into their frame of mind, but in the end, it all started to make sense. After a few rounds of trial and correcting misunderstandings, I finally managed to create that extension within the x509 certificate and store whatever data is inside there. I can view its contents using the openssl x509 command in the terminal. The amount of time it took for me to do this was much shorter than expected. Of course, if I am able to write data into that certificate extension, then I should be able to read data from it as well. So again, after looking at the documentation on how to read the contents of the extensions for a certificate, the data could be read successfully and is printed out to the terminal window for verification purposes. I did all this as a separate but small C++ program to create a new certificate that has the UserRole extension using Botan’s APIs, for the purpose of experimenting. After passing all checks in the checklist, the UserRole class is then integrated into the codebase of the application.

So things came out good at that point of time. Using the remaining time I have left before the week ends, I decided to just go and test out the application further to hunt down bugs. And then suddenly, the part where the user provides an existing valid certificate in order to be revoked in the case of early renewals for their subscription fails. The failure happens during the validation of the certificate chain, which is done internally by the Wt framework. The last time when I was working on implementing the CRL, it worked. But then I realized that I was only testing for standalone individual certificates, meaning that they are not tied to an organization. I hadn’t accounted for individuals that belong to an organization, which has its own intermediate CA to issue the client certificates.

One of the necessary command line arguments to the Wt application, needed to do client certificate authentication, is a single file consisting of a list of PEM encoded trusted CA certificates. The path validation of the certificate chain uses this file to check that the certificate provided is actually issued by us. But because I didn’t add the intermediate CA to this chain file for an organization, it throws an error and thus fails. After I added it, the revocation of the client certificate happens, and the user gets redirected to the download of the new certificate as expected. This means that every time a new subscription for an organization product comes in, the newly created intermediate CA certificate needs to be added to that chain file, in order for its client certificates to be authenticated successfully by the Wt application.
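The failure and the fix described above, reproduced with the openssl command line as an added example (not code from this project). It assumes `openssl verify -CAfile` as a stand-in for the Wt application's chain validation; the constructed root, intermediate and client certificates, the file names and the function names are all hypothetical.

```sh
#!/bin/sh
# Constructed throwaway PKI: root CA -> organization intermediate CA -> client.
# File names, CNs and function names are made up for this example.
set -eu

build_demo_pki() (   # build_demo_pki <dir>; subshell keeps the cd local
    cd "$1"
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    for n in root int client; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" \
            -out "$n.csr" -subj "/CN=demo-$n" 2>/dev/null
    done
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
        -days 1 -out root.pem 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -set_serial 1 \
        -extfile ca.ext -days 1 -out int.pem 2>/dev/null
    openssl x509 -req -in client.csr -CA int.pem -CAkey int.key -set_serial 2 \
        -days 1 -out client.pem 2>/dev/null
)

chain_ok() {         # chain_ok <trusted-ca-file> <cert>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

add_trusted_ca() {   # add_trusted_ca <trusted-ca-file> <new-ca.pem>
    # Refuse anything that is not a CA certificate ...
    openssl x509 -in "$2" -noout -purpose |
        grep -q '^SSL client CA : Yes$' || return 1
    # ... or that does not chain to a CA already in the file.
    chain_ok "$1" "$2" || return 1
    # Append only the certificate block, never stray keys or text.
    openssl x509 -in "$2" -outform PEM >> "$1"
}

d=$(mktemp -d)
build_demo_pki "$d"
cp "$d/root.pem" "$d/trusted.pem"          # file starts with the root only
if chain_ok "$d/trusted.pem" "$d/client.pem"; then
    echo "before: accepted"
else
    echo "before: rejected"
fi
add_trusted_ca "$d/trusted.pem" "$d/int.pem"
chain_ok "$d/trusted.pem" "$d/client.pem" && echo "after: accepted"
rm -rf "$d"
```

The two checks in `add_trusted_ca` matter because every certificate in that file becomes a trust anchor for client authentication, so only CA certificates issued under the existing root belong in it.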

I am really glad that despite all my earlier mishaps of this project, I managed to make better progress now. It really is the season to be jolly now 🎄. That is it for this week’s blog. I’ll see how things go from here on out, so stay tuned for my next blog post.

