Question

I'm interested in creating a CSR that contains arbitrary extensions, specified by an OID. Ideally, I'd like the value to be an ASN1-encoded entity, though setting it to a string is enough.

Various online examples point to code such as this:

from M2Crypto import X509

request = X509.Request()
extensionStack = X509.X509_Extension_Stack()
extension = X509.new_extension('subjectAltName', 'DNS:example.com')  # short name, mapped by OpenSSL to its OID
extensionStack.push(extension)
request.add_extensions(extensionStack)

The extension is created from a predefined name like subjectAltName, which is then mapped to the right OID. Apparently, these strings are defined in objects.txt, and there's no way to add your own, except by recompiling OpenSSL.

The documentation says that custom X509 extensions can be added by editing openssl.cnf. However, my understanding is that this will affect only operations that invoke OpenSSL from the command line.

How to do the same with M2Crypto? In other words, how to make it work more or less like this?

X509.new_extension('OID:1.2.3.4.5.42', 'test')
# or this
X509.new_extension('OID:1.2.3.4.5.42', '0x1E4...819')

Solution

You almost have it:

from M2Crypto import X509

cert = X509.X509()
# The dotted OID is passed directly; the value uses OpenSSL's ASN1 generation syntax
ext = X509.new_extension('1.2.3.4',
                         'ASN1:UTF8String:Some random data')
# If required: ext.set_critical(1)
cert.add_ext(ext)

It will appear in the OpenSSL dump:

                1a:91:ca:bf:aa:ba:3b:49:57
            Exponent: 65537 (0x10001)
    X509v3 extensions:
        X509v3 Subject Alternative Name: 
            DNS:foobar.example.com
        1.2.3.4: 
            ..Some random data
Signature Algorithm: sha1WithRSAEncryption
    18:24:4c:42:fe:7c:71:a6:58:ed:be:9d:2e:9e:ea:a7:80:0f:

Unfortunately, M2Crypto has a problem retrieving custom extensions unless they have been registered first, and those functions aren't currently exposed through M2Crypto. The name and value will come back as "UNDEF" and "None", respectively.
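As an added example (not code from the question, the answer or M2Crypto), the following standard-library Python builds the DER for the answer's 1.2.3.4 extension, the same bytes OpenSSL's ASN1:UTF8String: syntax produces, and decodes it back, so the raw extension bytes can be inspected independently of the registration step M2Crypto lacks. The two dots in front of "Some random data" in the dump above are the UTF8String tag and length bytes (0c 10) that this encoder emits.

```python
# Added example (not from the question or answer): standard-library DER encoder/decoder for one
# X.509 Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
def tlv(tag, body):  # DER tag-length-value; short length form below 128 bytes, long form above
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def encode_oid(dotted):  # first two arcs packed as 40*a+b, the rest base-128 with continuation bits
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def encode_extension(oid, inner_der, critical=False):
    body = encode_oid(oid) + (tlv(0x01, b"\xff") if critical else b"")  # DEFAULT FALSE is omitted
    return tlv(0x30, body + tlv(0x04, inner_der))  # extnValue wraps the inner DER value

def read_tlv(buf, pos=0):  # -> (tag, body, position after the element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    a = min(body[0] // 40, 2)  # first arc is 0, 1 or 2; second arc is the remainder
    arcs, value = [a, body[0] - 40 * a], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this arc
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def decode_extension(der):  # -> (oid, critical, inner_tag, inner_bytes); 0x0C = UTF8String
    seq_tag, seq, _ = read_tlv(der)
    _, oid_body, pos = read_tlv(seq)
    tag, body, pos = read_tlv(seq, pos)
    critical = tag == 0x01 and body != b"\x00"
    if tag == 0x01:  # critical flag was present, so extnValue is the next element
        tag, body, pos = read_tlv(seq, pos)
    assert seq_tag == 0x30 and tag == 0x04, "expected SEQUENCE { ..., OCTET STRING }"
    inner_tag, inner, _ = read_tlv(body)
    return decode_oid(oid_body), critical, inner_tag, inner
```

`encode_extension("1.2.3.4", tlv(0x0C, b"Some random data"))` yields the 27-byte extension whose value the OpenSSL dump prints as `..Some random data`; pass `critical=True` to get the `ext.set_critical(1)` form.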

Licensed under: CC-BY-SA with attribution