1.OU or OU.1 ?


1.OU or OU.1 ?

OpenSSL - User mailing list

The doc/man5/config.pod file says to use

    1.OU = "My first OU"
    2.OU = "My second OU"

But doc/man5/x509v3_config.pod says to append the numeric, as in

    email.1 = steve@here
    email.2 = steve@there

I believe the second form is correct.  Can anyone confirm?



Re: 1.OU or OU.1 ?

Dirk-Willem van Gulik


> On 20 Mar 2020, at 22:12, Salz, Rich via openssl-users <[hidden email]> wrote:
>
> The doc/man5/config.pod file says to use
>                 1.OU = "My first OU"
>                 2.OU = "My second OU"
>
> But doc/man5/x509v3_config.pod says to append the numeric, as in
>                 email.1 = steve@here
>                 email.2 = steve@there
>
> I believe the second form is correct.  Can anyone confirm?

AFAIK: Either simply like (e.g. in an extension file):

        subjectAltName=email:foo@x,email:bar@x

or more listed like your second form:

        [ v3_req ]
        subjectAltName = @extrabits

        [ extrabits ]
        email.1=foo
        email.2=foo

or straight (ordered) directly:

        openssl req -x509 -subj /CN=foo/CN=bar -keyout /dev/null -nodes | openssl x509 -noout -subject

Dw.




Re: 1.OU or OU.1 ?

Richard Levitte - VMS Whacker-2
The correct answer is, it depends.  This is an unfortunate
evolutionary artefact, and is governed by very different pieces of
code.

The config.pod example revolves around subject names and the config
for 'openssl req'.  The code that uses this is the function
auto_info(), found in apps/req.c.

The x509v3_config.pod example revolves around X.509 v3 extensions, and
the config for those is used by diverse functions in crypto/x509v3/
(1.1.1) or crypto/x509/ (master and upcoming 3.0), and ultimately, the
key name comparison is done by name_cmp(), found in v3_utl.c.

So both manuals are correct.  Unfortunately...

Cheers,
Richard

On Fri, 20 Mar 2020 22:12:08 +0100,
Salz, Rich via openssl-users wrote:

>
>
> The doc/man5/config.pod file says to use
>
>                 1.OU = "My first OU"
>
>                 2.OU = "My second OU"
>
> But doc/man5/x509v3_config.pod says to append the numeric, as in
>
>                 email.1 = steve@here
>
>                 email.2 = steve@there
>
> I believe the second form is correct.  Can anyone confirm?
>
>
--
Richard Levitte         [hidden email]
OpenSSL Project         http://www.openssl.org/~levitte/
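To see why both manuals are right, and why swapping the two forms fails, here is an added Python model (not OpenSSL's code) of the two matching rules Richard names: the leading-prefix skip in auto_info() for the 'openssl req' DN section, and the suffix check in name_cmp() for extension sections such as Dirk's [extrabits]. The rule bodies are my reading of apps/req.c and v3_utl.c and are assumptions; the field-name sets and sample lines are constructed for the demo.

```python
# Added example, not OpenSSL's code. The two rules below are assumed from my
# reading of auto_info() in apps/req.c and name_cmp() in crypto/x509v3/v3_utl.c;
# check them against the version you run.

# Constructed subsets of the names each parser accepts.
VALID_DN_FIELDS = {"C", "ST", "L", "O", "OU", "CN", "emailAddress"}
VALID_SAN_TYPES = ("email", "DNS", "IP", "URI")


def dn_field_name(key: str) -> str:
    """auto_info()-style: drop everything up to the first ':', ',' or '.'.
    '1.OU' -> 'OU', but 'OU.1' -> '1' (which is not a DN field)."""
    for i, ch in enumerate(key):
        if ch in ":,.":
            rest = key[i + 1:]
            return rest if rest else key
    return key


def name_cmp(name: str, cmp: str) -> bool:
    """name_cmp()-style: match if name == cmp, or cmp followed by '.'.
    'email.1' matches 'email'; '1.email' does not."""
    if not name.startswith(cmp):
        return False
    tail = name[len(cmp):]
    return tail == "" or tail.startswith(".")


def _split(line: str):
    """Split 'key = value' and strip optional double quotes from the value."""
    key, _, value = line.partition("=")
    return key.strip(), value.strip().strip('"')


def parse_dn_section(lines):
    """[(field, value)] for a req DN section; unknown fields raise ValueError."""
    out = []
    for line in lines:
        key, value = _split(line)
        field = dn_field_name(key)
        if field not in VALID_DN_FIELDS:
            raise ValueError(f"unknown DN field {field!r} (from key {key!r})")
        out.append((field, value))
    return out


def parse_san_section(lines):
    """[(type, value)] for a subjectAltName section; unknown keys raise ValueError."""
    out = []
    for line in lines:
        key, value = _split(line)
        matched = [t for t in VALID_SAN_TYPES if name_cmp(key, t)]
        if not matched:
            raise ValueError(f"unsupported option {key!r}")
        out.append((matched[0], value))
    return out
```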

Re: 1.OU or OU.1 ?

OpenSSL - User mailing list
Argh.  Thanks for the detailed explanation.

It seems to me that if I add suffixes ".nnn" support to auto_info() then we can move xxx.field to deprecated at some point?

On 3/20/20, 10:45 PM, "Richard Levitte" <[hidden email]> wrote:

    The correct answer is, it depends.  This is an unfortunate
    evolutionary artefact, and is governed by very different pieces of
    code.


Re: 1.OU or OU.1 ?

OpenSSL - User mailing list
Just to close the loop:  I decided better documentation is the only answer for now: https://github.com/openssl/openssl/pull/11431

I'll copy the info below into a new issue.

On 3/21/20, 9:47 AM, "Salz, Rich via openssl-users" <[hidden email]> wrote:

    Argh.  Thanks for the detailed explanation.