Annoying Garbage characters in OIDs


Annoying Garbage characters in OIDs

Johnny Gonzalez
Hello everybody,

I have a big problem when adding new OIDs, as these are getting garbage
characters that we need to avoid in our certificates. Could this be the way
I'm adding the OIDs? This is the entire context:

I have to add 3 new OIDs to my issued certificates, so I added them in the
openssl.cnf config file this way:

in the new oids section I have this:

direccion = 2.5.4.9
nit = 1.3.6.1.4.1.4710.1.3.2
cedula = 1.3.6.1.4.1.4710.1.3.1

In the policy match section I have this:

direccion  = optional
cedula   = optional
nit    = optional

In the [ req_distinguished_name ] section I have this:

direccion   = Direccion
cedula    = Cedula
nit    = Nit

I guess this is ok, but after issuing my certificate, I'm getting undesired
characters in the values of these new OIDs. For example, this certificate has
the 3 new OIDs I need; when I open the certificate in Windows (the OS we need
to use) I get this output in the subject:

Número de serie = 9

1.3.6.1.4.1.4710.1.3.2 = 1    <--- The 2 first characters are garbage

1.3.6.1.4.1.4710.1.3.1 = 1    <--- The 2 first characters are garbage

STREET = cra 23    <--- The 2 first characters are garbage

CN = Prueba 1 cert

OU = Internet

O = Ubiquando

L = Bogota

S = Cundinamarca

What should I do to avoid these annoying characters in the value of my special
OIDs??

Am I doing something wrong when I add the OIDs?

In the [ req_distinguished_name ] section I have also done this:

direccion   = UTF8:Direccion
cedula    = UTF8:Cedula
nit    = UTF8:Nit

But this doesn't change this strange behaviour.
What do you recommend me? The requests I receive in PEM could contain latin
characters like á, ñ, etc, but this is not the problem.

The requests are being generated with openssl and the -utf8 option.

I'm attaching my openssl.cnf file

Thanks a lot for any help,
Johnny


               

openssl.cnf (13K) Download Attachment

Re: Annoying Garbage characters in OIDs

Dr. Stephen Henson
On Mon, Aug 01, 2005, Johnny Gonzalez wrote:

> Hello everybody,
>
> I have a big problem when adding new OIDs, as these
> are getting garbage
> characters that we need to avoid in our certificates.
> Could this be the way
> I'm adding the OIDs? This is the entire context:
>
> I have to add 3 new OIDs to my issued certificates, so
> I added them in the
> openssl.cnf config file this way:
>
> in the new oids section I have this:
>
> direccion = 2.5.4.9
> nit = 1.3.6.1.4.1.4710.1.3.2
> cedula = 1.3.6.1.4.1.4710.1.3.1
>
> In the policy match section I have this:
>
> direccion  = optional
> cedula   = optional
> nit    = optional
>
> In the [ req_distinguished_name ] section I have this:
>
> direccion   = Direccion
> cedula    = Cedula
> nit    = Nit
>
> I guess this is ok, but after issuing my certificate,
> I'm getting undesired
> characters in the values of these new OIDs for
> example, this certificate has
> the 3 new OIDs I need, when I open the certificate in
> Windows (the OS we need
> to use) I get this output in the subject:
>
> Número de serie = 9
>
> 1.3.6.1.4.1.4710.1.3.2 = 1    
> <-------------------------------The 2 first
> characters are garbage
>
> 1.3.6.1.4.1.4710.1.3.1 = 1    
> <-------------------------------The 2 first
> characters are garbage
>
> STREET = cra 23                  
> <-------------------------------The 2
> first characters are garbage
>
> CN = Prueba 1 cert
>
> OU = Internet
>
> O = Ubiquando
>
> L = Bogota
>
> S = Cundinamarca
>
> What should I do to avoid these annoying characters in
> the value of my special
> OIDs??
>
> Am I doing something wrong when I add the OIDs?
>

Looks more like you are having a problem with Windows...

What it is doing when it finds an OID it doesn't recognize is to dump the
whole encoded component in the manner you describe.

So what you really need to do if you need this to display on Windows is to use
OIDs that it does recognize.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Annoying Garbage characters in OIDs

Johnny Gonzalez
Hello Steve,


--- "Dr. Stephen Henson" <[hidden email]> wrote:

> On Mon, Aug 01, 2005, Johnny Gonzalez wrote:
>
> > Hello everybody,
> >
> > I have a big problem when adding new OIDs, as
> these
> > are getting garbage
> > characters that we need to avoid in our
> certificates.
> > Could this be the way
> > I'm adding the OIDs? This is the entire context:
> >
> > I have to add 3 new OIDs to my issued
> certificates, so
> > I added them in the
> > openssl.cnf config file this way:
> >
> > in the new oids section I have this:
> >
> > direccion = 2.5.4.9
> > nit = 1.3.6.1.4.1.4710.1.3.2
> > cedula = 1.3.6.1.4.1.4710.1.3.1
> >
> > In the policy match section I have this:
> >
> > direccion  = optional
> > cedula   = optional
> > nit    = optional
> >
> > In the [ req_distinguished_name ] section I have
> this:
> >
> > direccion   = Direccion
> > cedula    = Cedula
> > nit    = Nit
> >
> > I guess this is ok, but after issuing my
> certificate,
> > I'm getting undesired
> > characters in the values of these new OIDs for
> > example, this certificate has
> > the 3 new OIDs I need, when I open the certificate
> in
> > Windows (the OS we need
> > to use) I get this output in the subject:
> >
> > Número de serie = 9
> >
> > 1.3.6.1.4.1.4710.1.3.2 = 1    
> > <-------------------------------The 2 first
> > characters are garbage
> >
> > 1.3.6.1.4.1.4710.1.3.1 = 1    
> > <-------------------------------The 2 first
> > characters are garbage
> >
> > STREET = cra 23                  
> > <-------------------------------The 2
> > first characters are garbage
> >
> > CN = Prueba 1 cert
> >
> > OU = Internet
> >
> > O = Ubiquando
> >
> > L = Bogota
> >
> > S = Cundinamarca
> >
> > What should I do to avoid these annoying
> characters in
> > the value of my special
> > OIDs??
> >
> > Am I doing something wrong when I add the OIDs?
> >
>
> Looks more like you are having a problem with
> Windows...
>
> What it is doing when it finds an OID it doesn't
> recognize is to dump the
> whole encoded component in the manner you describe.
>
> So what you really need to do if you need this to
> display on Windows is to use
> OIDs that it does recognize.
>
How can I do that? I mean, our certification politics
require that our certificates have those 3 OIDs, so
following your suggestions, how could I use other OIDs
that windows can recognize?

I thought the problem was the way I register the OIDs
in openssl to add them to the certificates. What do
you think? Is there another way to register the OIDs
in openssl different from what I did?

Thanks a lot for your kind help,
Johnny



> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys:
> see homepage
> OpenSSL project core developer and freelance
> consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
>



               

Re: Annoying Garbage characters in OIDs

Dr. Stephen Henson
On Tue, Aug 02, 2005, Johnny Gonzalez wrote:

> > >
> > > Número de serie = 9
> > >
> > > 1.3.6.1.4.1.4710.1.3.2 = 1    
> > > <-------------------------------The 2 first
> > > characters are garbage
> > >
> > > 1.3.6.1.4.1.4710.1.3.1 = 1    
> > > <-------------------------------The 2 first
> > > characters are garbage
> > >
> > > STREET = cra 23                  
> > > <-------------------------------The 2
> > > first characters are garbage
> > >
> > > CN = Prueba 1 cert
> > >
> > > OU = Internet
> > >
> > > O = Ubiquando
> > >
> > > L = Bogota
> > >
> > > S = Cundinamarca
> > >
> > > What should I do to avoid these annoying
> > characters in
> > > the value of my special
> > > OIDs??
> > >
> > > Am I doing something wrong when I add the OIDs?
> > >
> >
> > Looks more like you are having a problem with
> > Windows...
> >
> > What it is doing when it finds an OID it doesn't
> > recognize is to dump the
> > whole encoded component in the manner you describe.
> >
> > So what you really need to do if you need this to
> > display on Windows is to use
> > OIDs that it does recognize.
> >
> How can I do that? I mean, our certification politics
> require that our certificates have those 3 OIDs, so
> following your suggestions, how could I use other OIDs
> that windows can recognize?
>
> I thought the problem was the way I register the OIDs
> in openssl to add them to the certificates. What do
> you think? Is there another way to register the OIDs
> in openssl different from what I did?
>

No it isn't OpenSSL. OpenSSL is outputting the correct data, it's just that
whatever Windows program you are using doesn't recognize the OIDs and has a
policy to just dump out the value without interpreting it at all, which isn't
very friendly.

In your example ^S^A1 is the DER representation of a PRINTABLESTRING of one
octet in length which is the character '1'.

What Windows program produces that output and what version of Windows is it?
When I display a certificate using the certificate wizard dialog box it looks
fine even if it has OIDs it doesn't recognize.

BTW if you are going to use "international" characters (basically anything
larger than 127) you'd better set "string_mask=utf8only" in the openssl.cnf
file. If you also use the -utf8 input option the terminal *must* send
characters in UTF8 format.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: Annoying Garbage characters in OIDs

Johnny Gonzalez
Hello Steve,


--- "Dr. Stephen Henson" <[hidden email]> wrote:

> On Tue, Aug 02, 2005, Johnny Gonzalez wrote:
>
> > > >
> > > > Número de serie = 9
> > > >
> > > > 1.3.6.1.4.1.4710.1.3.2 = 1    
> > > > <-------------------------------The 2 first
> > > > characters are garbage
> > > >
> > > > 1.3.6.1.4.1.4710.1.3.1 = 1    
> > > > <-------------------------------The 2 first
> > > > characters are garbage
> > > >
> > > > STREET = cra 23                  
> > > > <-------------------------------The 2
> > > > first characters are garbage
> > > >
> > > > CN = Prueba 1 cert
> > > >
> > > > OU = Internet
> > > >
> > > > O = Ubiquando
> > > >
> > > > L = Bogota
> > > >
> > > > S = Cundinamarca
> > > >
> > > > What should I do to avoid these annoying
> > > characters in
> > > > the value of my special
> > > > OIDs??
> > > >
> > > > Am I doing something wrong when I add the
> OIDs?
> > > >
> > >
> > > Looks more like you are having a problem with
> > > Windows...
> > >
> > > What it is doing when it finds an OID it doesn't
> > > recognize is to dump the
> > > whole encoded component in the manner you
> describe.
> > >
> > > So what you really need to do if you need this
> to
> > > display on Windows is to use
> > > OIDs that it does recognize.
> > >
> > How can I do that? I mean, our certification
> politics
> > require that our certificates have those 3 OIDs,
> so
> > following your suggestions, how could I use other
> OIDs
> > that windows can recognize?
> >
> > I thought the problem was the way I register the
> OIDs
> > in openssl to add them to the certificates. What
> do
> > you think? Is there another way to register the
> OIDs
> > in openssl different from what I did?
> >
>
> No it isn't OpenSSL. OpenSSL is outputting the
> correct data, it's just that
> whatever Windows program you are using doesn't
> recognize the OIDs and has a
> policy to just dump out the value without
> interpreting it at all, which isn't
> very friendly.
>
> In your example ^S^A1 is the DER representation of a
> PRINTABLESTRING of one
> octet in length which is the character '1'.
>
> What Windows program produces that output and what
> version of Windows is it?
The problem arises when I double click in the
certificate with .crt extension in the Windows
Explorer, so Windows starts the default program that
handles certificates.

This link has an image of how it looks in windows.
http://www.geocities.com/johnnygonzalezl/images/ImageCertInWin32.JPG



> When I display a certificate using the certificate
> wizard dialog box it looks
> fine even if it has OIDs it doesn't recognize.
>
Maybe it's the same I'm using to see the details of
the certificates.


> BTW if you are going to use "international"
> characters (basically anything
> larger than 127) you'd better set
> "string_mask=utf8only" in the openssl.cnf
> file. If you also use the -utf8 input option the
> terminal *must* send
> characters in UTF8 format.

Thanks for this suggestion I will apply it. However
the tests I have done with OIDs have values like: "1",
so this shouldn't be a problem for the OIDs,
nonetheless it will be very helpful for my
certificates.

What other suggestions do you have?

Thanks a lot,
Johnny

>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys:
> see homepage
> OpenSSL project core developer and freelance
> consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
>



               

Re: Annoying Garbage characters in OIDs

Dr. Stephen Henson
On Wed, Aug 03, 2005, Johnny Gonzalez wrote:

> Hello Steve,
>
> >
> > What Windows program produces that output and what
> > version of Windows is it?
> The problem arises when I double click in the
> certificate with .crt extension in the Windows
> Explorer, so Windows starts the default program that
> handles certificates.
>
> This link has an image of how it looks in windows.
> http://www.geocities.com/johnnygonzalezl/images/ImageCertInWin32.JPG
>
>

What version of MSIE and Windows is this?

>
> > When I display a certificate using the certificate
> > wizard dialog box it looks
> > fine even if it has OIDs it doesn't recognize.
> >
> Maybe it's the same I'm using to see the details of
> the certificates.
>

You could have an earlier version.

>
> > BTW if you are going to use "international"
> > characters (basically anything
> > larger than 127) you'd better set
> > "string_mask=utf8only" in the openssl.cnf
> > file. If you also use the -utf8 input option the
> > terminal *must* send
> > characters in UTF8 format.
>
> Thanks for this suggestion I will apply it. However
> the tests I have done with OIDs have values like: "1",
> so this shouldn't be a problem for the OIDs,
> nonetheless it will be very helpful for my
> certificates.
>
> What other suggestions do you have?
>

I'd suggest trying this on WinXP with the latest version of MSIE. If you can
send me a certificate I'll check to see how my setup displays it.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: Annoying Garbage characters in OIDs

Johnny Gonzalez

--- "Dr. Stephen Henson" <[hidden email]> wrote:

> On Wed, Aug 03, 2005, Johnny Gonzalez wrote:
>
> > Hello Steve,
> >
> > >
> > > What Windows program produces that output and
> what
> > > version of Windows is it?
> > The problem arises when I double click in the
> > certificate with .crt extension in the Windows
> > Explorer, so Windows starts the default program
> that
> > handles certificates.
> >
> > This link has an image of how it looks in windows.
> >
>
http://www.geocities.com/johnnygonzalezl/images/ImageCertInWin32.JPG
> >
> >
>
> What version of MSIE and Windows is this?
I'm using a Windows XP machine that has IE6. And it
has no Service Packs at all.

>
> >
> > > When I display a certificate using the
> certificate
> > > wizard dialog box it looks
> > > fine even if it has OIDs it doesn't recognize.
> > >
> > Maybe it's the same I'm using to see the details
> of
> > the certificates.
> >
>
> You could have an earlier version.
>
> >
> > > BTW if you are going to use "international"
> > > characters (basically anything
> > > larger than 127) you'd better set
> > > "string_mask=utf8only" in the openssl.cnf
> > > file. If you also use the -utf8 input option the
> > > terminal *must* send
> > > characters in UTF8 format.
> >
> > Thanks for this suggestion I will apply it.
> However
> > the tests I have done with OIDs have values like:
> "1",
> > so this shouldn't be a problem for the OIDs,
> > nonetheless it will be very helpful for my
> > certificates.
> >
> > What other suggestions do you have?
> >
>
> I'd suggest trying this on WinXP with the latest
> version of MSIE. If you can
> send me a certificate I'll check to see how my
> setup displays it.
I'm sending you the certificate I'm testing on my
machine, but I will change the extension to .txt so
there won't be any problem sending the file.

Thanks a lot,
Johnny

>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys:
> see homepage
> OpenSSL project core developer and freelance
> consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
>



       
       
               

Re: Annoying Garbage characters in OIDs

Dr. Stephen Henson
On Wed, Aug 03, 2005, Johnny Gonzalez wrote:

>
>
> I'm sending you the certificate I'm testing on my
> machine, but I will change the extension to .txt so
> there won't be any problem sending the file.
>

I get the same too.

How are you entering data in these extra fields? It looks like whatever is
doing it is feeding in the encoded version rather than its actual value. The
result is that OpenSSL is trying to encode a PrintableString within a
T61String.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
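
Added example, not part of the original thread and not OpenSSL or OpenCA code: a small DER walker that illustrates the two points made in the replies above, that ^S^A1 is the three octets 13 01 31 (a PrintableString holding '1'), and that the issued certificate carried an already-encoded PrintableString inside a T61String. The sample Name is constructed from the OIDs and values quoted in the thread, and all function names are hypothetical.

```python
"""Flag DN attribute values whose content is itself a DER-encoded string."""

# Universal tags of the ASN.1 string types that appear in DN attribute values.
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "T61String",
               0x16: "IA5String", 0x1E: "BMPString"}


def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("content runs past end of buffer")
    return tag, buf[pos:end], end


def decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets into dotted notation."""
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last octet of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))


def nested_string(content):
    """Return (type, inner) if content is exactly one DER string TLV, else None."""
    try:
        tag, inner, end = read_tlv(content)
    except ValueError:
        return None
    if tag in STRING_TAGS and end == len(content):
        return STRING_TAGS[tag], inner
    return None


def audit_name(name_der):
    """Walk a DER Name; return (oid, outer_type, raw_value, nested) per attribute."""
    tag, rdns, _ = read_tlv(name_der)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    findings, pos = [], 0
    while pos < len(rdns):
        _, rdn, pos = read_tlv(rdns, pos)          # SET OF AttributeTypeAndValue
        inner = 0
        while inner < len(rdn):
            _, attr, inner = read_tlv(rdn, inner)  # SEQUENCE { type, value }
            _, oid, value_pos = read_tlv(attr)
            vtag, value, _ = read_tlv(attr, value_pos)
            findings.append((decode_oid(oid), STRING_TAGS.get(vtag, hex(vtag)),
                             value, nested_string(value)))
    return findings


def encode_tlv(tag, content):
    """Short-form DER encoder, enough to build the constructed sample below."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content


def make_rdn(oid_hex, tag, value):
    """Build one RDN: SET { SEQUENCE { OID, string } }."""
    attr = encode_tlv(0x06, bytes.fromhex(oid_hex)) + encode_tlv(tag, value)
    return encode_tlv(0x31, encode_tlv(0x30, attr))


# Constructed sample, not the certificate from the thread. The first RDN mirrors
# the request's asn1parse dump (nit as a plain PrintableString); the second
# mirrors the issued certificate (cedula as a T61String wrapping ^S^A1).
SAMPLE_NAME = encode_tlv(0x30,
    make_rdn("2b06010401a466010302", 0x13, b"800123456") +
    make_rdn("2b06010401a466010301", 0x14, b"\x13\x011"))

if __name__ == "__main__":
    for oid, outer, raw, nested in audit_name(SAMPLE_NAME):
        status = "double-encoded: %s %r" % nested if nested else "ok"
        print("%-24s %-16s %-16r %s" % (oid, outer, raw, status))
```

A value is flagged only when its content is exactly one string TLV, so ordinary text such as "cra 23" or "800123456" does not trip the check.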

Re: Annoying Garbage characters in OIDs

Johnny Gonzalez
Hello Steve,

--- "Dr. Stephen Henson" <[hidden email]> wrote:

> On Wed, Aug 03, 2005, Johnny Gonzalez wrote:
>
> >
> >
> > I'm sending you the certificate I'm testing on my
> > machine, but I will change the extension to .txt
> so
> > there won't be any problem sending the file.
> >
>
> I get the same too.
>
> How are you entering data in these extra fields? It
> looks like whatever is
> doing it is feeding in the encoded version rather
> than its actual value. The
> result is that OpenSSL is trying to encode a
> PrintableString within a
> T61String.
>
I'm creating the request through this command. Note
that I'm using 0.9.8; I thought this could solve the
problem.

bin/openssl req -new -utf8 -config openssl.cnf -out NewReqOIDs4UTF8LatinChars.pem

I also tried it without the -utf8 option, but results
are the same.

Then the console asks me for the values:


Generating a 1024 bit RSA private key
.............................................................++++++
..........................................++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CO]:
State or Province Name (full name) [Cundinamarca]:
Locality Name (eg, city) [Bogota]:
Organization Name (eg, company) [Ubiquando]:
Organizational Unit Name (eg, section) [Internet]:
Common Name (eg, YOUR name) []:johnny gonzalez
Email Address []:[hidden email]
Nit []:800123456
Cedula []:79982276
Direccion []:cra 20Bis # 159A-17 apto 101

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


In all fields I leave the default values I set, I only
give new values for: Common Name, Email Address, Nit
(1st new OID) , Cedula (2nd new OID) and Direccion
(last new OID)


If I run the asn1parse command I got:
    0:d=0  hl=4 l= 581 cons: SEQUENCE
    4:d=1  hl=4 l= 430 cons: SEQUENCE
    8:d=2  hl=2 l=   1 prim: INTEGER           :00
   11:d=2  hl=4 l= 259 cons: SEQUENCE
   15:d=3  hl=2 l=  11 cons: SET
   17:d=4  hl=2 l=   9 cons: SEQUENCE
   19:d=5  hl=2 l=   3 prim: OBJECT            :countryName
   24:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :CO
   28:d=3  hl=2 l=  21 cons: SET
   30:d=4  hl=2 l=  19 cons: SEQUENCE
   32:d=5  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
   37:d=5  hl=2 l=  12 prim: PRINTABLESTRING   :Cundinamarca
   51:d=3  hl=2 l=  15 cons: SET
   53:d=4  hl=2 l=  13 cons: SEQUENCE
   55:d=5  hl=2 l=   3 prim: OBJECT            :localityName
   60:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :Bogota
   68:d=3  hl=2 l=  18 cons: SET
   70:d=4  hl=2 l=  16 cons: SEQUENCE
   72:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
   77:d=5  hl=2 l=   9 prim: PRINTABLESTRING   :Ubiquando
   88:d=3  hl=2 l=  17 cons: SET
   90:d=4  hl=2 l=  15 cons: SEQUENCE
   92:d=5  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
   97:d=5  hl=2 l=   8 prim: PRINTABLESTRING   :Internet
  107:d=3  hl=2 l=  24 cons: SET
  109:d=4  hl=2 l=  22 cons: SEQUENCE
  111:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  116:d=5  hl=2 l=  15 prim: PRINTABLESTRING   :johnny gonzalez
  133:d=3  hl=2 l=  47 cons: SET
  135:d=4  hl=2 l=  45 cons: SEQUENCE
  137:d=5  hl=2 l=   9 prim: OBJECT            :emailAddress
  148:d=5  hl=2 l=  32 prim: IA5STRING         :[hidden email]
  182:d=3  hl=2 l=  25 cons: SET
  184:d=4  hl=2 l=  23 cons: SEQUENCE
  186:d=5  hl=2 l=  10 prim: OBJECT            :1.3.6.1.4.1.4710.1.3.2
  198:d=5  hl=2 l=   9 prim: PRINTABLESTRING   :800123456
  209:d=3  hl=2 l=  24 cons: SET
  211:d=4  hl=2 l=  22 cons: SEQUENCE
  213:d=5  hl=2 l=  10 prim: OBJECT            :1.3.6.1.4.1.4710.1.3.1
  225:d=5  hl=2 l=   8 prim: PRINTABLESTRING   :79982276
  235:d=3  hl=2 l=  37 cons: SET
  237:d=4  hl=2 l=  35 cons: SEQUENCE
  239:d=5  hl=2 l=   3 prim: OBJECT            :streetAddress
  244:d=5  hl=2 l=  28 prim: T61STRING         :cra 20Bis # 159A-17 apto 101
  274:d=2  hl=3 l= 159 cons: SEQUENCE
  277:d=3  hl=2 l=  13 cons: SEQUENCE
  279:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
  290:d=4  hl=2 l=   0 prim: NULL
  292:d=3  hl=3 l= 141 prim: BIT STRING
  436:d=2  hl=2 l=   0 cons: cont [ 0 ]
  438:d=1  hl=2 l=  13 cons: SEQUENCE
  440:d=2  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
  451:d=2  hl=2 l=   0 prim: NULL
  453:d=1  hl=3 l= 129 prim: BIT STRING


So this seems to be ok. Then I process the requests
with OpenCA, configured to use OpenSSL-0.9.8. Could
this be a problem in OpenCA? What do you think the
problem could be in OpenCA?


Attached there is the request.

Thanks a lot,
Johnny




> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys:
> see homepage
> OpenSSL project core developer and freelance
> consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
>


               

NewReqOIDs4UTF8LatinChars.pem (1K) Download Attachment

Re: Annoying Garbage characters in OIDs

Dr. Stephen Henson
On Wed, Aug 03, 2005, Johnny Gonzalez wrote:

>
>
> So this seems to be ok. Then I process the requests
> with OpenCA, configured to use OpenSSL-0.9.8. Could
> this be a problem in OpenCA? What do you think the
> problem could be in OpenCA?
>
>

Yes that request looks OK. If the output of OpenCA is in the form of the first
certificate then it's messing up somewhere. I don't think any OpenSSL utility
can produce an output like that.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: Annoying Garbage characters in OIDs

Johnny Gonzalez
Hello Steve,

--- "Dr. Stephen Henson" <[hidden email]> wrote:

> On Wed, Aug 03, 2005, Johnny Gonzalez wrote:
>
> >
> >
> > So this seems to be ok. Then I process the
> requests
> > with OpenCA, configured to use OpenSSL-0.9.8.
> Could
> > this be a problem in OpenCA? What do you think the
> > problem could be in OpenCA?
> >
> >
>
> Yes that request looks OK. If the output of OpenCA
> is in the form of the first
> certificate then it's messing up somewhere. I don't
> think any OpenSSL utility
> can produce an output like that.

Thanks a lot for your help, I will talk with the
OpenCA team to ask for verification of the methods
that interpret the new added OIDs.

Johnny

>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys:
> see homepage
> OpenSSL project core developer and freelance
> consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
>



               