Extended Validation OIDS


Extended Validation OIDS

Tom Pfeifer
Hopefully this is a straightforward question:

Are the "jurisdictionOfIncorporation" OIDs supported in the current
version of openSSL (Linux)? The ones I'm referring to are:

1.3.6.1.4.1.311.60.2.1.1 jurisdictionOfIncorporationLocalityName
1.3.6.1.4.1.311.60.2.1.2 jurisdictionOfIncorporationStateOrProvinceName
1.3.6.1.4.1.311.60.2.1.3 jurisdictionOfIncorporationCountryName

...which are required for Extended Validation (EV) certificates. I'm
currently using openSSL 1.0.1e-fips on Fedora 20, and I have these OIDs
specified in the [new_oids] section in openssl.cnf like this:

jurisdictionOfIncorporationLocalityName=1.3.6.1.4.1.311.60.2.1.1
jurisdictionOfIncorporationStateOrProvinceName=1.3.6.1.4.1.311.60.2.1.2
jurisdictionOfIncorporationCountryName=1.3.6.1.4.1.311.60.2.1.3

Also, referring to this web page (from 2010):
http://www.frank4dd.com/howto/openssl/add_oids_to_openssl.htm

...I looked in crypto/objects/objects.txt in the 1.0.1e source tree, and
they were not listed in that file with other OIDs. I also looked at the
1.0.1f source tree with the same result.

The issue I'm having is that they don't show up in the Subject line in
the certificate when specified in the -subj string, while all other OIDs
specified in the same -subj string do show up. They are just ignored,
with no error message.

I'm just trying to understand why these are required for an EV
certificate, yet they don't seem to be supported by openSSL, at least on
Linux. Any information that can help me clear this up would be appreciated.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Extended Validation OIDS

Walter H.
On 07.02.2014 21:04, Tom Pfeifer wrote:

> ...which are required for Extended Validation (EV) certificates. I'm
> currently using openSSL 1.0.1e-fips on Fedora 20, and I have these OIDs
> specified in the [new_oids] section in openssl.cnf like this:
>
> jurisdictionOfIncorporationLocalityName=1.3.6.1.4.1.311.60.2.1.1
> jurisdictionOfIncorporationStateOrProvinceName=1.3.6.1.4.1.311.60.2.1.2
> jurisdictionOfIncorporationCountryName=1.3.6.1.4.1.311.60.2.1.3
>
> Also, referring to this web page (from 2010):
> http://www.frank4dd.com/howto/openssl/add_oids_to_openssl.htm
>
> ...I looked in crypto/objects/objects.txt in the 1.0.1e source tree, and
> they were not listed in that file with other OIDs. I also looked at the
> 1.0.1f source tree with the same result.
>
> The issue I'm having is that they don't show up in the Subject line in
> the certificate when specified in the -subj string, while all other OIDs
> specified in the same -subj string do show up. They are just ignored,
> with no error message.
You have to expand the [ policy_default ] or other section of your
choice with something similar to

jurisdictionOfIncorporationLocalityName = optional
jurisdictionOfIncorporationStateOrProvinceName = optional
jurisdictionOfIncorporationCountryName = optional

Walter


Re: Extended Validation OIDS

Tom Pfeifer
On 02/07/2014 04:11 PM, Walter H. wrote:

> On 07.02.2014 21:04, Tom Pfeifer wrote:
>> ...which are required for Extended Validation (EV) certificates. I'm
>> currently using openSSL 1.0.1e-fips on Fedora 20, and I have these OIDs
>> specified in the [new_oids] section in openssl.cnf like this:
>>
>> jurisdictionOfIncorporationLocalityName=1.3.6.1.4.1.311.60.2.1.1
>> jurisdictionOfIncorporationStateOrProvinceName=1.3.6.1.4.1.311.60.2.1.2
>> jurisdictionOfIncorporationCountryName=1.3.6.1.4.1.311.60.2.1.3
>>
>> Also, referring to this web page (from 2010):
>> http://www.frank4dd.com/howto/openssl/add_oids_to_openssl.htm
>>
>> ...I looked in crypto/objects/objects.txt in the 1.0.1e source tree, and
>> they were not listed in that file with other OIDs. I also looked at the
>> 1.0.1f source tree with the same result.
>>
>> The issue I'm having is that they don't show up in the Subject line in
>> the certificate when specified in the -subj string, while all other OIDs
>> specified in the same -subj string do show up. They are just ignored,
>> with no error message.
> You have to expand the [ policy_default ] or other section of your
> choice with something similar to
>
> jurisdictionOfIncorporationLocalityName = optional
> jurisdictionOfIncorporationStateOrProvinceName = optional
> jurisdictionOfIncorporationCountryName = optional
>
> Walter
>

OK, thanks very much for that info. I'll look into that.



Re: Extended Validation OIDS

Tom Pfeifer
On 02/07/2014 04:11 PM, Walter H. wrote:

> On 07.02.2014 21:04, Tom Pfeifer wrote:
>> ...which are required for Extended Validation (EV) certificates.
>> I'm currently using openSSL 1.0.1e-fips on Fedora 20, and I have
>> these OIDs specified in the [new_oids] section in openssl.cnf like
>> this:
>>
>> jurisdictionOfIncorporationLocalityName=1.3.6.1.4.1.311.60.2.1.1
>> jurisdictionOfIncorporationStateOrProvinceName=1.3.6.1.4.1.311.60.2.1.2
>> jurisdictionOfIncorporationCountryName=1.3.6.1.4.1.311.60.2.1.3
>>
>> Also, referring to this web page (from 2010):
>> http://www.frank4dd.com/howto/openssl/add_oids_to_openssl.htm
>>
>> ...I looked in crypto/objects/objects.txt in the 1.0.1e source
>> tree, and they were not listed in that file with other OIDs. I
>> also looked at the 1.0.1f source tree with the same result.
>>
>> The issue I'm having is that they don't show up in the Subject
>> line in the certificate when specified in the -subj string, while
>> all other OIDs specified in the same -subj string do show up. They
>> are just ignored, with no error message.
> You have to expand the [ policy_default ] or other section of your
> choice with something similar to
>
> jurisdictionOfIncorporationLocalityName = optional
> jurisdictionOfIncorporationStateOrProvinceName = optional
> jurisdictionOfIncorporationCountryName = optional
>
> Walter
>

I've tried doing that with no success so far, most likely due to my lack of
understanding of how to set up policy sections in the config file (among
other things).

The basic failure I'm getting is demonstrated by the information at the
link below. It shows the 'openssl' command line, the error output from
it, and the openssl.cnf file used.

https://www.dropbox.com/s/ipjtp1fmhd1p4mz/opensslcnf.txt

The [req] and [req_issued_name] are the relevant sections for the 'req'
command line being run in this case. If I comment out the 2
"jurisdictionOfIncorporation" lines in the [req_issued_name] section,
the command runs without error, and the subject line contains all the
other fields specified in that section.

If anyone has any pointers about policy sections (or pointers to basic
docs or tutorials about them) - or anything else that's obvious from
looking at the openssl.cnf file - it would be very much appreciated.

Thanks

Re: Extended Validation OIDS

Dave Thompson-5
> From: [hidden email] On Behalf Of Tom Pfeifer
> Sent: Monday, February 10, 2014 16:53
<snip>
> I've tried doing that with no success so far, most likely due to my lack of
> understanding of how to set up policy sections in the config file (among
> other things).
>
The policy section(s) is only for issuing certs with 'ca'.
Your problem is creating the request, well before that.

> The basic failure I'm getting is demonstrated by the information at the
> link below. It shows the 'openssl' command line, the error output from
> it, and the openssl.cnf file used.
>
> https://www.dropbox.com/s/ipjtp1fmhd1p4mz/opensslcnf.txt
>
The new_oids functionality is generic for pretty much all functions that
use a config file, unlike other config items which are function-specific.
Thus the oid_section pointer must be in the 'default' section -- i.e.
at the top of the config file before the first [sectname] divider.

If you use 'ca' you do also need to fix up a policy (either a provided
one, or one you create) unless you specify preserve=yes in which case
it will use the RDNs from the request even if not in policy. If you use
'x509 -req' there is no policy and it uses the name from the request.

Small warning: 'req' and, if used, 'ca' use a config file and can get added OIDs.
If you display the resulting cert(s) with 'x509 -text' that does not use
any config file and thus must display the OIDs in numeric form.




Re: Extended Validation OIDS

Tom Pfeifer
On 02/10/2014 08:27 PM, Dave Thompson wrote:

>> From: [hidden email] On Behalf Of Tom Pfeifer
>> Sent: Monday, February 10, 2014 16:53
> <snip>
>> I've tried doing that with no success so far, most likely due to my lack of
>> understanding of how to set up policy sections in the config file (among
>> other things).
>>
> The policy section(s) is only for issuing certs with 'ca'.
> Your problem is creating the request, well before that.
>
>> The basic failure I'm getting is demonstrated by the information at the
>> link below. It shows the 'openssl' command line, the error output from
>> it, and the openssl.cnf file used.
>>
>> https://www.dropbox.com/s/ipjtp1fmhd1p4mz/opensslcnf.txt
>>
> The new_oids functionality is generic for pretty much all functions that
> use a config file, unlike other config items which are function-specific.
> Thus the oid_section pointer must be in the 'default' section -- i.e.
> at the top of the config file before the first [sectname] divider.


That was definitely a piece of information I was missing, and the error
condition disappeared when I moved it to the top of the config file.
This is the first time I have gotten it to recognize those
"jurisdictionOfIncorporation" OIDs.


>
> If you use 'ca' you do also need to fix up a policy (either a provided
> one, or one you create) unless you specify preserve=yes in which case
> it will use the RDNs from the request even if not in policy. If you use
> 'x509 -req' there is no policy and it uses the name from the request.
>
> Small warning: 'req' and, if used, 'ca' use a config file and can get added OIDs.
> If you display the resulting cert(s) with 'x509 -text' that does not use
> any config file and thus must display the OIDs in numeric form.
>

I noticed the numeric form when using 'x509 -text', and it helped to be
expecting it. The config file still needs some work, but hopefully I'm
on my way with this now. Thank you for the pointers - very much appreciated!


Re: Extended Validation OIDS

Dr. Stephen Henson
On Tue, Feb 11, 2014, Tom Pfeifer wrote:

> On 02/10/2014 08:27 PM, Dave Thompson wrote:
> >> From: [hidden email] On Behalf Of Tom Pfeifer
> >> Sent: Monday, February 10, 2014 16:53
> > <snip>
> >> I've tried doing that with no success so far, most likely due to my lack of
> >> understanding of how to set up policy sections in the config file (among
> >> other things).
> >>
> > The policy section(s) is only for issuing certs with 'ca'.
> > Your problem is creating the request, well before that.
> >
> >> The basic failure I'm getting is demonstrated by the information at the
> >> link below. It shows the 'openssl' command line, the error output from
> >> it, and the openssl.cnf file used.
> >>
> >> https://www.dropbox.com/s/ipjtp1fmhd1p4mz/opensslcnf.txt
> >>
> > The new_oids functionality is generic for pretty much all functions that
> > use a config file, unlike other config items which are function-specific.
> > Thus the oid_section pointer must be in the 'default' section -- i.e.
> > at the top of the config file before the first [sectname] divider.
>
>
> That was definitely a piece of information I was missing, and the error
> condition disappeared when I moved it to the top of the config file.
> This is the first time I have gotten it to recognize those
> "jurisdictionOfIncorporation" OIDs.
>
>
> >
> > If you use 'ca' you do also need to fix up a policy (either a provided
> > one, or one you create) unless you specify preserve=yes in which case
> > it will use the RDNs from the request even if not in policy. If you use
> > 'x509 -req' there is no policy and it uses the name from the request.
> >
> > Small warning: 'req' and, if used, 'ca' use a config file and can get added OIDs.
> > If you display the resulting cert(s) with 'x509 -text' that does not use
> > any config file and thus must display the OIDs in numeric form.
> >
>
> I noticed the numeric form when using 'x509 -text', and it helped to be
> expecting it. The config file still needs some work, but hopefully I'm
> on my way with this now. Thank you for the pointers - very much appreciated!
>

Note that there are two ways to add OIDs. One is the version that works with
the openssl utility but is lacking in some cases (e.g. x509) and the second is
through the configuration module mechanism.

This is described in the config(1) manual page and is more general. It should
also work for the x509 utility if you add the OIDs to the default
configuration file or set the OPENSSL_CONF environment variable to point to
it.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
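As an added example that is not part of the thread, a small Python check for the two configuration mistakes diagnosed above: an oid_section that is not in the default section (Dave's point) and DN attributes that neither OpenSSL nor the new_oids section can name (the silently dropped subject fields). It accepts both working layouts, oid_section at the top of the file and the config(1) module route via openssl_conf that Steve describes; the sample configs are constructed and the built-in name table is a subset, not the full objects.txt list.

```python
import re

# Attribute names OpenSSL knows with no config (constructed subset, not the full table).
BUILTIN = {"C", "ST", "L", "O", "OU", "CN", "emailAddress", "serialNumber",
           "businessCategory", "countryName", "organizationName", "commonName"}

def parse_cnf(text):
    """Return {section: {key: value}}; '' is the default (top) section."""
    sections, cur = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        hdr = re.match(r"^\[\s*(\S+)\s*\]$", line)
        if hdr:
            cur = hdr.group(1)
            sections.setdefault(cur, {})
        elif "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            sections[cur][k] = v
    return sections

def lint(text):
    """Return problem strings; an empty list means 'req' will see the OIDs."""
    cfg, problems = parse_cnf(text), []
    top = cfg[""]
    # Both working layouts from the thread are accepted: oid_section in the default
    # section (read by 'req'), or openssl_conf -> init section -> oid_section.
    init = cfg.get(top["openssl_conf"], {}) if "openssl_conf" in top else {}
    oid_sect = top.get("oid_section") or init.get("oid_section")
    new_oids = cfg.get(oid_sect, {}) if oid_sect else {}
    if oid_sect is None:
        for name, body in cfg.items():
            if name and "oid_section" in body:
                problems.append(f"oid_section sits in [{name}]: 'req' only "
                                "reads it from the default section")
    dn_name = cfg.get("req", {}).get("distinguished_name")
    for attr in (cfg.get(dn_name, {}) if dn_name else {}):
        if re.sub(r"^\d+\.", "", attr) not in BUILTIN | set(new_oids):
            problems.append(f"{attr} is unknown to OpenSSL: 'req' skips or rejects it")
    return problems

# Constructed configs: Tom's broken layout and the two working ones.
TAIL = """[ new_oids ]
jurisdictionOfIncorporationLocalityName = 1.3.6.1.4.1.311.60.2.1.1
jurisdictionOfIncorporationStateOrProvinceName = 1.3.6.1.4.1.311.60.2.1.2
jurisdictionOfIncorporationCountryName = 1.3.6.1.4.1.311.60.2.1.3
[ req_issued_name ]
C = US
CN = www.example.com
jurisdictionOfIncorporationCountryName = US
"""
REQ = "[ req ]\ndistinguished_name = req_issued_name\nprompt = no\n"
BROKEN_CNF = REQ + "oid_section = new_oids\n" + TAIL    # inside [req]
FIXED_CNF = "oid_section = new_oids\n" + REQ + TAIL     # default section
MODULE_CNF = ("openssl_conf = openssl_init\n[ openssl_init ]\n"
              "oid_section = new_oids\n" + REQ + TAIL)
```

Run `lint()` over a real openssl.cnf before generating the request; with the broken layout it reports both the misplaced oid_section and the unresolvable jurisdictionOfIncorporationCountryName attribute, and with either working layout it returns an empty list.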

Re: Extended Validation OIDS

Tom Pfeifer
On 02/11/2014 10:55 AM, Dr. Stephen Henson wrote:

> On Tue, Feb 11, 2014, Tom Pfeifer wrote:
>
>> On 02/10/2014 08:27 PM, Dave Thompson wrote:
>>>> From: [hidden email] On Behalf Of Tom Pfeifer
>>>> Sent: Monday, February 10, 2014 16:53
>>> <snip>
>>>> I've tried doing that with no success so far, most likely due to
>>>> my lack of understanding of how to set up policy sections in
>>>> the config file (among other things).
>>>>
>>> The policy section(s) is only for issuing certs with 'ca'. Your
>>> problem is creating the request, well before that.
>>>
>>>> The basic failure I'm getting is demonstrated by the
>>>> information at the link below. It shows the 'openssl' command
>>>> line, the error output from it, and the openssl.cnf file used.
>>>>
>>>> https://www.dropbox.com/s/ipjtp1fmhd1p4mz/opensslcnf.txt
>>>>
>>> The new_oids functionality is generic for pretty much all
>>> functions that use a config file, unlike other config items
>>> which are function-specific. Thus the oid_section pointer must be
>>> in the 'default' section -- i.e. at the top of the config file
>>> before the first [sectname] divider.
>>
>>
>> That was definitely a piece of information I was missing, and the
>> error condition disappeared when I moved it to the top of the
>> config file. This is the first time I have gotten it to recognize
>> those "jurisdictionOfIncorporation" OIDs.
>>
>>
>>>
>>> If you use 'ca' you do also need to fix up a policy (either a
>>> provided one, or one you create) unless you specify preserve=yes
>>> in which case it will use the RDNs from the request even if not
>>> in policy. If you use 'x509 -req' there is no policy and it uses
>>> the name from the request.
>>>
>>> Small warning: 'req' and, if used, 'ca' use a config file and can get
>>> added OIDs. If you display the resulting cert(s) with 'x509
>>> -text' that does not use any config file and thus must display
>>> the OIDs in numeric form.
>>>
>>
>> I noticed the numeric form when using 'x509 -text', and it helped
>> to be expecting it. The config file still needs some work, but
>> hopefully I'm on my way with this now. Thank you for the pointers
>> - very much appreciated!
>>
>
> Note that there are two ways to add OIDs. One is the version that
> works with the openssl utility but is lacking in some cases (e.g.
> x509) and the second is through the configuration module mechanism.
>
> This is described in the config(1) manual page and is more general.
> It should also work for the x509 utility if you add the OIDs to the
> default configuration file or set the OPENSSL_CONF environment
> variable to point to it.
>
> Steve. -- Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org


I did look into that, tried it, and it did work. It required just a few
simple changes (as that man page spells out pretty clearly), and now
those "jurisdiction" OIDs are displayed in text format (rather than
numeric) when using 'x509 -text'.

Thank you very much for the help!
