Re: [ruby/openssl] instead of looking of NIDs and then using X509V3_EXT_nconf_nid, (#141)

Previous Topic Next Topic
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

Re: [ruby/openssl] instead of looking of NIDs and then using X509V3_EXT_nconf_nid, (#141)

Michael Richardson

Thank you so much for the reply.

I will comment in the issue as requested, but I'll do so in email so that I
can CC the openssl-users list.

Kazuki Yamaguchi <[hidden email]> wrote:
    > The ruby-core mailing list or this GitHub issue tracker is the right
    > place for questions about ruby-openssl.

    mcr> Of concern is that when I look at the resulting certificate:

    mcr> dooku-[fountain/spec/certs](2.3.0) mcr 10006 %openssl x509 -noout -text
    mcr> -in 12-00-00-66-4D-02.crt Certificate: ...  X509v3 Subject Alternative
    mcr> Name: othername: ..

    mcr> Looking at a hexdump I see "0x0c" and "0x17" prior to the http, but
    mcr> maybe it's a length or something.... I wondered if there was garbage or
    mcr> a UTF-8 BOM or something inserted..  so, I pointed asn1parse at the
    mcr> result, and I see:

ky> NIDs can be added at run time with OpenSSL::ASN1::ObjectId.register
ky> (which calls OBJ_create()), but yes, this should be fixed.

I did not find a way to call OBJ_create() from ruby.  Is there one?
Many OpenSSL FAQs suggest you need to hack objects.h and recompile, which is
clearly a PITA if you are trying to live above distribute ruby binaries, so I
was looking for another way.

ky> For whatever reason, OpenSSL::X509::ExtensionFactory#create_ext has
ky> accepted long names which aren't handled by the non-generic extensions
ky> path of X509V3_EXT_nconf(). For compatibility I guess it will be like
ky> this...

Ah, that's why it uses that way.
I'll add that code to my tree, and update the pull request.

Are there regression tests which cover that?
I was hoping travis would tell me about such failures that I didn't know
about :-)

ky> It's working as expected. The ASN.1 type definition of Extension is:

ky>                 -- contains the DER encoding of an ASN.1 value

ky> The leading "\x0c\x17" is the BER tag and the length of the UTF8String
ky> encapsulated in the 'extnValue'.

okay, so "openssl x509 -text" is failing to decode that then.

#  @value="">


]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     [hidden email]        |   ruby on rails    [

openssl-users mailing list
To unsubscribe:

signature.asc (497 bytes) Download Attachment