openssl config; full form of multi-valued field

openssl config; full form of multi-valued field

A.B.COKO/\OB
Dear ladies/gentlemen,

I'd like to clear up the situation with the feature described in the manual
http://openssl.org/docs/apps/x509v3_config.htm (quoted below).

I even tried that very example from the manual, with 2 different versions
of OpenSSL (0.9.7 Linux, 1.0.0 Windows) -- in both cases this example
does not work. But the feature is highly valuable! (for LDAP URIs,
you know).
So, any hint, please. (I can "work around" the problem with the raw
format of fields, but it's not a nice solution).

Alexey Sokolov, Yaroslavl Univ., Russia

The error message when the example block is included:

Error Loading extension section v3_ca
3680:error:22075075:X509 V3 routines:v2i_GENERAL_NAME_ex:unsupported
option:.\crypto\x509v3\v3_alt.c:557:name=subjectAltName
3680:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:.\crypto\x509v3\v3_conf.c:93:name=subjectAltName,value=@subject_alt_section


> NOTES
> If an extension is multi-value and a field value must contain a comma
> the long form must be used otherwise the comma would be misinterpreted as a field separator.
> For example:
>  subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar
> will produce an error but the equivalent form:
>  subjectAltName=@subject_alt_section
>  [subject_alt_section]
>  subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar


---
        Alexey V. Sokolov,
Mailto: [hidden email]
Callto: (4852) 248203 (ext.16)
PGPkey: http://univ.uniyar.ac.ru/~abc/abc@...

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: openssl config; full form of multi-valued field

Victor Duchovni
On Sat, May 14, 2011 at 12:55:44PM +0400, A.B.COKO/\OB wrote:

> > For example:
> >  subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar
> > will produce an error but the equivalent form:
> >  subjectAltName=@subject_alt_section
> >  [subject_alt_section]
> >  subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar

This is not the right syntax, for example with DNS names:

    subjectAltName          = @alt_names

    [ alt_names ]
    DNS.1 = a.example.com
    DNS.2 = b.example.com
    DNS.3 = c.example.com

So your [ alt_section ] needs to be a list of

        <type>.<instance_number> = value

lines. Where <type> is a valid subject altname type, and <instance_number>
is an integer counter that starts at (and increments by) 1 for each type.

--
        Viktor.
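An added example (not code from the thread or from the OpenSSL documentation) that exercises the long form Viktor describes end to end: it writes a config whose alt-name section has one <type>.<n> = value line per entry, issues a throw-away self-signed certificate from it, and prints the decoded subjectAltName so the LDAP URI can be seen arriving with its commas intact. The DNS names and IP address are constructed placeholders; somehost.com and the DN are taken from the manual excerpt quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: long-form subjectAltName with one
# <type>.<n> = value line per entry, so a URI containing commas survives.
# a.example.com, b.example.com and 192.0.2.10 are constructed samples.
set -eu

# Write an openssl.cnf whose SAN section uses the sectioned form rather
# than a single comma-separated list.
write_san_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_san
prompt             = no

[ dn ]
CN = san-example

[ v3_san ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = a.example.com
DNS.2 = b.example.com
IP.1  = 192.0.2.10
# The commas here belong to the value: the whole line is one config
# value, so nothing splits it into fields.
URI.1 = ldap://somehost.com/CN=foo,OU=bar
EOF
}

# Issue a throw-away self-signed certificate from the config and print
# the decoded SAN line, so the result is checked rather than assumed.
san_of_selfsigned() {
    dir=$(mktemp -d)
    write_san_config "$dir/san.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj /CN=san-example -config "$dir/san.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl x509 -in "$dir/cert.pem" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
    rm -rf "$dir"
}

if command -v openssl >/dev/null 2>&1; then
    san_of_selfsigned
else
    echo "openssl not on PATH; config can be written but not exercised" >&2
fi
```

Run it with sh; the last line printed is the SAN as OpenSSL re-parses it from the certificate, which is the check to rely on before shipping a config that merely loads without error.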

Re[2]: openssl config; full form of multi-valued field

A.B.COKO/\OB
Viktor, thanks a lot for the syntax: that manual really IS misleading!
Well, now I can configure good (for Microsoft) CRL distribution points:
  crlDistributionPoints = ca_cdp
  [ ca_cdp ]
   fullname = @ca_cdp_uries
   reasons  = keyCompromise
  [ ca_cdp_uries ]
   URI.1 = ldap:///CN=CA,CN=IssuerW2k8,CN=CDP,CN=Public%20Key%20Services,CN=Services,....etc
   URI.2 = http://issuerw2k8.wud.lan/CertEnroll/ROOTCA.crl

(2) *** But: ***
how shall I cope with Authority Info Access?
The manual says:  authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html
I need an LDAP URI with commas inside. And OpenSSL refuses both of my assumptions:
 (a)  authorityInfoAccess = some_section
 (b)  authorityInfoAccess = caIssuers;@some_other_section

If only there were a way to escape the comma symbol in string values where sequences are expected!
So please, more hints..

Alexey




Re: openssl config; full form of multi-valued field

Alexandre Aufrere-2
I'd try it this way:
authorityInfoAccess = @aias

[aias]
caIssuers;URI.1=http://pervaya.ssilka/..
caIssuers;URI.2=http://vtoraya.ssilka/..

but this is just my guess... might be wrong.

Alexandre


On 16/05/2011 11:52, A.B.COKO/\OB wrote:

> Viktor, thank you a lot for the syntax: really that manual IS misleading!
> Well, now I can configure good (for Microsoft) CRL distribution points:
>   crlDistributionPoints = ca_cdp
>   [ ca_cdp ]
>    fullname = @ca_cdp_uries
>    reasons  = keyCompromise
>   [ ca_cdp_uries ]
>    URI.1 = ldap:///CN=CA,CN=IssuerW2k8,CN=CDP,CN=Public%20Key%20Services,CN=Services,....etc
>    URI.2 = http://issuerw2k8.wud.lan/CertEnroll/ROOTCA.crl
>
> (2) *** But: ***
> how shall I cope with Authority Info Access?
> Manual says:  authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html
> I need ldap URI with commas inside. And OpenSSL refuses my both assumptions:
>  (a)  authorityInfoAccess = some_section
>  (b)  authorityInfoAccess = caIssuers;@some_other_section
>
> If there were a way to escape comma symbol in string values where sequences expected!
> So please, more hints..
>
> Alexey
>
>
>

--
Alexandre Aufrere - OpenTrust


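An added example (not code from the thread) that puts the two answers together: the sectioned crlDistributionPoints with fullname = @section from Alexey's message, and the accessMethod;<type>.<n> form Alexandre proposes for authorityInfoAccess, which is the form OpenSSL accepts: the text before the ';' names the access method and the remainder is parsed as an ordinary GeneralName line, so the .n suffix works there too. All host names, directory names and URLs are constructed placeholders. The script issues a self-signed certificate and prints the decoded extensions, which is the check to run before trusting a config that merely looks right.

```shell
#!/bin/sh
# Added example, not code from the thread: CRL Distribution Points and
# Authority Information Access in the long (sectioned) form, so LDAP URIs
# containing commas are kept whole. Every name and URL is a placeholder.
set -eu

write_cdp_aia_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_cdp_aia
prompt             = no

[ dn ]
CN = cdp-aia-example

[ v3_cdp_aia ]
# A bare section name (no '@') selects a DistributionPoint section;
# inside it, 'fullname' takes an '@section' of GeneralName lines.
crlDistributionPoints = cdp_ms
# AIA takes '@section' directly; each line is accessMethod;<type>.<n>.
authorityInfoAccess   = @aia

[ cdp_ms ]
fullname = @cdp_uris
reasons  = keyCompromise

[ cdp_uris ]
URI.1 = ldap:///CN=Example%20CA,CN=CDP,CN=Public%20Key%20Services,CN=Services,DC=example,DC=test?certificateRevocationList?base
URI.2 = http://pki.example.test/CertEnroll/ExampleCA.crl

[ aia ]
caIssuers;URI.1 = ldap:///CN=Example%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,DC=example,DC=test?cACertificate?base
caIssuers;URI.2 = http://pki.example.test/CertEnroll/ExampleCA.crt
OCSP;URI.1      = http://ocsp.example.test/
EOF
}

# Issue a throw-away self-signed certificate from the config and print the
# decoded extension block, from the CDP extension down to the signature.
show_cdp_aia() {
    dir=$(mktemp -d)
    write_cdp_aia_config "$dir/ext.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj /CN=cdp-aia-example -config "$dir/ext.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl x509 -in "$dir/cert.pem" -noout -text \
        | awk '/CRL Distribution Points/ {p=1} /Signature Algorithm/ {p=0} p'
    rm -rf "$dir"
}

if command -v openssl >/dev/null 2>&1; then
    show_cdp_aia
else
    echo "openssl not on PATH; config can be written but not exercised" >&2
fi
```

The printout should show "Full Name:" followed by both URIs and "Reasons: Key Compromise" under the CDP extension, and "CA Issuers - URI:..." and "OCSP - URI:..." lines under Authority Information Access; a URI that was split at a comma would show up here as a truncated entry.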

Re[2]: openssl config; full form of multi-valued field

A.B.COKO/\OB

Alexandre, you've got it!!!

Monday, May 16, 2011, 3:07:54 PM, you wrote:
AA> I'd try that way:
AA> authorityInfoAccess = @aias
AA> [aias]
AA> caIssuers;URI.1=http://pervaya.ssilka/..
AA> caIssuers;URI.2=http://vtoraya.ssilka/..

(3) **** So maybe you know how to deal with extensions unknown (to OpenSSL)?
For example:
  MS revocation lists have 1.3.6.1.4.1.311.21.14 - CRL_SELF_CDP
Its structure is much the same as crlDistributionPoints (I even
inserted raw format data, successfully).
    0:d=0  hl=3 l= 180 cons: SEQUENCE
    3:d=1  hl=3 l= 177 cons: SEQUENCE          
    6:d=2  hl=3 l= 174 cons: cont [ 0 ]        
    9:d=3  hl=3 l= 171 cons: cont [ 0 ]        
   12:d=4  hl=3 l= 168 prim: cont [ 6 ]        

I tried:
  1.3.6.1.4.1.311.21.14 = ASN1:SEQUENCE:crl_self
  [ crl_self ]
  URI.1 = UTF8:ldap:///CN=CA,CN=IssuerW2k8,CN=CDP,CN=Public....
  URI.2 = UTF8:http://issuerw2k8.wud.lan/CertEnroll/RootCA.crl
or
  1.3.6.1.4.1.311.21.14 = ASN1:SEQUENCE:crl_self
  [ crl_self ]
   fullname = SEQUENCE:crl_self_2
  [ crl_self_2 ]
   URI.1 = UTF8:ldap:///CN=CA,CN=IssuerW2k8,CN=CDP,........
   URI.2 = UTF8:http://issuerw2k8.wud.lan/CertEnroll/RootCA.crl

The inner content differs, and the software does not recognize such an object.

Your general advice: can one construct an object for openssl.conf
just by looking at its DER (or parsed) content, such as the above?

Thanks in advance, Alex



   

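An added example (not from the thread) for the last question: yes, a value can be rebuilt for openssl.cnf from the dump alone with the ASN1: generation syntax (the arbitrary-extension form of x509v3_config, the same syntax asn1parse -genconf uses), provided every tag in the dump is reproduced. Reading the dump: SEQUENCE containing SEQUENCE, then a constructed [0], then a constructed [0], then a primitive [6] is the shape of a CRLDistributionPoints value, where distributionPoint is [0] EXPLICIT (it wraps a CHOICE), fullName is [0] IMPLICIT (so the SEQUENCE tag of GeneralNames is replaced, which is why no inner SEQUENCE appears), and a uniformResourceIdentifier GeneralName is [6] IMPLICIT IA5String. The attempts quoted above emit untagged UTF8String elements, which is why the consumer rejects them. The OID is the one from the message; the URIs are constructed placeholders; the dump holds a single URI and the example adds a second to exercise the SEQUENCE OF. That this is the encoding the consuming software expects is an inference from the dump and from the standard CRLDistributionPoints syntax, not something the thread confirms.

```shell
#!/bin/sh
# Added example, not from the thread: rebuilding the tag structure from an
# asn1parse dump with OpenSSL's ASN1: generation syntax. Tags follow the
# CRLDistributionPoints definition: distributionPoint [0] EXPLICIT,
# fullName [0] IMPLICIT GeneralNames, uniformResourceIdentifier [6]
# IMPLICIT IA5String. URIs are placeholders; the OID is from the message.
set -eu

write_ms_cdp_config() {
    cat > "$1" <<'EOF'
# Top-level value, used by 'openssl asn1parse -genconf' to build and dump
# the DER without issuing a certificate.
asn1 = SEQUENCE:dp_list

# The same sections hang off an arbitrary extension in a cert config
# (select with -extensions v3_ms or x509_extensions = v3_ms).
[ v3_ms ]
1.3.6.1.4.1.311.21.14 = ASN1:SEQUENCE:dp_list

[ dp_list ]
dp.1 = SEQUENCE:dp

[ dp ]
# [0] EXPLICIT around the CHOICE, then [0] IMPLICIT replacing the SEQUENCE
# tag of GeneralNames. EXPLICIT has to be written before IMPLICIT.
distributionPoint = EXPLICIT:0,IMPLICIT:0,SEQUENCE:uris

[ uris ]
# A URI GeneralName is [6] IMPLICIT IA5String, not a bare UTF8String.
# Everything after the type's colon is the value, commas included.
uri.1 = IMPLICIT:6,IA5STRING:ldap:///CN=Example%20CA,CN=CDP,CN=Public%20Key%20Services,CN=Services,DC=example,DC=test?certificateRevocationList?base
uri.2 = IMPLICIT:6,IA5STRING:http://pki.example.test/CertEnroll/ExampleCA.crl
EOF
}

# Build the DER from the config and print asn1parse's view of it, so it
# can be compared tag for tag with the dump taken from the real object.
dump_ms_cdp() {
    dir=$(mktemp -d)
    write_ms_cdp_config "$dir/mscdp.cnf"
    openssl asn1parse -genconf "$dir/mscdp.cnf"
    rm -rf "$dir"
}

if command -v openssl >/dev/null 2>&1; then
    dump_ms_cdp
else
    echo "openssl not on PATH; config can be written but not exercised" >&2
fi
```

With openssl on PATH the output reads cons: SEQUENCE, cons: SEQUENCE, cons: cont [ 0 ], cons: cont [ 0 ], then one prim: cont [ 6 ] per URI, the same nesting as the dump at depths 0 through 4; only the lengths differ. The general method is the one used here: write down the depth and tag of every line of the dump, map each context tag to EXPLICIT or IMPLICIT from the ASN.1 module (EXPLICIT only where the tagged type is a CHOICE or the module says so), and pick the primitive types from the universal tags the dump shows.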