On Fri, Aug 30, 2002, Howard Chu wrote:

> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Howard Chu
> 
> > The output from testca is still a little dodgy, there are a few certificate
> > fields that are printed in ASCII that need to be translated to EBCDIC for
> > appearance's sake. But that's simple to fix; if you're interested I'll
> > submit patches for that later.
> 
> X509v3 extensions weren't handling EBCDIC correctly. Trying to set a
> subjectAltName resulted in the EBCDIC strings going into the cert, instead of
> ASCII. Here are the fixes for crypto/x509v3. Also, the ca app needs a small
> patch to translate DN components from ASCII to EBCDIC when confirming their
> values.
> 

> --- v3_alt.c  2002/08/31 03:27:11     1.1
> +++ v3_alt.c  2002/08/31 03:31:54
> @@ -99,6 +99,15 @@
>       return ret;
>  }
>  
> +#ifdef CHARSET_EBCDIC
> +static const char _unsup[] = {0x3c,0x75,0x6e,0x73,0x75,0x70,0x70,0x6f,
> +     0x72,0x74,0x65,0x64,0x3e,0 };
> +static const char _inval[] = {0x3c,0x69,0x6e,0x76,0x61,0x6c,0x69,0x64,0x3e,0};
> +#else
> +static const char _unsup[] = "<unsupported>";
> +static const char _inval[] = "<invalid>";
> +#endif
> +
>  STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method,
>                               GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret)
>  {
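
Review bot: the two CHARSET_EBCDIC arrays at the top of this hunk are bare hex with no comment saying they are the ASCII encodings of "<unsupported>" and "<invalid>". A one-line comment on each (or on the #ifdef) would let a reader check them against the #else strings without decoding the bytes by hand.
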
> @@ -107,15 +116,15 @@
>       switch (gen->type)
>       {
>               case GEN_OTHERNAME:
> -             X509V3_add_value("othername","<unsupported>", &ret);
> +             X509V3_add_value("othername",_unsup, &ret);
>               break;
>  
>               case GEN_X400:
> -             X509V3_add_value("X400Name","<unsupported>", &ret);
> +             X509V3_add_value("X400Name",_unsup, &ret);
>               break;
>  
>               case GEN_EDIPARTY:
> -             X509V3_add_value("EdiPartyName","<unsupported>", &ret);
> +             X509V3_add_value("EdiPartyName",_unsup, &ret);
>               break;
>  
>               case GEN_EMAIL:
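
Review bot: in the three changed X509V3_add_value() calls the name argument ("othername", "X400Name", "EdiPartyName") is still a native string literal while the value is now _unsup, which under CHARSET_EBCDIC is ASCII bytes, so on an EBCDIC build each entry carries its name and its value in different character sets. A comment at the first call stating which character set conf->name and conf->value are meant to hold would make that explicit, since a later strcmp() of the value against a native literal will not match on such a build.
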
> @@ -132,6 +141,9 @@
>  
>               case GEN_DIRNAME:
>               X509_NAME_oneline(gen->d.dirn, oline, 256);
> +#ifdef CHARSET_EBCDIC
> +             ebcdic2ascii(oline, oline, strlen(oline));
> +#endif
>               X509V3_add_value("DirName",oline, &ret);
>               break;
>  
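
Review bot: the added ebcdic2ascii(oline, oline, strlen(oline)) in the GEN_DIRNAME case converts in place and relies on X509_NAME_oneline() having left a NUL-terminated native-charset string in oline, but the return value of that call is not checked before strlen(oline) runs. Checking the return and skipping the conversion on failure, plus a short comment that the in-place conversion is intended, would cover it.
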
> @@ -139,15 +151,21 @@
>               p = gen->d.ip->data;
>               /* BUG: doesn't support IPV6 */
>               if(gen->d.ip->length != 4) {
> -                     X509V3_add_value("IP Address","<invalid>", &ret);
> +                     X509V3_add_value("IP Address",_inval, &ret);
>                       break;
>               }
>               sprintf(oline, "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
> +#ifdef CHARSET_EBCDIC
> +             ebcdic2ascii(oline, oline, strlen(oline));
> +#endif
>               X509V3_add_value("IP Address",oline, &ret);
>               break;
>  
>               case GEN_RID:
>               i2t_ASN1_OBJECT(oline, 256, gen->d.rid);
> +#ifdef CHARSET_EBCDIC
> +             ebcdic2ascii(oline, oline, strlen(oline));
> +#endif
>               X509V3_add_value("Registered ID",oline, &ret);
>               break;
>       }
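
Review bot: the same three-line #ifdef CHARSET_EBCDIC / ebcdic2ascii(oline, oline, strlen(oline)) / #endif block is pasted after both the sprintf() in the IP Address case and i2t_ASN1_OBJECT() in GEN_RID (and once more for DirName), which makes it easy to miss at the next call site that fills oline. A single helper or macro that is a no-op on ASCII builds, called just before X509V3_add_value(), would keep the conversion in one place.
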
> @@ -383,6 +401,9 @@
>  }
>  
>  if(is_string) {
> +#ifdef CHARSET_EBCDIC
> +     ebcdic2ascii(value, value, strlen(value));
> +#endif
>       if(!(gen->d.ia5 = M_ASN1_IA5STRING_new()) ||
>                     !ASN1_STRING_set(gen->d.ia5, (unsigned char*)value,
>                                      strlen(value))) {
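
Review bot: ebcdic2ascii(value, value, strlen(value)) in the is_string branch rewrites the caller's value buffer in place before ASN1_STRING_set() copies it, so on an EBCDIC build the string that was passed in is left as ASCII after this code runs, and any later use of it (an error message, a second pass over the same config value) sees converted bytes. Converting the copy instead, that is calling ASN1_STRING_set() first and then converting gen->d.ia5->data, would leave the input untouched.
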
> --- v3_utl.c  2002/08/31 03:27:11     1.1
> +++ v3_utl.c  2002/08/31 03:28:06
> @@ -111,6 +111,14 @@
>       OPENSSL_free(conf);
>  }
>  
> +#ifdef CHARSET_EBCDIC
> +static const char _true[] = {0x54, 0x52, 0x55, 0x45, 0x00 };
> +static const char _false[] = {0x46, 0x41, 0x4c, 0x53, 0x45, 0x00};
> +#else
> +static const char _true[] = "TRUE";
> +static const char _false[] = "FALSE";
> +#endif
> +
>  int X509V3_add_value_bool(const char *name, int asn1_bool,
>                                               STACK_OF(CONF_VALUE) **extlist)
>  {
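
Review bot: _true and _false are file-scope identifiers beginning with an underscore, which C reserves for the implementation, and they read like boolean constants rather than strings; names such as true_str and false_str would avoid both problems (the same applies to _unsup and _inval in v3_alt.c). The hex arrays also need a comment saying they are ASCII "TRUE" and "FALSE".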

Now I look at this, I'm not sure this is being handled the right way.
I don't have access to an EBCDIC box so this analysis may not be
100% accurate...

The current stuff (I think) has conf->name EBCDIC but conf->value ASCII
(where it works, that is).

The reason for the problem is that there are calls to:

X509V3_add_value(name, value, sk);

but there are two cases. If the call is something like:

X509V3_add_value("some_field_name",cert->foo, sk);

where cert->foo is some value from a certificate we end
up with conf->name using the native character set but
conf->value using whatever is in the certificate which
will be ASCII.

If however we do:

X509V3_add_value("some_field_name", "<unsupported>", sk);

both conf->name and conf->value have the native character set.

This isn't a problem if the native character set is ASCII, but
if it isn't the two cases will differ such as if the native
is EBCDIC.

So I'd suggest that we decide what values should go in 
conf->name and conf->value. It might be advisable for both
to always use the native character set, then if you do:

if (strcmp(conf->value, "some_field_value") == 0)

it will always work.

Also I'd suggest a new function, X509V3_add_value_native()
(or whatever) which does any conversion inside and this is
always called where it might be needed. Then in the call
to X509V3_add_value_native() we can either just call
X509V3_add_value (on ASCII machines) or do the conversion
(on EBCDIC).

Steve.
--
Dr. Stephen Henson      [EMAIL PROTECTED]            
OpenSSL Project         http://www.openssl.org/~steve/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
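
The wrapper idea from the reply above, as an added example that is not from the thread or from OpenSSL: it simulates an EBCDIC host on an ASCII machine so the mismatch between the two call styles is visible. The names add_value, add_value_native, a2e and struct conf_value, the partial cp037 table and the two NATIVE_* byte strings are assumptions constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed "native" literals for a simulated EBCDIC (cp037) host. */
#define NATIVE_INVALID "\x4c\x89\x95\xa5\x81\x93\x89\x84\x6e" /* <invalid> */
#define NATIVE_IP      "\xf1\xf0\x4b\xf0\x4b\xf0\x4b\xf1"     /* 10.0.0.1  */
struct conf_value { const char *name; char value[64]; };

/* Partial ASCII -> cp037 map (assumption: lowercase, digits, . < > only). */
static unsigned char a2e(unsigned char c) {
    if (c >= 'a' && c <= 'i') return (unsigned char)(0x81 + (c - 'a'));
    if (c >= 'j' && c <= 'r') return (unsigned char)(0x91 + (c - 'j'));
    if (c >= 's' && c <= 'z') return (unsigned char)(0xa2 + (c - 's'));
    if (c >= '0' && c <= '9') return (unsigned char)(0xf0 + (c - '0'));
    if (c == '.') return 0x4b;
    if (c == '<') return 0x4c;
    if (c == '>') return 0x6e;
    return 0x6f;                      /* cp037 '?' for anything unmapped */
}

/* Stand-in for X509V3_add_value(): stores the bytes exactly as given. */
static void add_value(struct conf_value *cv, const char *name, const char *v) {
    cv->name = name;
    snprintf(cv->value, sizeof cv->value, "%s", v);
}

/* Hypothetical wrapper: converts ASCII input in a local copy, then stores. */
static void add_value_native(struct conf_value *cv, const char *name,
                             const char *ascii) {
    char tmp[sizeof cv->value];
    size_t i, n = strlen(ascii);
    if (n >= sizeof tmp) n = sizeof tmp - 1;      /* truncate, keep the NUL */
    for (i = 0; i < n; i++) tmp[i] = (char)a2e((unsigned char)ascii[i]);
    tmp[n] = '\0';
    add_value(cv, name, tmp);
}

/* 1 if the stored value equals a native-charset literal, else 0. */
static int value_is(const struct conf_value *cv, const char *native) {
    return strcmp(cv->value, native) == 0;
}

int main(void) {
    struct conf_value raw, conv;
    add_value(&raw, "IP Address", "10.0.0.1");          /* ASCII cert bytes */
    add_value_native(&conv, "IP Address", "10.0.0.1");  /* converted once */
    printf("raw=%d conv=%d\n", value_is(&raw, NATIVE_IP), value_is(&conv, NATIVE_IP));
    return 0;
}
```

The raw entry fails the comparison against the native literal while the converted one matches, and the caller's input string is never modified because the conversion happens in a local copy.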
