I,
some time ago I wrote this patch to ca.c.
This adds a new option "-pkixDN".
When used, this option strips the email address from the DN.
Also, you need to modify openssl.cnf so that the email address is copied
into the SubjectAltName ("subjectAltName=email:copy").




"Dr. Donal O'Mahony" wrote:
> Also - How do I get it to stop concatenating the E-mail address onto the end
> of the CommonName Attribute
> 

--
FERDINANDO RICCHIUTI
Research & Development

CSP s.c. a r.l. 
____________________________________________
Villa Gualino
Viale Settimo Severo, 63 - 10133 Torino [IT]

e-mail           [EMAIL PROTECTED]
mob                       +39 (0)348 6023959
tel                       +39  (0)11 3165401
____________________________________________
*** ca.c.old    Fri Jun 30 19:21:49 2000
--- ca.c        Sun Sep  3 17:18:53 2000
***************
*** 167,172 ****
--- 167,173 ----
  " -revoke file    - Revoke a certificate (given in file)\n",
  " -extensions ..  - Extension section (override value in config file)\n",
  " -crlexts ..     - CRL extension section (override value in config file)\n",
+ " -pkixDN         - Make a PKIX compliant DN (without the EMail attribute)\n",
  NULL
  };
  
***************
*** 207,217 ****
--- 208,220 ----
        X509_REQ *req, char *ext_sect, LHASH *conf);
  static int do_revoke(X509 *x509, TXT_DB *db);
  static int check_time_format(char *str);
+ static void do_pkixDN(X509_NAME *DN);
  static LHASH *conf=NULL;
  static char *section=NULL;
  
  static int preserve=0;
  static int msie_hack=0;
+ static int pkixDN=0;
  
  int MAIN(int, char **);
  
***************
*** 415,420 ****
--- 418,425 ----
                        if (--argc < 1) goto bad;
                        crl_ext= *(++argv);
                        }
+               else if (strcmp(*argv,"-pkixDN") == 0)
+                       pkixDN=1;
                else
                        {
  bad:
***************
*** 1477,1483 ****
             char *startdate, char *enddate, int days, int batch, int verbose,
             X509_REQ *req, char *ext_sect, LHASH *lconf)
        {
!       X509_NAME *name=NULL,*CAname=NULL,*subject=NULL;
        ASN1_UTCTIME *tm,*tmptm;
        ASN1_STRING *str,*str2;
        ASN1_OBJECT *obj;
--- 1482,1488 ----
             char *startdate, char *enddate, int days, int batch, int verbose,
             X509_REQ *req, char *ext_sect, LHASH *lconf)
        {
!       X509_NAME *name=NULL,*CAname=NULL,*subject=NULL,*pkix_subject=NULL;
        ASN1_UTCTIME *tm,*tmptm;
        ASN1_STRING *str,*str2;
        ASN1_OBJECT *obj;
***************
*** 1696,1702 ****
        if (verbose)
                BIO_printf(bio_err,"The subject name appears to be ok, checking data 
base for clashes\n");
  
!       row[DB_name]=X509_NAME_oneline(subject,NULL,0);
        row[DB_serial]=BN_bn2hex(serial);
        if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
                {
--- 1701,1712 ----
        if (verbose)
                BIO_printf(bio_err,"The subject name appears to be ok, checking data 
base for clashes\n");
  
!       pkix_subject=X509_NAME_dup(subject);
!       if (pkix_subject == NULL) goto err;
! 
!       if (pkixDN) do_pkixDN(pkix_subject); 
! 
!       row[DB_name]=X509_NAME_oneline(pkix_subject,NULL,0);
        row[DB_serial]=BN_bn2hex(serial);
        if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
                {
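Review bot: The clash check is now keyed on the stripped name at `row[DB_name]=X509_NAME_oneline(pkix_subject,NULL,0);`, so with -pkixDN two requests whose subjects differ only in emailAddress are rejected as duplicates, and the index.txt record no longer shows which email a certificate was issued for. That is consistent with a PKIX-style unique subject, but it changes what the database lookup means and the help text does not say so; a comment above the dup such as `/* With -pkixDN the DB is keyed and the cert is issued on the DN minus emailAddress; the email only survives via subjectAltName=email:copy */` would make the trade-off explicit. The enclosing do_body starts and ends outside this hunk.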
***************
*** 1837,1842 ****
--- 1847,1854 ----
        EVP_PKEY_free(pktmp);
  #endif
  
+       if (!X509_set_subject_name(ret,pkix_subject)) goto err;
+ 
        if (!X509_sign(ret,pkey,dgst))
                goto err;
  
***************
*** 1892,1897 ****
--- 1904,1911 ----
                X509_NAME_free(CAname);
        if (subject != NULL)
                X509_NAME_free(subject);
+       if (pkix_subject != NULL)
+               X509_NAME_free(pkix_subject);
        if (tmptm != NULL)
                ASN1_UTCTIME_free(tmptm);
        if (ok <= 0)
***************
*** 2233,2235 ****
--- 2247,2265 ----
        return(ok);
  }
  
+ static void do_pkixDN(X509_NAME *DN) 
+ {
+       int nec,i;
+       X509_NAME_ENTRY *ne;
+       ASN1_OBJECT *obj;
+ 
+       nec=X509_NAME_entry_count(DN);
+       for (i=0;i<nec;i++)
+       {
+               ne=(X509_NAME_ENTRY *)X509_NAME_get_entry(DN,i);
+               obj=X509_NAME_ENTRY_get_object(ne);
+               if (OBJ_obj2nid(obj)==NID_pkcs9_emailAddress)
+                       X509_NAME_delete_entry(DN,i);
+       }
+ 
+ }
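Review bot: `do_pkixDN` deletes entry `i` while walking forward with a count fixed before the loop, so the entry that slides into slot `i` is never examined (a second emailAddress directly after the first survives) and the final iterations pass an index past the shrunken count to `X509_NAME_get_entry`, which only avoids a crash because the OpenSSL accessors tolerate NULL. The `X509_NAME_ENTRY` returned by `X509_NAME_delete_entry` is also discarded instead of being released with `X509_NAME_ENTRY_free`, leaking one entry per stripped attribute. Looking the attribute up by NID and deleting until none remains avoids both problems:
```c
static void do_pkixDN(X509_NAME *DN)
{
	int loc;

	/* Remove every emailAddress RDN; re-look-up the index after each
	 * deletion because deleting shifts the remaining entries down. */
	while ((loc = X509_NAME_get_index_by_NID(DN, NID_pkcs9_emailAddress, -1)) >= 0)
		X509_NAME_ENTRY_free(X509_NAME_delete_entry(DN, loc));
}
```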
