new oid in subject alt name

2002-04-17 Thread CAMUS Sylvie FTRD/DTL/ISS
Hi,
I want to add a new OID in the subject altname and I can't do it.
I have looked at the sources (v3_alt.c) and I have seen the function which returns an error:
--
GENERAL_NAME *v2i_GENERAL_NAME(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
                               CONF_VALUE *cnf)
{
    char is_string = 0;
    int type;
    GENERAL_NAME *gen = NULL;
    char *name, *value;

    name = cnf->name;
    value = cnf->value;
    if (!value) {
        X509V3err(X509V3_F_V2I_GENERAL_NAME, X509V3_R_MISSING_VALUE);
        return NULL;
    }
    if (!(gen = GENERAL_NAME_new())) {
        X509V3err(X509V3_F_V2I_GENERAL_NAME, ERR_R_MALLOC_FAILURE);
        return NULL;
    }
    /* Dispatch on the config name: only these five GeneralName types are
     * recognised; any other name falls through to UNSUPPORTED_OPTION. */
    if (!name_cmp(name, "email")) {
        is_string = 1;
        type = GEN_EMAIL;
    } else if (!name_cmp(name, "URI")) {
        is_string = 1;
        type = GEN_URI;
    } else if (!name_cmp(name, "DNS")) {
        is_string = 1;
        type = GEN_DNS;
    } else if (!name_cmp(name, "RID")) {
        /* registeredID: the value is a dotted OID, parsed into an ASN1_OBJECT */
        ASN1_OBJECT *obj;
        if (!(obj = OBJ_txt2obj(value, 0))) {
            X509V3err(X509V3_F_V2I_GENERAL_NAME, X509V3_R_BAD_OBJECT);
            ERR_add_error_data(2, "value=", value);
            goto err;
        }
        gen->d.rid = obj;
        type = GEN_RID;
    } else if (!name_cmp(name, "IP")) {
        /* iPAddress: dotted-quad IPv4 only, each octet range-checked */
        int i1, i2, i3, i4;
        unsigned char ip[4];
        if ((sscanf(value, "%d.%d.%d.%d", &i1, &i2, &i3, &i4) != 4) ||
            (i1 < 0) || (i1 > 255) || (i2 < 0) || (i2 > 255) ||
            (i3 < 0) || (i3 > 255) || (i4 < 0) || (i4 > 255)) {
            X509V3err(X509V3_F_V2I_GENERAL_NAME, X509V3_R_BAD_IP_ADDRESS);
            ERR_add_error_data(2, "value=", value);
            goto err;
        }
        ip[0] = i1; ip[1] = i2; ip[2] = i3; ip[3] = i4;
        if (!(gen->d.ip = M_ASN1_OCTET_STRING_new()) ||
            !ASN1_STRING_set(gen->d.ip, ip, 4)) {
            X509V3err(X509V3_F_V2I_GENERAL_NAME, ERR_R_MALLOC_FAILURE);
            goto err;
        }
        type = GEN_IPADD;
    } else {
        X509V3err(X509V3_F_V2I_GENERAL_NAME, X509V3_R_UNSUPPORTED_OPTION);
        ERR_add_error_data(2, "name=", name);
        goto err;
    }
    /* email, URI and DNS are all carried as an IA5String */
    if (is_string) {
        if (!(gen->d.ia5 = M_ASN1_IA5STRING_new()) ||
            !ASN1_STRING_set(gen->d.ia5, (unsigned char *)value,
                             strlen(value))) {
            X509V3err(X509V3_F_V2I_GENERAL_NAME, ERR_R_MALLOC_FAILURE);
            goto err;
        }
    }
    gen->type = type;
    return gen;
err:
    GENERAL_NAME_free(gen);
    return NULL;
}
---
Now I understand why I cannot add a new OID in the subject altname.
But I don't understand these restrictions on the OIDs accepted for subject alt name (email, IP, ...). What are the reasons?

Thank you very much.
PS: I have already sent this mail to the openssl-users mailing list but I haven't received any answer.
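As an added example (my own code, not OpenSSL's and not part of the post above), the same dispatch that v2i_GENERAL_NAME performs, written as a stand-alone DER encoder: it shows which context-specific tag each of the five accepted config names maps to, applies the same value checks, and rejects any other name the way the C code does with X509V3_R_UNSUPPORTED_OPTION. The function names and the error strings are mine.

```python
# GeneralName tags (RFC 5280 4.2.1.6) behind OpenSSL's GEN_* constants.
TAGS = {"email": 1, "DNS": 2, "URI": 6, "IP": 7, "RID": 8}

def _tlv(tag, body):
    """DER tag-length-value with a definite (short or long form) length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def _encode_oid(dotted):
    """Dotted OID text -> OBJECT IDENTIFIER contents octets (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("bad object: value=" + dotted)
    out = [40 * arcs[0] + arcs[1]]          # first two arcs share one subid
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def encode_general_name(entry):
    """'name:value' config entry -> DER GeneralName, with the C code's checks."""
    name, sep, value = entry.strip().partition(":")
    name = name.split(".", 1)[0]            # name_cmp() also accepts "DNS.1"
    if not sep:
        raise ValueError("missing value")   # X509V3_R_MISSING_VALUE
    if name not in TAGS:
        raise ValueError("unsupported option: name=" + name)
    if name in ("email", "URI", "DNS"):
        body = value.encode("ascii")        # carried as an IA5String
    elif name == "RID":
        body = _encode_oid(value)           # OBJ_txt2obj() equivalent
    else:                                   # IP: four decimal octets, 0..255
        octets = value.split(".")
        if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
            raise ValueError("bad ip address: value=" + value)
        body = bytes(int(o) for o in octets)
    return _tlv(0x80 | TAGS[name], body)    # [n] IMPLICIT, primitive encoding

def encode_subject_alt_name(config_line):
    """Comma-separated subjectAltName config value -> DER GeneralNames."""
    names = [encode_general_name(e) for e in config_line.split(",")]
    return _tlv(0x30, b"".join(names))
```

Feeding `encode_subject_alt_name("DNS:example.com, RID:1.2.840.113549")` yields the exact bytes OpenSSL would put in the extension for that config line; note that a registeredID is the only way this parser lets an arbitrary OID into the SAN, and it lands as tag [8], not as an otherName.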


Re: How best to build certificates for New business naming scheme

2002-04-17 Thread David Lyon

Thanks Oscar,

Your information has been very helpful.

For us, the basics are having a system that is inexpensive and works
reliably. This could never be said for X.500 and that's why we see so few
systems based on those proposed standards in the world today.

Why we are bothering is that X.500 had many good ideas all those years ago.
We're now resurrecting those ideas and building them into an IRBM (Instant
Reliable Business Messaging) system that works.

I take my hat off to all the guys like you who are working diligently to
ensure that all the little things in OpenSSL are working properly. You're
doing a great job. Keep it up.

We on the other hand are doing something a little different that hasn't
quite been done before and we need to "break a few rules" in order to make a
system that is inexpensive whilst at the same time user friendly and
reliable.

In any case, we're having a lot of fun doing it, and our customers keep
wanting more so we have to continue.

Have a great day,

David Lyon
Product Manager
Global TradeDesk
www.globaltradedesk.com


- Original Message -
From: "Oscar Jacobsson" <[EMAIL PROTECTED]>
To: "David Lyon" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, April 16, 2002 10:53 PM
Subject: Re: How best to build certificates for New business naming scheme


> Might I then suggest brushing up on your basics before venturing
> further?
>
> file://oscar
>
> David Lyon wrote:
> >
> > > This does break the naming recommendations given in X.521 Annex B
> > > though, which don't allow for a stateOrProvinceName.
> >
> > Yes, of course. The old Annex B, we obviously forgot about that one.
>

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Small patch to 0.9.6c crypto/objects/obj_dat.c

2002-04-17 Thread Howard Chu

I just checked the CVS head and this patch should be valid there as well:

diff -u -r1.1 obj_dat.c
--- obj_dat.c   2002/04/18 04:34:17 1.1
+++ obj_dat.c   2002/04/18 04:35:10
@@ -437,8 +437,7 @@
return(0);
}

-   nid=OBJ_obj2nid(a);
-   if ((nid == NID_undef) || no_name) {
+   if (no_name || (nid=OBJ_obj2nid(a)) == NID_undef) {
len=a->length;
p=a->data;
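Review bot: with the OBJ_obj2nid(a) call folded into the condition, nid is assigned only when no_name is false, so on the no_name path it is left unset; that is harmless only if no code outside this hunk reads nid on that path, and several compilers will still warn about a possibly uninitialised variable. The same speedup is available without the assignment-in-condition: `nid = no_name ? NID_undef : OBJ_obj2nid(a);` followed by `if (nid == NID_undef) {`, which skips the lookup identically, keeps nid initialised on every path, and is easier to read.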

(Just a slight speedup when I'm munging DNs by OID...) I hope you can commit
this for 0.9.6d/0.9.7 without too much trouble.  :)

  -- Howard Chu
  Chief Architect, Symas Corp.   Director, Highland Sun
  http://www.symas.com   http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
