serialNumber with openssl ca

2002-03-15 Thread Michael Bell

Hi,

I wrote the same mail to openssl-users too but nobody answered. So I
am writing again and attaching the diffs.

I used "openssl ca -subj ...".

If I used serialNumber in the DN then OpenSSL reports the following:

The Subject's Distinguished Name is as follows
serialNumber          :PRINTABLE:'02'
commonName            :PRINTABLE:'ra.hu-berlin.de'
organizationalUnitName:PRINTABLE:'Trustcenter'
organizationName      :PRINTABLE:'Humboldt-Universitaet zu Berlin'
countryName           :PRINTABLE:'DE'
Certificate is to be certified until Mar  7 14:38:38 2003 GMT (365 days)

Now you can see the output of openssl x509 -text:

Subject: SN=02, CN=ra.hu-berlin.de, OU=Trustcenter,
O=Humboldt-Universitaet zu Berlin, C=DE

There are three files which use definitions which do not conform
to the standards:

crypto/objects/objects.h
crypto/objects/obj_dat.h
crypto/objects/obj_mac.h

They use SN_surname and SN_serialNumber (SN == Short Name?).

SN_serialNumber "SN"
SN_surname  "S"

This does not conform to the definitions in the LDAP-schemes. Can you fix
this or change the output in another way to match the LDAP-schemes? If
it is too big a change, is it possible to introduce some new #defines
which conform to the standard so that the output of -text is a
usable DN? I attached the fixes for the header files.

From OpenLDAP 2.0.x

attributetype ( 2.5.4.4 NAME ( 'sn' 'surname' ) SUP name )
attributetype ( 2.5.4.5 NAME 'serialNumber' EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )

So serialNumber has no short name but a long name is better than a DN
which conflicts with a standard (or the functions must use LN_*).

Cheers, Michael
-- 
---
Michael Bell   Email (private): [EMAIL PROTECTED]
Rechenzentrum - Datacenter Email:  [EMAIL PROTECTED]
Humboldt-University of Berlin  Tel.: +49 (0)30-2093 2482
Unter den Linden 6 Fax:  +49 (0)30-2093 2959
10099 Berlin
Germany   http://www.openca.org

746c746
< {"S","surname",NID_surname,3,&(lvalues[538]),0},
---
> {"SN","surname",NID_surname,3,&(lvalues[538]),0},
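
Review bot: "SN" in the 746c746 hunk is the same token that the table currently assigns to serialNumber (see the 753c753 hunk below), so this line hands an existing short name to a different attribute. Any stored subject string or -subj argument written as SN=... against the old table will resolve to surname afterwards without an error, and S=... will stop resolving at all. Please call this out in CHANGES and consider whether the old "S" spelling should still be accepted on input for a transition period.
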
753c753
< {"SN","serialNumber",NID_serialNumber,3,&(lvalues[555]),0},
---
> {"serialNumber","serialNumber",NID_serialNumber,3,&(lvalues[555]),0},
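
Review bot: the 753c753 entry is edited by hand, and a short-name index sorted on the first field would no longer be in order once "SN" becomes "serialNumber" here. The later replies in this thread refer to objects.txt as the place the change was made; please make the change there and regenerate the headers so the table and any sorted lookup built from it stay consistent. The new short name is also identical to the long name in the second field, so say in the commit message that this is deliberate because the LDAP schema defines no short form for 2.5.4.5.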


1827c1827
< #define SN_surname"S"
---
> #define SN_surname"SN"
1832c1832
< #define SN_serialNumber   "SN"
---
> #define SN_serialNumber   "serialNumber"
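
Review bot: the 1827c1827 and 1832c1832 hunks carry no file header, so the patch does not say which of objects.h, obj_dat.h and obj_mac.h they apply to; the line numbers (1827/1832 here, 545/570 in the next block) are the only hint. Please resend as a unified diff (diff -u) made from the top of the source tree so that file names and context lines are included.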


545c545
< #define SN_surname"S"
---
> #define SN_surname"SN"
570c570
< #define SN_serialNumber   "SN"
---
> #define SN_serialNumber   "serialNumber"
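
Review bot: the 545c545 and 570c570 hunks repeat the two #define changes of the previous block verbatim, which means SN_surname and SN_serialNumber are defined in two headers that have to be edited in lock step. Keep one definition and have the other header include it, otherwise the next change to either name can leave the two files disagreeing.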



Re: serialNumber with openssl ca

2002-03-18 Thread Harald Koch

> This does not conform to the definitions in the LDAP-schemes.

Hey! I just found the same problem from the opposite direction; "surname"
is being mapped to "s=" instead of "sn="...

Fun, wow.

-- 
Harald Koch <[EMAIL PROTECTED]>

"It takes a child to raze a village."
-Michael T. Fry
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
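
The mismatch discussed in the two messages above, as an added example (not code from the thread or from OpenSSL): it takes a subject line printed with the unpatched short names, reports every attribute that an LDAP consumer would resolve to a different OID, and re-renders the line with LDAP names. The tables hold only the names quoted in the thread plus four common X.520 types, and all function names are hypothetical.

```python
import re

# Attribute type OIDs (X.520); 2.5.4.4 and 2.5.4.5 are the two the thread is about.
SURNAME, SERIAL = "2.5.4.4", "2.5.4.5"
COMMON = {"CN": "2.5.4.3", "C": "2.5.4.6", "O": "2.5.4.10", "OU": "2.5.4.11"}

# Short names as quoted in the thread for the unpatched headers (case-sensitive).
LEGACY_OPENSSL = {**COMMON, "SN": SERIAL, "S": SURNAME}
# Names from the OpenLDAP schema lines quoted in the thread (case-insensitive).
LDAP = {k.lower(): v for k, v in {**COMMON, "sn": SURNAME, "surname": SURNAME,
                                   "serialNumber": SERIAL}.items()}
# Name to print for each OID when rendering for an LDAP consumer.
LDAP_NAME = {**{v: k for k, v in COMMON.items()}, SURNAME: "SN", SERIAL: "serialNumber"}


def parse_subject(subject):
    """Split 'A=x, B=y' into (type, value) pairs; an escaped comma stays in the value."""
    pairs = []
    for rdn in re.split(r"(?<!\\),\s*", subject.strip()):
        name, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"not an attribute=value pair: {rdn!r}")
        pairs.append((name.strip(), value))
    return pairs


def misread_attributes(subject):
    """Attributes whose OID differs (or is unknown on one side) between the two tables."""
    findings = []
    for name, value in parse_subject(subject):
        meant = LEGACY_OPENSSL.get(name)      # what the issuing tool meant
        read_as = LDAP.get(name.lower())      # what an LDAP consumer understands
        if meant != read_as:
            findings.append((name, value, meant, read_as))
    return findings


def to_ldap_names(subject):
    """Re-render a subject line printed with the legacy short names using LDAP names."""
    out = []
    for name, value in parse_subject(subject):
        oid = LEGACY_OPENSSL.get(name)
        if oid is None:
            raise ValueError(f"unknown legacy short name: {name!r}")
        out.append(f"{LDAP_NAME[oid]}={value}")
    return ", ".join(out)


# Subject line from the thread, joined onto one line.
SUBJECT = "SN=02, CN=ra.hu-berlin.de, OU=Trustcenter, O=Humboldt-Universitaet zu Berlin, C=DE"
```

Comparing by OID rather than by printed short name is what keeps the check independent of which table produced the string.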



Re: serialNumber with openssl ca

2002-03-18 Thread Michael Bell

Harald Koch wrote:
> 
> > This does not conform to the definitions in the LDAP-schemes.
> 
> Hey! I just found the same problem from the opposite direction; "surname"
> is being mapped to "s=" instead of "sn="...

The patches fix both problems, surname and serialNumber.

Cheers, Michael
-- 
---
Michael Bell   Email (private): [EMAIL PROTECTED]
Rechenzentrum - Datacenter Email:  [EMAIL PROTECTED]
Humboldt-University of Berlin  Tel.: +49 (0)30-2093 2482
Unter den Linden 6 Fax:  +49 (0)30-2093 2959
10099 Berlin
Germany   http://www.openca.org



Re: serialNumber with openssl ca

2002-03-26 Thread Lutz Jaenicke

On Fri, Mar 15, 2002 at 03:19:33PM +0100, Michael Bell wrote:
> I used "openssl ca -subj ...".
> 
> If I used serialNumber in the DN then OpenSSL reports the following:
> 
> The Subject's Distinguished Name is as follows
> serialNumber          :PRINTABLE:'02'
> commonName            :PRINTABLE:'ra.hu-berlin.de'
> organizationalUnitName:PRINTABLE:'Trustcenter'
> organizationName      :PRINTABLE:'Humboldt-Universitaet zu Berlin'
> countryName           :PRINTABLE:'DE'
> Certificate is to be certified until Mar  7 14:38:38 2003 GMT (365 days)
> 
> Now you can see the output of openssl x509 -text:
> 
> Subject: SN=02, CN=ra.hu-berlin.de, OU=Trustcenter,
> O=Humboldt-Universitaet zu Berlin, C=DE
> 
> There are three files which use definitions which do not conform
> to the standards:
> 
> crypto/objects/objects.h
> crypto/objects/obj_dat.h
> crypto/objects/obj_mac.h
> 
> They use SN_surname and SN_serialNumber (SN == Short Name?).
> 
> SN_serialNumber "SN"
> SN_surname  "S"

I have just checked in a corresponding patch. Please note that objects.h
is no longer used (well, the file is still available, but the actual
information is #ifdef'ed out and obj_mac.h is included).
Please test out the next snapshot.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus



Re: serialNumber with openssl ca

2002-03-26 Thread Harald Koch

> 
> I have just checked in a corresponding patch. Please note that objects.h
> is no longer used (well, the file is still available, but the actual
> information is #ifdef'ed out and obj_mac.h is included).
> Please test out the next snapshot.

I made the objects.txt patch to my source tree about a week ago, and it
has been working fine over here. I'll try to update to a recent snapshot
soon and test that out...

-- 
Harald Koch <[EMAIL PROTECTED]>

"It takes a child to raze a village."
-Michael T. Fry