Re: strangeness in `x509 -noout -text` output
Lutz Jaenicke wrote:
> On Mon, Apr 29, 2002 at 10:33:10AM +0200, Michael Bell wrote:
> > The only problem for the future is the support of this flag in all the
> > other tools (especially ca and req have problems with their option -subj).
>
> Robert Joop sent a patch last week (not applied, yet). Does it solve the
> problems you mention?

The problem which I mean is more general. The parser of the value which is
passed to openssl -subj is not really clever. So my comment was only a notice
for the future. It is not relevant for 0.9.7.

Another problem (which I found yesterday evening) concerns req and crl. Both
tools don't have the option -nameopt but they display an issuer (crl) or a DN
(req). Perhaps the new functions (to display the DN in various formats) are
not usable for them because they are x509-functions.

Michael

--
Michael Bell                        Email (private): [EMAIL PROTECTED]
Rechenzentrum - Datacenter          Email: [EMAIL PROTECTED]
Humboldt-University of Berlin       Tel.: +49 (0)30-2093 2482
Unter den Linden 6                  Fax:  +49 (0)30-2093 2959
10099 Berlin, Germany               http://www.openca.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
Re: strangeness in `x509 -noout -text` output
Lutz Jaenicke wrote:
> On Sun, Apr 28, 2002 at 08:07:43PM +0100, Dr S N Henson wrote:
> > However a new FAQ entry might be in order or possibly changing the
> > default display options so that the old behaviour is no longer the
> > default and adding a -nameopt old option is explicitly needed instead.
>
> -nameopt compat shall retain compatibility. Hmm, make oneline the new
> default? Or rather leave it as is and just add it to the FAQ.
>
> Robert Joop and Michael Bell, active in discussing DN issues, are with
> the OpenCA project. It should be possible for them to catch the problem
> by using an appropriate command line flag when calling openssl x509.

I think the FAQ entry is enough. If you set a new default then you can
surprise many small scripts and their users. The flag -nameopt is a good
solution. The only problem for the future is the support of this flag in all
the other tools (especially ca and req have problems with their option -subj).

I found a small problem with -nameopt RFC2253: The X509v3 Authority Key
Identifier doesn't use -nameopt for DirName. Is this DN stored as a string?

Michael

--
Michael Bell                        Email (private): [EMAIL PROTECTED]
Rechenzentrum - Datacenter          Email: [EMAIL PROTECTED]
Humboldt-University of Berlin       Tel.: +49 (0)30-2093 2482
Unter den Linden 6                  Fax:  +49 (0)30-2093 2959
10099 Berlin, Germany               http://www.openca.org
Re: strangeness in `x509 -noout -text` output
On Fri, Apr 26, 2002 at 12:38:05PM +0200, Robert Joop wrote:
> `x509 -noout -text` prints inconsistent output.
>
> ... openssl x509 -noout -text -in old.pem | grep Issuer:
> Issuer: [EMAIL PROTECTED], CN=CA UCO, O=Universidad de Cordoba, C=ES
> ... openssl x509 -noout -text -in new.pem | grep Issuer:
> Issuer: C=ES, O=Universidad de Cordoba, CN=AC [EMAIL PROTECTED]
>
> see the / that magically appears, instead of a , ?
> I found the place that does this magic and commented it out:
>
> ... openssl x509 -noout -text -in old.pem | grep Issuer:
> Issuer: [EMAIL PROTECTED], CN=CA UCO, O=Universidad de Cordoba, C=ES
> ... openssl x509 -noout -text -in new.pem | grep Issuer:
> Issuer: C=ES, O=Universidad de Cordoba, CN=AC UCO, [EMAIL PROTECTED]
>
> it does it because the type emailAddress starts lower case!

Your analysis is technically correct. If the object name is starting with
an uppercase letter, the / is replaced with the ", ", otherwise it is
not.

However: the section you are essentially removing (by commenting out)
may be there for a reason. I have not used this functionality myself,
so I don't know why this distinction is made. Therefore I am reluctant
to touch it. Steve, could you kindly have a look into this?

--- orig/openssl-SNAP-20020423/crypto/asn1/t_x509.c Wed Feb 13 20:00:30 2002 +++ openssl-SNAP-20020423/crypto/asn1/t_x509.cFri Apr 26 11:50:13 2002 @@ -460,12 +461,12 @@ for (;;) { #ifndef CHARSET_EBCDIC - if (((*s == '/') + if (((*s == '/') /* ((s[1] = 'A') (s[1] = 'Z') ( (s[2] == '=') || ((s[2] = 'A') (s[2] = 'Z') (s[3] == '=')) - ))) || + ))*/) || (*s == '\0')) #else if (((*s == '/')

Best regards,
	Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
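Review bot: disabling the uppercase-type test in this quoted hunk changes the behaviour of X509_NAME_print itself, not just the `x509 -text` display, so every application that formats or compares DNs through that function would see a different string after the change; the hunk also only touches the `#ifndef CHARSET_EBCDIC` branch and leaves the `#else` branch with the original test, so the two builds would print the same DN differently. If the goal is readable separators, select the format at the call site (the `-nameopt` / X509_NAME_print_ex route) instead of altering the legacy function.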
Re: strangeness in `x509 -noout -text` output
In message [EMAIL PROTECTED] on Sun, 28 Apr 2002 19:59:33 +0200, Lutz Jaenicke [EMAIL PROTECTED] said:

Lutz.Jaenicke> On Fri, Apr 26, 2002 at 12:38:05PM +0200, Robert Joop wrote:
Lutz.Jaenicke> > `x509 -noout -text` prints inconsistent output.
Lutz.Jaenicke> >
Lutz.Jaenicke> > ... openssl x509 -noout -text -in old.pem | grep Issuer:
Lutz.Jaenicke> > Issuer: [EMAIL PROTECTED], CN=CA UCO, O=Universidad de Cordoba, C=ES
Lutz.Jaenicke> > ... openssl x509 -noout -text -in new.pem | grep Issuer:
Lutz.Jaenicke> > Issuer: C=ES, O=Universidad de Cordoba, CN=AC [EMAIL PROTECTED]
Lutz.Jaenicke> >
Lutz.Jaenicke> > see the / that magically appears, instead of a , ?
Lutz.Jaenicke> > I found the place that does this magic and commented it out:
Lutz.Jaenicke> >
Lutz.Jaenicke> > ... openssl x509 -noout -text -in old.pem | grep Issuer:
Lutz.Jaenicke> > Issuer: [EMAIL PROTECTED], CN=CA UCO, O=Universidad de Cordoba, C=ES
Lutz.Jaenicke> > ... openssl x509 -noout -text -in new.pem | grep Issuer:
Lutz.Jaenicke> > Issuer: C=ES, O=Universidad de Cordoba, CN=AC UCO, [EMAIL PROTECTED]
Lutz.Jaenicke> >
Lutz.Jaenicke> > it does it because the type emailAddress starts lower case!
Lutz.Jaenicke>
Lutz.Jaenicke> Your analysis is technically correct. If the object name is starting with
Lutz.Jaenicke> an uppercase letter, the / is replaced with the ", ", otherwise it is
Lutz.Jaenicke> not.

Note that with 0.9.7, 'openssl x509' comes with the new option -nameopt,
where you can choose from a number of formats. They are documented at
http://www.openssl.org/docs/apps/x509.html#NAME_OPTIONS

Lutz.Jaenicke> However: the section you are essentially removing (by commenting out)
Lutz.Jaenicke> may be there for a reason. I have not used this functionality myself,
Lutz.Jaenicke> so I don't know why this distinction is made. Therefore I am reluctant
Lutz.Jaenicke> to touch it. Steve, could you kindly have a look into this?

Yup, do not apply that patch. That'll destroy compatibility for
applications that depend on this string format.

--
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                  \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
Re: strangeness in `x509 -noout -text` output
Lutz Jaenicke wrote:
> On Fri, Apr 26, 2002 at 12:38:05PM +0200, Robert Joop wrote:
> > `x509 -noout -text` prints inconsistent output.
> >
> > ... openssl x509 -noout -text -in old.pem | grep Issuer:
> > Issuer: [EMAIL PROTECTED], CN=CA UCO, O=Universidad de Cordoba, C=ES
> > ... openssl x509 -noout -text -in new.pem | grep Issuer:
> > Issuer: C=ES, O=Universidad de Cordoba, CN=AC [EMAIL PROTECTED]
> >
> > see the / that magically appears, instead of a , ?
> > I found the place that does this magic and commented it out:
> >
> > ... openssl x509 -noout -text -in old.pem | grep Issuer:
> > Issuer: [EMAIL PROTECTED], CN=CA UCO, O=Universidad de Cordoba, C=ES
> > ... openssl x509 -noout -text -in new.pem | grep Issuer:
> > Issuer: C=ES, O=Universidad de Cordoba, CN=AC UCO, [EMAIL PROTECTED]
> >
> > it does it because the type emailAddress starts lower case!
>
> Your analysis is technically correct. If the object name is starting with
> an uppercase letter, the / is replaced with the ", ", otherwise it is
> not.
>
> However: the section you are essentially removing (by commenting out)
> may be there for a reason. I have not used this functionality myself,
> so I don't know why this distinction is made. Therefore I am reluctant
> to touch it. Steve, could you kindly have a look into this?

By default the code ultimately uses the old X509_NAME_print function to
display DNs. This results in the weirdness mentioned and all manner of odd
output if the DN contains things like BMPStrings. X509_NAME_print is only
retained for compatibility. Changing it might do odd things if anyone parses
or hashes its output for some reason: that isn't advisable but something
might.

If appropriate flags are passed to the X509_print_ex function then much more
sensible output is produced using the X509_NAME_print_ex function. The
-nameopt option can be used for this (see manual page): -nameopt oneline is a
good place to start.

I'd say that X509_NAME_print shouldn't be touched because new code should
call X509_NAME_print_ex(). However a new FAQ entry might be in order or
possibly changing the default display options so that the old behaviour is
no longer the default and adding a -nameopt old option is explicitly needed
instead.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED]  PGP key: via homepage.
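As an added illustration (not code from this thread or from OpenSSL), here is a small C reimplementation of the walk the legacy X509_NAME_print makes over the X509_NAME_oneline string, so the unpatched and patched behaviours Robert and Lutz describe can be compared on the same input. It assumes the operators lost from the quoted condition were `>=`, `<=` and `&&`; the sample DNs and the e-mail address are constructed.

```c
#include <stdio.h>
#include <string.h>
/* Illustrative reimplementation (not OpenSSL's code) of the walk the legacy
 * X509_NAME_print makes over the X509_NAME_oneline string "/C=ES/O=.../CN=...".
 * strict != 0: '/' becomes ", " only when a one- or two-letter uppercase type
 *   and '=' follow (the check the patch comments out; the operators lost in the
 *   mail are assumed to be >=, <= and &&).  strict == 0: split at every '/'.
 * Returns the length written to out, or -1 if out is too small. */
int legacy_dn_format(const char *in, int strict, char *out, size_t outlen)
{
    const char *s = in + (in[0] == '/');      /* skip the leading slash */
    size_t n = 0;
    for (; *s != '\0'; s++) {
        int split = *s == '/' &&
                    (!strict ||
                     ((s[1] >= 'A' && s[1] <= 'Z') &&
                      (s[2] == '=' ||
                       (s[2] >= 'A' && s[2] <= 'Z' && s[3] == '='))));
        if (n + (split ? 2 : 1) >= outlen)
            return -1;
        if (split) {                          /* separator: "/" -> ", " */
            out[n++] = ',';
            out[n++] = ' ';
        } else {
            out[n++] = *s;
        }
    }
    out[n] = '\0';
    return (int)n;
}
/* Does formatting `in` yield exactly `expected`? */
int legacy_dn_matches(const char *in, int strict, const char *expected)
{
    char buf[256];
    return legacy_dn_format(in, strict, buf, sizeof buf) >= 0 &&
           strcmp(buf, expected) == 0;
}
int main(void)
{
    /* Constructed sample DNs (placeholder address); the second has a '/' in a value. */
    const char *dns[] = { "/C=ES/O=Universidad de Cordoba/CN=AC UCO/emailAddress=ca@example.org",
                          "/O=Foo/Bar Ltd/CN=x" };
    char buf[256];
    for (int i = 0; i < 2; i++)
        for (int strict = 1; strict >= 0; strict--) {
            legacy_dn_format(dns[i], strict, buf, sizeof buf);
            printf("%s: %s\n", strict ? "unpatched" : "patched  ", buf);
        }
    return 0;
}
```

The unpatched walk leaves `/emailAddress=` joined to the CN exactly as in Robert's second `Issuer:` line, while the patched walk also splits the `/` inside the value `Foo/Bar Ltd`, which is the kind of output change Steve and Richard warn about.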
Re: strangeness in `x509 -noout -text` output
On Sun, Apr 28, 2002 at 08:07:43PM +0100, Dr S N Henson wrote:
> By default the code ultimately uses the old X509_NAME_print function to
> display DNs. This results in the weirdness mentioned and all manner of odd
> output if the DN contains things like BMPStrings. X509_NAME_print is only
> retained for compatibility. Changing it might do odd things if anyone
> parses or hashes its output for some reason: that isn't advisable but
> something might.
>
> If appropriate flags are passed to the X509_print_ex function then much
> more sensible output is produced using the X509_NAME_print_ex function.
> The -nameopt option can be used for this (see manual page): -nameopt
> oneline is a good place to start.
>
> I'd say that X509_NAME_print shouldn't be touched because new code should
> call X509_NAME_print_ex(). However a new FAQ entry might be in order or
> possibly changing the default display options so that the old behaviour
> is no longer the default and adding a -nameopt old option is explicitly
> needed instead.

-nameopt compat shall retain compatibility. Hmm, make oneline the new
default? Or rather leave it as is and just add it to the FAQ.

Robert Joop and Michael Bell, active in discussing DN issues, are with the
OpenCA project. It should be possible for them to catch the problem by using
an appropriate command line flag when calling openssl x509.

With 0.9.7 we have traded compatibility in some cases. Applications linking
against OpenSSL can always check OPENSSL_VERSION. This is far more difficult
for applications externally calling OpenSSL's command line tools...

Best regards,
	Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
strangeness in `x509 -noout -text` output
`x509 -noout -text` prints inconsistent output.

... openssl x509 -noout -text -in old.pem | grep Issuer:
Issuer: [EMAIL PROTECTED], CN=CA UCO, O=Universidad de Cordoba, C=ES
... openssl x509 -noout -text -in new.pem | grep Issuer:
Issuer: C=ES, O=Universidad de Cordoba, CN=AC [EMAIL PROTECTED]

see the / that magically appears, instead of a , ?
I found the place that does this magic and commented it out:

... openssl x509 -noout -text -in old.pem | grep Issuer:
Issuer: [EMAIL PROTECTED], CN=CA UCO, O=Universidad de Cordoba, C=ES
... openssl x509 -noout -text -in new.pem | grep Issuer:
Issuer: C=ES, O=Universidad de Cordoba, CN=AC UCO, [EMAIL PROTECTED]

it does it because the type emailAddress starts lower case!

rj

--- orig/openssl-SNAP-20020423/crypto/asn1/t_x509.c Wed Feb 13 20:00:30 2002 +++ openssl-SNAP-20020423/crypto/asn1/t_x509.c Fri Apr 26 11:50:13 2002 @@ -460,12 +461,12 @@ for (;;) { #ifndef CHARSET_EBCDIC - if (((*s == '/') + if (((*s == '/') /* ((s[1] = 'A') (s[1] = 'Z') ( (s[2] == '=') || ((s[2] = 'A') (s[2] = 'Z') (s[3] == '=')) -))) || +))*/) || (*s == '\0')) #else if (((*s == '/')
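Review bot: the hunk as posted cannot be applied: the commented-out region reads `(s[1] = 'A') (s[1] = 'Z')` with nothing between the terms, which is not the C that was removed; the `>=`, `<=` and `&&` operators (and the `&&` that must have closed the first `-`/`+` line, since `if (((*s == '/')` is followed directly by `((s[1] ...`) appear to have been stripped in transit, so the patch should be resent as an attachment before anyone tries it. On the logic, the change only covers the `#ifndef CHARSET_EBCDIC` branch; the `#else` branch that begins at the bottom of the hunk still carries the original test, so an EBCDIC build would keep the old separator rule while every other build switches to splitting at every `/`.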