RE: cmd line and subjectAltName
> From: owner-openssl-users On Behalf Of Anders Larsson
> Sent: Tuesday, December 03, 2013 17:20
>
> I'm trying to use subjectAltName when I'm generating a csr on the
> commandline.
>
> I've been trying with the "-reqexts" flag, but I'm only getting errors
> 'Openssl req -new -key debug.key -passin pass:abcd -out debug.csr -subj
> '/C=SE/ST=Stockholm/L=Stockholm/O=ABC/OU=IntSys/CN=some.dns.stuff.int/'
> -reqexts subjectAltName=DNS:xyz.host.name.cc.int'

As Ryan answered, -reqexts specifies a section of the config file, so there must be a config file.

> All it gives is a: "Error Loading request extension section
> subjectAltName=DNS:xyz.host.name.cc.int
>
> The config file is an option that seems to work, but I have not been able to mix
> config file with cmd-line parameters. As soon as I try, the openssl req seems to
> require the subject to be inside the config file :-/

Be clear if you mean subject or SAN. They are different.

Subject in req -new can be done 3 ways:
- actual values in the config file, with prompt=no in the config file
- prompts in the config file, and you answer interactively, or you pipe or redirect from somewhere, but that's very fragile
- -subj on the command line, but you must still have a section in the config file with at least one entry even though it isn't used

And as someone pointed out to me recently, with -subj you can create an EMPTY subject, which req won't do the other ways. RFC 5280 allows cert subject to be empty when SAN is used, and some (many?) people consider this preferable. That doesn't necessarily mean *CSR* subject must be empty, since a CA could discard CSR subject when issuing cert. I could even see a plausible use case for this; CA might do validation of the requestor based partly on CSR.subject.

SAN extension in req -new can only be done from config file.

> The CA used is an internal one.
>
> Is it possible, and if so, how do I format the cmd-line to make it accept x509
> extensions from the cmd-line?

Be careful of this one too. Although X.509 defines some (not all) of the extensions used in CSRs and certs, and CRLs, openssl often uses x509 to mean specifically certs. In particular for 'req', x509_extensions in the config file is used for a selfsigned cert created with -new -x509, while req_extensions is used for a CSR.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: cmd line and subjectAltName
You could use a different config file and reference it on the command line. Reqexts is used to reference a section in a config file.

Ryan Hurst
Sent from my phone, please forgive the brevity.

> On Dec 3, 2013, at 5:19 PM, Anders Larsson wrote:
>
> Hmm, somehow the e-mail got cut after the 1st line? :-(
>
> Thanks Ryan for the echo suggestion, but it will just end up in a config
> file.
> Also, since I'm running the CA internally, it will use the information.
>
> If there is a -reqexts flag, what use is it if it cannot add extensions?
> Especially since a subjectAltName is probably one of the most well used
> objects?
>
> Or should I completely avoid the cmd-line csr generation "oneliner" and
> always go for a config file?
>
> With Regards
> /Anders
>
> --original message below-
> Hello.
>
> I'm trying to use subjectAltName when I'm generating a csr on the commandline.
>
> I've been trying with the "-reqexts" flag, but I'm only getting errors
> 'Openssl req -new -key debug.key -passin pass:abcd -out debug.csr -subj
> '/C=SE/ST=Stockholm/L=Stockholm/O=ABC/OU=IntSys/CN=some.dns.stuff.int/'
> -reqexts subjectAltName=DNS:xyz.host.name.cc.int'
>
> All it gives is a: "Error Loading request extension section
> subjectAltName=DNS:xyz.host.name.cc.int
>
> The config file is an option that seems to work, but I have not been able to
> mix config file with cmd-line parameters. As soon as I try, the openssl req
> seems to require the subject to be inside the config file :-/
>
> The CA used is an internal one.
>
> Is it possible, and if so, how do I format the cmd-line to make it accept
> x509 extensions from the cmd-line?
>
> With Regards
> /Anders
Re: cmd line and subjectAltName
Well, I provided a Windows example of the same approach, but it's not purely from the command line.

Ryan Hurst
Sent from my phone, please forgive the brevity.

> On Dec 3, 2013, at 5:20 PM, Viktor Dukhovni wrote:
>
>> On Tue, Dec 03, 2013 at 12:29:09PM -0800, Ryan Hurst wrote:
>>
>> Can't be done, though most CAs don't use this information from the request.
>
> It can be done in a sense on systems with shells (e.g. bash) that
> support command-line ephemeral file-handles.
>
> $ openssl req -new -config <(
> cat <<-EOF
> [req]
> default_bits = 2048
> prompt = no
> default_md = sha1
> req_extensions = req_ext
> distinguished_name = dn
> [ dn ]
> CN = example.com
> [ req_ext ]
> subjectAltName = ...
> EOF
> ) ...
>
> --
> Viktor.
Re: cmd line and subjectAltName
On Tue, Dec 03, 2013 at 12:29:09PM -0800, Ryan Hurst wrote:

> Can't be done, though most CAs don't use this information from the request.

It can be done in a sense on systems with shells (e.g. bash) that
support command-line ephemeral file-handles.

$ openssl req -new -config <(
cat <<-EOF
[req]
default_bits = 2048
prompt = no
default_md = sha1
req_extensions = req_ext
distinguished_name = dn
[ dn ]
CN = example.com
[ req_ext ]
subjectAltName = ...
EOF
) ...

--
Viktor.
RE: cmd line and subjectAltName
Hmm, somehow the e-mail got cut after the 1st line? :-(

Thanks Ryan for the echo suggestion, but it will just end up in a config file.
Also, since I'm running the CA internally, it will use the information.

If there is a -reqexts flag, what use is it if it cannot add extensions? Especially since a subjectAltName is probably one of the most well used objects?

Or should I completely avoid the cmd-line csr generation "oneliner" and always go for a config file?

With Regards
/Anders

--original message below-
Hello.

I'm trying to use subjectAltName when I'm generating a csr on the commandline.

I've been trying with the "-reqexts" flag, but I'm only getting errors
'Openssl req -new -key debug.key -passin pass:abcd -out debug.csr -subj '/C=SE/ST=Stockholm/L=Stockholm/O=ABC/OU=IntSys/CN=some.dns.stuff.int/' -reqexts subjectAltName=DNS:xyz.host.name.cc.int'

All it gives is a: "Error Loading request extension section subjectAltName=DNS:xyz.host.name.cc.int

The config file is an option that seems to work, but I have not been able to mix config file with cmd-line parameters. As soon as I try, the openssl req seems to require the subject to be inside the config file :-/

The CA used is an internal one.

Is it possible, and if so, how do I format the cmd-line to make it accept x509 extensions from the cmd-line?

With Regards
/Anders
RE: Adding a custom extension to a CSR
> From: owner-openssl-users On Behalf Of Danyk
> Sent: Tuesday, December 03, 2013 12:35
>
> "Almost. If the actual value is not OCTET STRING, change the type created
> in the first two (or whatever) lines, and i2d'ed in the fourth line.
> And OPENSSL_free the pointer allocated here (d) after you're
> done with that memory. "
>
> I need to add an INTEGER extension and PRINTABLESTRING extension.
> I tried following your instructions, and used an example from this forum, but
> still get rubbish
>
> //1) create the integer and populate it:
>
> nid = OBJ_create(" 1.3.6.1.4.1.12345", "EndEntityType",
> "EndEntityType");
> ASN1_OBJECT* obj = OBJ_nid2obj(nid);
>
> ASN1_INTEGER * int1 = ASN1_INTEGER_new();
> ASN1_INTEGER_set(int1, 1);
>
> //2) figure out the length it would take when converted from
> internal into der/asn1 wire encoding:
>
> int n = i2d_ASN1_INTEGER(int1,NULL);

You don't *need* to precompute the length, allocate memory, and then use it. For about 10 years i2d_* will allocate for you, as you had in your 11/28 post. But if you want the harder way:

> //3) Ensure we have the needed space for that:
>
> ASN1_OCTET_STRING data1;
> data1.data = malloc(n);
> data1.length = n;

That leaves .type and .flags uninitialized, and depending on your C implementation and the rest of your code probably garbage. It appears for this particular code you don't actually need those fields, but it's very imprudent to depend on that. Either set them explicitly, or at least fill (usually memset) the whole struct to 0 before using it so you don't get 'Heisenbugs'. And in real code you should check for malloc failure (returned null) before using it.

> //4) Fill out the ASN1 string by translating it again - this time
> into the buffer.
>
> unsigned char * p =M_ASN1_STRING_data(&data1);
> i2d_ASN1_INTEGER(int1,&p);

It's confusing to set fields explicitly but use a macro to get one. You've already 'broken' the (weak) encapsulation, just use data1.data.

Alternatively, and arguably cleaner, do something like:

int len = i2d_type (value, NULL);
unsigned char * buf = malloc (len), * ptr = buf;
i2d_type (value, &ptr);
ASN1_OCTET_STRING * encoded = ASN1_OCTET_STRING_new ();
ASN1_OCTET_STRING_set (encoded, buf, len);
free (buf);
// use encoded for the extension value

or as above let i2d do allocation for you:

unsigned char *buf = NULL;
int len = i2d_type (value, &buf);
// set the OCTET_STRING as above
OPENSSL_free (buf);

> //5) add to the extension stack.
>
> sk_X509_EXTENSION_push(st_exts,
> X509_EXTENSION_create_by_OBJ(NULL,
> obj, 0, &data1));
>
> what is wrong with this?

Except as above, nothing. (Assuming of course you then put st_exts in the req, but you showed that correct before.) Code almost equivalent to this works for me, with the only significant differences that I use the config file for the new OID (so the name is available at display) and I create EXTN by_NID instead of by_OBJ. (ISTR you had that also, but I'd have to go back and search for it.)

What do you mean by "rubbish"? Post an asn1parse (or a PEM) and say what you think is wrong in it.
Re: cmd line and subjectAltName
Can't be done, though most CAs don't use this information from the request.

Can do something like this:

rem 8. CN, O, OU1, OU2, E, city and all SAN types /w SHA1 & 2048
echo [ req ]>test8.cnf
echo default_bits = 2048>>test8.cnf
echo prompt = no>>test8.cnf
echo encrypt_key = no>>test8.cnf
echo default_md = sha1>>test8.cnf
echo distinguished_name = dn>>test8.cnf
echo req_extensions = req_ext>>test8.cnf
echo [ dn ]>>test8.cnf
echo CN = test8.com>>test8.cnf
echo emailAddress = te...@test8.com>>test8.cnf
echo O = organisation>>test8.cnf
echo L = city>>test8.cnf
echo ST = state>>test8.cnf
echo C = US>>test8.cnf
echo 0.OU= unit1>>test8.cnf
echo 1.OU= unit2>>test8.cnf
echo [ req_ext ]>>test8.cnf
echo subjectAltName = DNS:test8.com, email:te...@test8.com, IP:192.168.0.1, RID:1.2.3.4.5.6, URI:/urihere>>test8.cnf
openssl req -new -config test8.cnf -keyout test8.com.key -out test8.com.csr

On Tue, Dec 3, 2013 at 2:10 AM, Anders Larsson wrote:
> Hello.
>
> I'm trying to use subjectAltName when I'm generating a csr on the
> commandline
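The route the replies above converge on, as an added example that is not from any of the posts: Anders' subject goes on the command line with -subj, and a config file written to a temp directory (the Windows batch above does the same with echo) exists only to carry the SAN section plus the unused [dn] entry Dave says req still insists on. The P-256 key and the placeholder CN are constructed here; sha256 replaces the thread's sha1.

```shell
#!/bin/sh
# Added example, not from the thread: -subj on the command line, SAN from an
# ephemeral config file, then read both back out of the CSR to confirm what
# a CA would actually see. Requires the openssl command on PATH.
set -eu

# Emit a req config whose only real payload is the subjectAltName value.
# [dn] must exist with at least one entry even though -subj overrides it.
san_req_config() {
    cat <<EOF
[ req ]
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[ dn ]
CN = placeholder
[ req_ext ]
subjectAltName = $1
EOF
}

# Build a CSR from -subj plus the ephemeral config, then print two lines:
# the subject in RFC 2253 form and the SAN the CSR actually carries.
csr_subject_and_san() {
    subj=$1; san=$2
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    san_req_config "$san" > "$work/req.cnf"
    openssl ecparam -name prime256v1 -genkey -noout -out "$work/key.pem"
    openssl req -new -key "$work/key.pem" -subj "$subj" \
        -config "$work/req.cnf" -out "$work/req.csr"
    openssl req -in "$work/req.csr" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//'
    openssl req -in "$work/req.csr" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# Usage with the names from Anders' command line (skipped if openssl is absent).
if command -v openssl >/dev/null 2>&1; then
    csr_subject_and_san \
        '/C=SE/ST=Stockholm/L=Stockholm/O=ABC/OU=IntSys/CN=some.dns.stuff.int' \
        'DNS:some.dns.stuff.int,DNS:xyz.host.name.cc.int'
fi
```

The second printed line is the value to check before sending the CSR to the CA: if it is empty, the SAN section was not picked up (wrong section name, or x509_extensions used instead of req_extensions).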
cmd line and subjectAltName
Hello.

I'm trying to use subjectAltName when I'm generating a csr on the commandline
RE: Adding a custom extension to a CSR
"Almost. If the actual value is not OCTET STRING, change the type created in the first two (or whatever) lines, and i2d'ed in the fourth line. And OPENSSL_free the pointer allocated here (d) after you're done with that memory. "

I need to add an INTEGER extension and PRINTABLESTRING extension.
I tried following your instructions, and used an example from this forum, but still get rubbish

//1) create the integer and populate it:

nid = OBJ_create(" 1.3.6.1.4.1.12345", "EndEntityType", "EndEntityType");
ASN1_OBJECT* obj = OBJ_nid2obj(nid);

ASN1_INTEGER * int1 = ASN1_INTEGER_new();
ASN1_INTEGER_set(int1, 1);

//2) figure out the length it would take when converted from internal into der/asn1 wire encoding:

int n = i2d_ASN1_INTEGER(int1,NULL);

//3) Ensure we have the needed space for that:

ASN1_OCTET_STRING data1;
data1.data = malloc(n);
data1.length = n;

//4) Fill out the ASN1 string by translating it again - this time into the buffer.

unsigned char * p =M_ASN1_STRING_data(&data1);
i2d_ASN1_INTEGER(int1,&p);

//5) add to the extension stack.

sk_X509_EXTENSION_push(st_exts, X509_EXTENSION_create_by_OBJ(NULL, obj, 0, &data1));

what is wrong with this?

--
View this message in context: http://openssl.6102.n7.nabble.com/Adding-a-custom-extension-to-a-CSR-tp47446p47537.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
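The config-file route to the same two extensions asked about here, which Dave's reply above says he uses for the OID name, as an added example that is from neither post: the INTEGER extension uses the OID from the post, the PRINTABLESTRING one uses a constructed placeholder arc under it, and asn1parse on the CSR shows the DER that ends up inside each extension's OCTET STRING. Assumes the openssl command; the CN and key are throwaway values.

```shell
#!/bin/sh
# Added example, not from the thread: private extensions declared in the req
# config (ASN1: generic syntax) instead of built by hand with i2d_*, then
# verified by decoding the CSR. The OID names are registered via oid_section.
set -eu

INT_OID=1.3.6.1.4.1.12345        # from the post: "EndEntityType"
STR_OID=1.3.6.1.4.1.12345.2      # constructed placeholder for the string extension

# oid_section must sit above any [section] so req registers the name, which is
# what lets "EndEntityType = ASN1:INTEGER:..." resolve inside [req_ext].
custom_ext_config() {
    cat <<EOF
oid_section = new_oids
[ new_oids ]
EndEntityType = $INT_OID
[ req ]
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[ dn ]
CN = example.test
[ req_ext ]
EndEntityType = ASN1:INTEGER:$1
$STR_OID = ASN1:PRINTABLESTRING:$2
EOF
}

# Build a CSR carrying both extensions and print the asn1parse lines for the
# extension OIDs and the OCTET STRINGs wrapping their DER-encoded values.
csr_custom_exts() {
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    custom_ext_config "$1" "$2" > "$work/req.cnf"
    openssl ecparam -name prime256v1 -genkey -noout -out "$work/key.pem"
    openssl req -new -config "$work/req.cnf" -key "$work/key.pem" -out "$work/req.csr"
    openssl asn1parse -in "$work/req.csr" |
        grep -E 'OBJECT *:1\.3\.6\.1\.4\.1\.12345|OCTET STRING' |
        sed 's/^.*prim: *//'
}

# Usage: INTEGER 1 (DER 02 01 01) and PrintableString "debug" (DER 13 05 64 65 62 75 67).
if command -v openssl >/dev/null 2>&1; then
    csr_custom_exts 1 debug
fi
```

Seeing 020101 and 13056465627567 as the two OCTET STRING contents is the check that the values are wrapped correctly; "rubbish" in the C version usually shows up here as a wrong tag byte or a length that does not match.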