Re: Parsing subject/issuer strings in X.509

2021-07-23 Thread Philip Prindeville
Yeah, agreed, although I'd like the parser to work with the output of "openssl 
x509 ... -subject", i.e. RFC-4514 format, which is "CN=name, O=Acme 
Corporation, C=US" ... etc.



> On Jul 23, 2021, at 12:57 AM, David von Oheimb wrote:
> 
> What I use is
> 
> X509_NAME *nname = parse_name(string, MBSTRING_ASC, 1, desc);
> 
> which is not an official API function but defined in apps/lib/apps.c:
> 
> /*
>  * name is expected to be in the format /type0=value0/type1=value1/type2=...
>  * where + can be used instead of / to form multi-valued RDNs if canmulti
>  * and characters may be escaped by \
>  */
> X509_NAME *parse_name(const char *cp, int chtype, int canmulti, const char *desc)
> 
> Would be good to have such a function as part of the X.509 API.
> 
> David
> 
> On 23.07.21 07:49, Viktor Dukhovni wrote:
>>> On 22 Jul 2021, at 9:29 pm, Philip Prindeville wrote:
>>> 
>>> I'm wondering what the function is that takes a string and returns 
>>> X509_NAME with the attribute/value pairs of the parsed DN.
>>> 
>> There is no such function in general, since there are many potential
>> string forms of X.509 names, not all of which are unambiguously
>> machine readable.
>> 
>> There are various functions for augmenting a partially built name
>> with an attribute-value pair, but the parsing of a string as a list
>> of such attribute-value pairs is up to you. :-(
>> 
>> 



Re: Parsing subject/issuer strings in X.509

2021-07-23 Thread Philip Prindeville



> On Jul 23, 2021, at 8:52 AM, Viktor Dukhovni wrote:
> 
>> On 23 Jul 2021, at 2:57 am, David von Oheimb wrote:
>> 
>> What I use is
>> 
>>     X509_NAME *nname = parse_name(string, MBSTRING_ASC, 1, desc);
>> 
>> which is not an official API function but defined in apps/lib/apps.c:
>> 
>> /*
>>  * name is expected to be in the format /type0=value0/type1=value1/type2=...
>>  * where + can be used instead of / to form multi-valued RDNs if canmulti
>>  * and characters may be escaped by \
>>  */
>> X509_NAME *parse_name(const char *cp, int chtype, int canmulti, const char *desc)
>> 
>> Would be good to have such a function as part of the X.509 API.
> 
> Note that the "/"-separated form is not the output format of the issuer or
> subject names in X509_NAME_oneline(3), x509(1), ...  So a public API for
> that format may not be a good idea.  Perhaps there could be parsers for
> the "rfc2253", "rfc2254" and "oneline" formats (or a single parser with
> flags to select the format).
> 
> -- 
>   Viktor.
> 


And "rfc4514"... yeah, that would work too.

-Philip



Re: Parsing subject/issuer strings in X.509

2021-07-23 Thread Viktor Dukhovni
> On 23 Jul 2021, at 2:57 am, David von Oheimb wrote:
> 
> What I use is
> 
> X509_NAME *nname = parse_name(string, MBSTRING_ASC, 1, desc);
> 
> which is not an official API function but defined in apps/lib/apps.c:
> 
> /*
>  * name is expected to be in the format /type0=value0/type1=value1/type2=...
>  * where + can be used instead of / to form multi-valued RDNs if canmulti
>  * and characters may be escaped by \
>  */
> X509_NAME *parse_name(const char *cp, int chtype, int canmulti, const char *desc)
> 
> Would be good to have such a function as part of the X.509 API.

Note that the "/"-separated form is not the output format of the issuer or
subject names in X509_NAME_oneline(3), x509(1), ...  So a public API for
that format may not be a good idea.  Perhaps there could be parsers for
the "rfc2253", "rfc2254" and "oneline" formats (or a single parser with
flags to select the format).

-- 
Viktor.
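As an added example (not code from this thread or from OpenSSL), a tokenizer for the RFC 4514 form that "openssl x509 ... -subject" prints, the format Philip asks for and that Viktor notes differs from the apps' "/"-separated parse_name() input. It does the part Viktor says is "up to you": splitting the string into attribute/value pairs while honouring "\" escapes and "+" multi-valued RDNs. The AVA struct and parse_rfc4514() are hypothetical names; feeding the pairs into an X509_NAME (for instance with X509_NAME_add_entry_by_txt(3), whose set argument carries the RDN grouping) is left out so the block compiles without OpenSSL.

```c
#include <string.h>
#define MAX_LEN 128
/* One attribute type/value pair; AVAs sharing an rdn index belong to the
 * same multi-valued RDN (joined by '+' in the string). */
typedef struct { char type[MAX_LEN]; char value[MAX_LEN]; int rdn; } AVA;

static int hexval(char c)                       /* -1 if c is not a hex digit */
{
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                                  /* fold A-F to a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Split an RFC 4514 DN string ("CN=name, O=Acme Corporation, C=US") into
 * AVAs: "\" escapes (single char or "\XX" hex pair), "," or ";" between
 * RDNs, "+" between AVAs of one RDN; unescaped whitespace around separators
 * is dropped and "#"-prefixed BER values are kept as literal text. Returns
 * the AVA count, or -1 on a dangling "\", missing "=", empty type or overflow. */
int parse_rfc4514(const char *s, AVA *out, int max)
{
    char buf[MAX_LEN];
    int n = 0, rdn = 0, len = 0, end = 0, in_type = 1;
    for (;; s++) {
        char c = *s; int esc = 0;
        if (c == '\\') {                        /* escaped: never a separator */
            int hi = hexval(s[1]), lo = hi < 0 ? -1 : hexval(s[2]);
            if (lo >= 0) { c = (char)(hi * 16 + lo); s += 2; }
            else if (s[1] != '\0') { c = s[1]; s++; }
            else return -1;                     /* dangling backslash */
            esc = 1;
        } else if (c == ' ' && len == 0) {
            continue;                           /* unescaped leading space */
        } else if (in_type && c == '=') {
            if (end == 0 || n >= max) return -1;  /* empty type / too many AVAs */
            memcpy(out[n].type, buf, end); out[n].type[end] = '\0';
            len = end = 0; in_type = 0; continue;
        } else if (c == ',' || c == ';' || c == '+' || c == '\0') {
            if (in_type)                        /* only an empty DN may end here */
                return (c == '\0' && n == 0 && end == 0) ? 0 : -1;
            memcpy(out[n].value, buf, end); out[n].value[end] = '\0';
            out[n].rdn = rdn; if (c == '\0') return n + 1;
            n++; if (c != '+') rdn++;           /* ',' or ';' starts a new RDN */
            len = end = 0; in_type = 1; continue;
        }
        if (len >= MAX_LEN - 1) return -1;      /* component too long for buf */
        buf[len++] = c;
        if (esc || c != ' ') end = len;         /* trailing unescaped spaces dropped */
    }
}
```

RFC 4514 lists RDNs in reverse of the ASN.1 SEQUENCE order, so the AVAs must be added to an X509_NAME from last to first to reproduce the original DER encoding.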



Dynamic CRL not working when signed by intermediate CA

2021-07-23 Thread Venkata Mallikarjunarao Kosuri via openssl-users
Hi,

Dynamic CRL is not working when signed by an intermediate CA when the ca-file (trusted CA 
certs bundle) includes only the intermediate CA that signed the CRL.

Because of this the handshake is failing; is there a way to avoid this in OpenSSL 
1.0.2s-fips  28 May 2019?

Br, Malli


Re: Parsing subject/issuer strings in X.509

2021-07-23 Thread David von Oheimb
What I use is

    X509_NAME *nname = parse_name(string, MBSTRING_ASC, 1, desc);

which is not an official API function but defined in apps/lib/apps.c:

/*
 * name is expected to be in the format /type0=value0/type1=value1/type2=...
 * where + can be used instead of / to form multi-valued RDNs if canmulti
 * and characters may be escaped by \
 */
X509_NAME *parse_name(const char *cp, int chtype, int canmulti, const char *desc)

Would be good to have such a function as part of the X.509 API.

    David

On 23.07.21 07:49, Viktor Dukhovni wrote:
>> On 22 Jul 2021, at 9:29 pm, Philip Prindeville wrote:
>>
>> I'm wondering what the function is that takes a string and returns X509_NAME 
>> with the attribute/value pairs of the parsed DN.
> There is no such function in general, since there are many potential
> string forms of X.509 names, not all of which are unambiguously
> machine readable.
>
> There are various functions for augmenting a partially built name
> with an attribute-value pair, but the parsing of a string as a list
> of such attribute-value pairs is up to you. :-(
>