Re: 1.OU or OU.1 ?
Just to close the loop: I decided better documentation is the only answer for now:
https://github.com/openssl/openssl/pull/11431

I'll copy the info below into a new issue.

On 3/21/20, 9:47 AM, "Salz, Rich via openssl-users" wrote:

Argh. Thanks for the detailed explanation.

It seems to me that if I add suffixes ".nnn" support to auto_info() then we can move xxx.field to deprecated at some point?

On 3/20/20, 10:45 PM, "Richard Levitte" wrote:

The correct answer is, it depends. This is an unfortunate evolutionary artefact, and is governed by very different pieces of code.

The config.pod example revolves around subject names and the config for 'openssl req'. The code that uses this is the function auto_info(), found in apps/req.c.

The x509v3_config.pod example revolves around X.509 v3 extensions, and the config for those is used by diverse functions in crypto/x509v3/ (1.1.1) or crypto/x509/ (master and upcoming 3.0), and ultimately, the key name comparison is done by name_cmp(), found in v3_utl.c.

So both manuals are correct. Unfortunately...

Cheers,
Richard

On Fri, 20 Mar 2020 22:12:08 +0100, Salz, Rich via openssl-users wrote:
>
> The doc/man5/config.pod file says to use
>
> 1.OU = “My first OU”
>
> 2.OU = “My second OU”
>
> But doc/man5/x509v3_config.pod says to append the numeric, as in
>
> email.1 = steve@here
>
> email.2 = steve@there
>
> I believe the second form is correct. Can anyone confirm?
>

--
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
Re: 1.OU or OU.1 ?
Argh. Thanks for the detailed explanation.

It seems to me that if I add suffixes ".nnn" support to auto_info() then we can move xxx.field to deprecated at some point?

On 3/20/20, 10:45 PM, "Richard Levitte" wrote:

The correct answer is, it depends. This is an unfortunate evolutionary artefact, and is governed by very different pieces of code.

The config.pod example revolves around subject names and the config for 'openssl req'. The code that uses this is the function auto_info(), found in apps/req.c.

The x509v3_config.pod example revolves around X.509 v3 extensions, and the config for those is used by diverse functions in crypto/x509v3/ (1.1.1) or crypto/x509/ (master and upcoming 3.0), and ultimately, the key name comparison is done by name_cmp(), found in v3_utl.c.

So both manuals are correct. Unfortunately...

Cheers,
Richard

On Fri, 20 Mar 2020 22:12:08 +0100, Salz, Rich via openssl-users wrote:
>
> The doc/man5/config.pod file says to use
>
> 1.OU = “My first OU”
>
> 2.OU = “My second OU”
>
> But doc/man5/x509v3_config.pod says to append the numeric, as in
>
> email.1 = steve@here
>
> email.2 = steve@there
>
> I believe the second form is correct. Can anyone confirm?
>

--
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
Re: 1.OU or OU.1 ?
The correct answer is, it depends. This is an unfortunate evolutionary artefact, and is governed by very different pieces of code.

The config.pod example revolves around subject names and the config for 'openssl req'. The code that uses this is the function auto_info(), found in apps/req.c.

The x509v3_config.pod example revolves around X.509 v3 extensions, and the config for those is used by diverse functions in crypto/x509v3/ (1.1.1) or crypto/x509/ (master and upcoming 3.0), and ultimately, the key name comparison is done by name_cmp(), found in v3_utl.c.

So both manuals are correct. Unfortunately...

Cheers,
Richard

On Fri, 20 Mar 2020 22:12:08 +0100, Salz, Rich via openssl-users wrote:
>
> The doc/man5/config.pod file says to use
>
> 1.OU = “My first OU”
>
> 2.OU = “My second OU”
>
> But doc/man5/x509v3_config.pod says to append the numeric, as in
>
> email.1 = steve@here
>
> email.2 = steve@there
>
> I believe the second form is correct. Can anyone confirm?
>

--
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
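
Added example (not part of any message in this thread and not code from OpenSSL): a simplified C model of why each spelling works only in its own context, following the explanation above. The helper names dn_field_name and ext_name_matches are hypothetical, and the prefix-skipping and '.'-suffix rules they encode are assumptions about how auto_info() and name_cmp() treat key names.

```c
/* Added illustration: simplified models of the two behaviours, not OpenSSL source. */
#include <stdio.h>
#include <string.h>

/* Subject-name side (assumed behaviour): text up to and including the first
 * '.', ':' or ',' is an instance prefix and is skipped; the remainder is
 * taken as the field name. */
const char *dn_field_name(const char *key)
{
    const char *p;

    for (p = key; *p != '\0'; p++) {
        if (*p == '.' || *p == ':' || *p == ',') {
            if (p[1] != '\0')
                return p + 1;   /* "1.OU" -> "OU", but "OU.1" -> "1" */
            break;
        }
    }
    return key;                 /* no usable prefix: whole key is the name */
}

/* Extension side (assumed behaviour): a key matches an option when it starts
 * with the option name and is followed by end of string or a '.' suffix. */
int ext_name_matches(const char *key, const char *option)
{
    size_t len = strlen(option);

    if (strncmp(key, option, len) != 0)
        return 0;
    return key[len] == '\0' || key[len] == '.';
}

int main(void)
{
    /* Constructed sample keys covering both spellings. */
    const char *keys[] = { "1.OU", "OU.1", "OU", "email.1", "1.email" };
    size_t i;

    for (i = 0; i < sizeof(keys) / sizeof(keys[0]); i++)
        printf("%-8s subject field: %-6s matches \"email\" option: %d\n",
               keys[i], dn_field_name(keys[i]),
               ext_name_matches(keys[i], "email"));
    return 0;
}
```

Under this model a key such as OU.1 in a subject-name section resolves to the field name "1", and a key such as 1.email in an extension section matches no option, so a certificate request built from the wrong spelling should be inspected before it is submitted for signing.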
Re: 1.OU or OU.1 ?
> On 20 Mar 2020, at 22:12, Salz, Rich via openssl-users wrote:
>
> The doc/man5/config.pod file says to use
> 1.OU = “My first OU”
> 2.OU = “My second OU”
>
> But doc/man5/x509v3_config.pod says to append the numeric, as in
> email.1 = steve@here
> email.2 = steve@there
>
> I believe the second form is correct. Can anyone confirm?

AFAIK:

Either simply like (e.g. in an extension file):

    subjectAltName=email:foo@x,email:bar@x

or more listed like your second form:

    [ v3_req ]
    subjectAltName = @extrabits

    [ extrabits ]
    email.1=foo
    email.2=foo

or straight (ordered) directly:

    openssl req -x509 -subj /CN=foo/CN=bar -keyout /dev/null -nodes| openssl x509 -noout -subject

Dw.
1.OU or OU.1 ?
The doc/man5/config.pod file says to use

    1.OU = “My first OU”
    2.OU = “My second OU”

But doc/man5/x509v3_config.pod says to append the numeric, as in

    email.1 = steve@here
    email.2 = steve@there

I believe the second form is correct. Can anyone confirm?