RE: Including attributes in the signed certificate

2006-09-07 Thread Quarantel, Hubert

Hi !

   Actually, I forgot to say that I am my own CA and run it internally only.

   In fact, I'd like the Subject/DN of the user's X.509v3 certificate to be as 
close as possible to the LDAP DN of that user in my LDAP directory, and I'd 
like to add a few attributes to the user certificate besides the subject, to 
allow SSL/TLS-aware applications to rely on those attributes for different 
things (mainly access controls)... As long as I'm the CA that receives the CSR 
and signs it to deliver the certificate, and even the programmer of those 
applications, I can roughly say that I can rely on these attributes and their 
respective values...

  If I can't manage to do that, the workaround I'm beginning to look at is to 
make the certificate Subject/DN a search key for those desired 
attributes/fields in the LDAP directory (I'm the directory manager too), even 
though it would require my applications to be both SSL/TLS and LDAP aware, 
which is not that big a deal... and which shouldn't cost me too much overhead 
while determining the access controls...

Thanks again,

 
Hubert Quarantel-Colombani,

UNIX is user friendly.
It's just selective about who its friends are.

-Original Message-
From: Quarantel, Hubert 
Sent: Wednesday, 6 September 2006 14:46
To: 'openssl-users@openssl.org'
Subject: Including attributes in the signed certificate

Hi !

I'm trying to include attributes/fields in a signed certificate.

I've first issued a CSR with some extra attributes in it; here's what the CSR 
looks like with openssl req -in test.csr -text -noout:

Certificate Request:
Data:
Version: 0 (0x0)
Subject: O=TEST, OU=Support, CN=TEST/[EMAIL PROTECTED]
Subject Public Key Info:
Public Key Algorithm: dsaEncryption
DSA Public Key:
pub:
(snip)
P:
(snip)
Q:
(snip)
G:
(snip)
Attributes:
countryName  :FR
localityName :Paris
uidNumber:4321
gidNumber:1234
uid  :test
Signature Algorithm: dsaWithSHA1
(snip)

I'm very happy so far, as I see the attributes/fields countryName, uid, 
uidNumber, ... that I added in the [req_attribute] section of the default 
openssl.cnf file, along with their respective OIDs in the [new_oids] section.

But when I sign the certificate request with that same openssl.cnf file, 
either with openssl ca or with openssl x509, the produced certificate does not 
include those attributes, as shown by 
openssl x509 -text -in test.crt -noout:

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=TEST CA, O=TEST/[EMAIL PROTECTED]
Validity
Not Before: Sep  6 11:09:06 2006 GMT
Not After : Sep  7 11:09:06 2006 GMT
Subject: O=TEST, OU=Support, CN=TEST/[EMAIL PROTECTED]
Subject Public Key Info:
Public Key Algorithm: dsaEncryption
DSA Public Key:
pub:
  (snip)
P:
  (snip)
Q:
  (snip)
G:
  (snip)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
19:88:DF:ED:6C:82:86:BA:91:81:AA:1A:A4:55:A7:5C:20:7B:5A:62
X509v3 Authority Key Identifier:

keyid:CF:A8:E1:B1:BD:5C:B2:55:9B:20:F5:44:8E:36:D2:F4:E6:E9:10:FF

Signature Algorithm: sha1WithRSAEncryption
  (snip) 

Would anyone help me? Or at least tell me where I went wrong?

Thanks for any kind of help,

Hubert,
 
UNIX is user friendly.
It's just selective about who its friends are.


Ce message et les pièces jointes sont confidentiels et établis à l'attention 
exclusive de ses destinataires. Toute utilisation ou diffusion, même partielle, 
non autorisée est interdite. Tout message électronique est susceptible 
d'altération. Brink's décline toute responsabilité au titre de ce message s'il 
a été altéré, déformé ou falsifié. Si vous n'êtes pas le destinataire de ce 
message, merci de le détruire et d'avertir l'expéditeur.

This message and any attachments are confidential and intended solely for the 
addressees. Any unauthorized use or disclosure, either whole or partial is 
prohibited. E-mails are susceptible to alteration. Brink's shall not be liable 
for the message if altered, changed or falsified. If you are not the intended 
recipient of 
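As an added example (not code from the thread), the shell session below reproduces what Hubert reports, using only the openssl CLI: a CSR built from a config with a [new_oids] section and an attributes section, a self-signed test CA, and two signings of the same CSR, one plain and one where the CA's own -extfile asserts the uidNumber/gidNumber values as X.509v3 extensions. The file names, section names, subject and the 4321/1234 values are constructed for the demo; the uidNumber/gidNumber OIDs are the RFC 2307 ones. It shows that PKCS#10 attributes belong to the request structure, not the certificate, so openssl x509 and openssl ca leave them behind, and that the way to carry such data in a certificate is an extension that the CA chooses to add from its own policy, which also fits Mouse's point that the CA rather than the requester should be the party asserting those values.

```shell
#!/bin/sh
# Added example, not code from the thread. Shows with the openssl CLI that
# PKCS#10 attributes stay in the CSR and never reach the certificate, and
# that the CA can assert the same values as X.509v3 extensions instead.
# File names, section names and the subject/attribute values are constructed
# for this demo; the uidNumber/gidNumber OIDs are the RFC 2307 ones.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed request config: custom OID names plus a non-interactive DN and
# an attributes section, mirroring the [new_oids]/[req_attributes] setup.
cat > "$WORK/req.cnf" <<'EOF'
oid_section = new_oids

[ new_oids ]
uidNumber = 1.3.6.1.1.1.1.0
gidNumber = 1.3.6.1.1.1.1.1

[ req ]
prompt = no
distinguished_name = dn
attributes = req_attrs

[ dn ]
O = TEST
OU = Support
CN = test

[ req_attrs ]
uidNumber = 4321
gidNumber = 1234
EOF

# Constructed CA-side extension config: the CA, not the requester, states the
# values, encoding them as arbitrary extensions identified by numeric OID.
cat > "$WORK/usr_ext.cnf" <<'EOF'
[ usr_ext ]
basicConstraints = CA:FALSE
1.3.6.1.1.1.1.0 = ASN1:INTEGER:4321
1.3.6.1.1.1.1.1 = ASN1:INTEGER:1234
EOF

gen_key() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }

# Self-signed test CA (subject overridden on the command line).
gen_key "$WORK/ca.key"
openssl req -x509 -new -key "$WORK/ca.key" -config "$WORK/req.cnf" \
  -subj "/O=TEST/CN=TEST CA" -days 1 -out "$WORK/ca.crt"

# User CSR carrying uidNumber/gidNumber as PKCS#10 attributes.
gen_key "$WORK/user.key"
openssl req -new -key "$WORK/user.key" -config "$WORK/req.cnf" -out "$WORK/user.csr"

# Sign a CSR with the test CA; any extra arguments are passed to openssl x509.
sign_csr() {
  csr=$1; out=$2; shift 2
  openssl x509 -req -in "$csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -set_serial 2 -days 1 -out "$out" "$@" 2>/dev/null
}
sign_csr "$WORK/user.csr" "$WORK/plain.crt"
sign_csr "$WORK/user.csr" "$WORK/ext.crt" -extfile "$WORK/usr_ext.cnf" -extensions usr_ext

# Count the lines of a CSR dump that name uidNumber (by short name or by OID).
csr_uid_lines() {
  openssl req -in "$1" -text -noout -config "$WORK/req.cnf" \
    | grep -Ec 'uidNumber|1\.3\.6\.1\.1\.1\.1\.0' || true
}
# Same count for a certificate dump.
cert_uid_lines() {
  openssl x509 -in "$1" -text -noout \
    | grep -Ec 'uidNumber|1\.3\.6\.1\.1\.1\.1\.0' || true
}

echo "CSR attribute lines:        $(csr_uid_lines "$WORK/user.csr")"   # 1
echo "plain cert attribute lines: $(cert_uid_lines "$WORK/plain.crt")" # 0
echo "ext cert extension lines:   $(cert_uid_lines "$WORK/ext.crt")"   # 1
```

openssl ca behaves the same way as openssl x509 here: the only CSR attribute it ever carries over is extensionRequest, and only when copy_extensions is enabled in its configuration; every other entry in the Attributes field is input for the CA to check, not content to be certified. Putting the values in the CA-side extension file keeps the decision about what the certificate asserts on the CA, where the verification policy lives.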

RE: Including attributes in the signed certificate

2006-09-06 Thread Mouse
There is one more problem with attributes and official CAs. If you are your
own CA, it makes a big difference (less trust around in the world, but you
can enforce any attribute verification policy that you choose).

Attributes are added at the time of certification (good, so they can't be
maliciously changed/removed/added later), but currently CAs do NOT verify
them (bad: crap placed in by the identity owner is still crap). Thus, you
can prove that you are Hubert and add a whole bunch of stuff about you
(the tallest man in Germany, undercover assistant of the UN Secretary General,
whatever). The resulting cert will contain a mix of true statements with
something uncertain.

A solution can be an Attribute Certificate. I don't know if it makes sense to
you; running your own CA, you're free to do what's right regardless of what
VeriSign is doing.

Sorry I didn't answer your question; somebody more knowledgeable about
OpenSSL will explain why it exhibits what I consider a bug (whatever is
placed in the CSR must be signed IMHO).


 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Quarantel, Hubert
 Sent: Wednesday, September 06, 2006 08:46
 To: openssl-users@openssl.org
 Subject: Including attributes in the signed certificate
 
 [quoted original message omitted: verbatim copy of the post above]