On 08/06/2010 08:49 AM, Dr. Stephen Henson wrote:
> On Wed, Aug 04, 2010, Bram Cymet wrote:
>
>> Hi,
>>
>> Given a configuration like the following:
>>
>> subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
>>
>> # Copy subject details
>>
>> issuerAltName=issuer:copy
>>
>> [princ_name]
>> realm = EXP:0, GeneralString:${ENV::REALM}
>> principal_name = EXP:1, SEQUENCE:principal_seq
>>
>> [principal_seq]
>> name_type = EXP:0, INTEGER:1
>> name_string = EXP:1, SEQUENCE:principals
>>
>> [principals]
>> princ1 = GeneralString:${ENV::CLIENT}
>>
>> Can someone give me an idea of how openssl would encode this, or at
>> least point me at the code that would encode this so I can figure it out.
>>
>> I am trying to figure out the asn1 structures that would be created.
>>
> Well the ${ENV::xxx} stuff is environment variable expansion.
>
> If you want to see what structure is created your easiest option is to create
> a test certificate using that configuration and check the subjectAltName
> extension using asn1parse. There is also an option to asn1parse that uses the
> mini-ASN1 compiler with similar syntax.
>
> It's not too hard to figure out from the docs, for example:
>
> subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
>
> Is subjectAltName extension, using otherName option and that OID, the value is
> a SEQUENCE defined by the section "princ_name":
>
> [princ_name]
> realm = EXP:0, GeneralString:${ENV::REALM}
> principal_name = EXP:1, SEQUENCE:principal_seq
>
> From above that SEQUENCE consists of an explicit tag 0 GeneralString with
> REALM environment variable value and another explicit tag 1 SEQUENCE
> described by the section principal_seq, etc etc.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>

Thanks,

The only problem is (and I have sent a separate email to the list about this) that whenever I try to create a cert I get "Error Loading extension section <section>". Is there any way I could get a more specific error message? Maybe recompile with some debug option?

Bram

--
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
Cell: 613-608-9752
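
The structure described in the quoted reply, worked through as an added example (not part of the original thread and not OpenSSL's code): a small DER encoder that builds the bytes the `[princ_name]`, `[principal_seq]` and `[principals]` sections describe, wrapped as an otherName inside the subjectAltName value. `EXAMPLE.COM` and `alice` are constructed stand-ins for `${ENV::REALM}` and `${ENV::CLIENT}`, and all function names are hypothetical.

```python
# Added example: hand-build the DER described by the config sections in the thread.
# REALM and CLIENT are constructed stand-ins for ${ENV::REALM} and ${ENV::CLIENT}.
REALM, CLIENT = "EXAMPLE.COM", "alice"

def tlv(tag, body):
    """DER tag-length-value, definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def explicit(n, inner):
    return tlv(0xA0 | n, inner)          # EXP:n -> context-specific, constructed

def general_string(s):
    return tlv(0x1B, s.encode("ascii"))

def integer(i):                          # non-negative values only
    return tlv(0x02, i.to_bytes(i.bit_length() // 8 + 1, "big"))

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # base-128, high bit set on all but last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def princ_name(realm, client):
    principals = seq(general_string(client))                  # [principals]
    principal_seq = seq(explicit(0, integer(1)),              # [principal_seq]
                        explicit(1, principals))
    return seq(explicit(0, general_string(realm)),            # [princ_name]
               explicit(1, principal_seq))

def subject_alt_name(realm, client):
    # otherName is GeneralName choice [0] (implicit): type-id OID, then [0] EXPLICIT value
    other = tlv(0xA0, oid("1.3.6.1.5.2.2") + explicit(0, princ_name(realm, client)))
    return seq(other)                                         # GeneralNames

if __name__ == "__main__":
    print(subject_alt_name(REALM, CLIENT).hex())
```

Writing the resulting bytes to a file and running `openssl asn1parse -inform DER -i` on it shows the same nesting that asn1parse would report for the extension in a test certificate.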