On 08/06/2010 01:18 PM, Dr. Stephen Henson wrote:
> On Fri, Aug 06, 2010, Bram Cymet wrote:
>
>> On 08/06/2010 08:49 AM, Dr. Stephen Henson wrote:
>>> On Wed, Aug 04, 2010, Bram Cymet wrote:
>>>
>>>> Hi,
>>>>
>>>> Given a configuration like the following:
>>>>
>>>> subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
>>>>
>>>>
>>>> # Copy subject details
>>>>
>>>> issuerAltName=issuer:copy
>>>>
>>>> [princ_name]
>>>> realm = EXP:0, GeneralString:${ENV::REALM}
>>>> principal_name = EXP:1, SEQUENCE:principal_seq
>>>>
>>>> [principal_seq]
>>>> name_type = EXP:0, INTEGER:1
>>>> name_string = EXP:1, SEQUENCE:principals
>>>>
>>>> [principals]
>>>> princ1 = GeneralString:${ENV::CLIENT}
>>>>
>>>>
>>>> Can someone give me an idea of how openssl would encode this, or at
>>>> least point me at the code that would encode this so I can figure it out.
>>>>
>>>> I am trying to figure out the asn1 structures that would be created.
>>>>
>>> Well the ${ENV::xxx} stuff is environment variable expansion.
>>>
>>> If you want to see what structure is created your easiest option is to
>>> create a test certificate using that configuration and check the subjectAltName
>>> extension using asn1parse. There is also an option to asn1parse that uses
>>> the mini-ASN1 compiler with similar syntax.
>>>
>>> It's not too hard to figure out from the docs, for example:
>>>
>>> subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
>>>
>>> Is the subjectAltName extension, using the otherName option and that OID; the
>>> value is a SEQUENCE defined by the section "princ_name":
>>>
>>> [princ_name]
>>> realm = EXP:0, GeneralString:${ENV::REALM}
>>> principal_name = EXP:1, SEQUENCE:principal_seq
>>>
>>> From above that SEQUENCE consists of an explicit tag 0 GeneralString with the
>>> REALM environment variable value and another explicit tag 1 SEQUENCE
>>> described by the section principal_seq, etc etc.
>>>
>>> Steve.
>>> --
>>> Dr Stephen N. Henson. OpenSSL project core developer.
>>> Commercial tech support now available see: http://www.openssl.org
>>> ______________________________________________________________________
>>> OpenSSL Project                                 http://www.openssl.org
>>> User Support Mailing List                    openssl-users@openssl.org
>>> Automated List Manager                           majord...@openssl.org
>> Thanks,
>>
>> The only problem is (and I have sent a separate email to the list about
>> this) that whenever I try to create a cert I get
>>
>> "Error Loading extension section <section>"
>>
>>
>> Is there any way I could get a more specific error message? Maybe
>> recompile with some debug option?
>>
> That is the complete error message? What section does it complain about, the
> whole extension section or some subsection?
>
> Can you post the complete configuration file that produces this?
>
> What version of OpenSSL are you using?
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
It complains about the client_cert section.

Attached is the conf file.

I am using openssl 1.0.0.

-- 
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
Cell: 613-608-9752


[ req ] 
default_bits    = 2048
distinguished_name = req_distinguished_name
attributes      = req_attributes
prompt          = no
output_password = .

[ req_distinguished_name ]
O               = cbn
OU              = jrz
CN              = bcymet

[ req_attributes ]
challengePassword       = .

[ kdc_cert ]

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement

extendedKeyUsage = 1.3.6.1.5.2.3.5

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# Copy subject details

issuerAltName=issuer:copy

# Add id-pkinit-san (pkinit subjectAlternativeName)
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name

[kdc_princ_name]
realm = EXP:0, GeneralString:TEST.CBN
principal_name = EXP:1, SEQUENCE:kdc_principal_seq

[kdc_principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:kdc_principals

[kdc_principals]
princ1 = GeneralString:krbtgt
princ2 = GeneralString:TEST.CBN

[client_cert]

# These extensions are added when 'ca' signs a request.

basicConstraints=CA:FALSE

keyUsage = digitalSignature, keyEncipherment, keyAgreement

extendedKeyUsage =  1.3.6.1.5.2.3.4
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# Import the email address.

subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name


# Copy subject details

issuerAltName=issuer:copy

[princ_name]
realm = EXP:0, GeneralString:TEST.CBN
principal_name = EXP:1, SEQUENCE:principal_seq

[principal_seq]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:principals

[principals]
princ1 = GeneralString:bcymet
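To see the bytes the mini-ASN.1 compiler will produce for the otherName above without first building a certificate, here is an added Python example (not from the thread, not OpenSSL code) that hand-encodes the same KRB5PrincipalName nesting from RFC 4556 (realm [0], principalName [1] holding name-type [0] and name-string [1], GeneralString throughout) and decodes it back so the SAN can be checked against the intended principal. It goes slightly beyond the config's case by handling long-form DER lengths and multi-component names; all function names are this example's own.

```python
def der_len(n):
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def explicit(n, body):                 # EXP:n -> context-specific constructed tag [n]
    return tlv(0xA0 | n, body)
def general_string(s):                 # GeneralString: -> universal tag 27
    return tlv(0x1B, s.encode("ascii"))
def sequence(*items):                  # SEQUENCE:section -> universal tag 16, constructed
    return tlv(0x30, b"".join(items))

def integer(n):                        # INTEGER: -> minimal two's-complement content
    size = 1
    while not -(1 << (8 * size - 1)) <= n < (1 << (8 * size - 1)):
        size += 1
    return tlv(0x02, n.to_bytes(size, "big", signed=True))

def krb5_principal_name(realm, name_type, components):
    """KRB5PrincipalName ::= SEQUENCE { realm [0] GeneralString, principalName [1] SEQUENCE {
    name-type [0] INTEGER, name-string [1] SEQUENCE OF GeneralString } } (RFC 4556)."""
    return sequence(explicit(0, general_string(realm)),
                    explicit(1, sequence(explicit(0, integer(name_type)),
                                         explicit(1, sequence(*map(general_string, components))))))

def tlvs(der):
    """Split a DER blob into (tag, body) pairs (short and long length forms)."""
    out, i = [], 0
    while i < len(der):
        tag, length, i = der[i], der[i + 1], i + 2
        if length >= 0x80:             # long form: the next n bytes hold the length
            n = length & 0x7F
            length, i = int.from_bytes(der[i:i + n], "big"), i + n
        out.append((tag, der[i:i + length]))
        i += length
    return out

def content(der):                      # content octets of the single TLV in der
    return tlvs(der)[0][1]

def decode_principal(der):
    """Inverse of krb5_principal_name(): returns (realm, name_type, [components])."""
    realm_exp, pn_exp = (b for _, b in tlvs(content(der)))
    nt_exp, ns_exp = (b for _, b in tlvs(content(pn_exp)))
    comps = [b.decode("ascii") for t, b in tlvs(content(ns_exp)) if t == 0x1B]
    name_type = int.from_bytes(content(nt_exp), "big", signed=True)
    return content(realm_exp).decode("ascii"), name_type, comps
```

`krb5_principal_name("TEST.CBN", 1, ["bcymet"]).hex()` is the value the [client_cert] section should yield; feeding a real certificate's otherName content to `decode_principal` confirms the realm and principal it actually carries.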