Thank you.

Note: the content on the help page is wrong. The correct content would be:

-------------
[subject_alt_section]
URI=ldap://somehost.com/CN=foo,OU=bar
-------------

Not:

-------------
[subject_alt_section]
subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar
-------------

Best regards,
David

On 03/01/2011 02:55 PM, Dr. Stephen Henson wrote:
> On Tue, Mar 01, 2011, David CARELLA wrote:
>
>> File test-req.cnf:
>>
>> [ req ]
>> default_md = sha256
>> req_extensions = ext_server
>>
>> [ ext_server ]
>> keyUsage = critical, digitalSignature, keyEncipherment
>> extendedKeyUsage = serverAuth
>> #- MS GUID (OID: 1.3.6.1.4.1.311.25.1)
>> subjectAltName = otherName:1.3.6.1.4.1.311.25.1;FORMAT:HEX,OCTETSTRING:3F2504E04F8911D39A0C0305E82C3301
>>
>> The command with error:
>>
>> $ openssl req -new -config test-req.cnf -sha256 -subj "/C=FR/O=FOO/CN=foo.com" -key foo.com.key -out foo.com.csr
>> Error Loading request extension section ext_server
>> 3077565144:error:220A4093:X509 V3 routines:A2I_GENERAL_NAME:othername error:v3_alt.c:494:
>> 3077565144:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:93:name=subjectAltName, value=otherName:1.3.6.1.4.1.311.25.1;FORMAT:HEX,OCTETSTRING:3F2504E04F8911D39A0C0305E82C3301
>>
>> With this other test:
>>
>> subjectAltName = otherName:1.3.6.1.4.1.311.25.1;OCTETSTRING:3F2504E04F8911D39A0C0305E82C3301
>>
>> the command works, and generates a string with all the 32 characters.
>> But MS GUID must contain the 16 octets: e.g. 3F, 25, 04, etc.
>>
>> I had tested a lot of cases, but the first syntax seems to conform to OpenSSL.
>>
>> My references for my test:
>> http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_
>> http://www.openssl.org/docs/crypto/ASN1_generate_nconf.html
>
> See:
> http://www.openssl.org/docs/apps/x509v3_config.html#NOTES
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org

--
David CARELLA
PKI Expert Engineer, Security Project Manager
LINAGORA - LGS - Security Division
Email: dcare...@linagora.com
Tel.: +33 (0)1 46 96 63 63, ext. 550
Groupe LINAGORA - www.linagora.com
LinPKI, security offerings - www.linpki.org
EJBCA-fr, open source PKI - www.ejbca-fr.org
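
The difference between the two OCTETSTRING forms discussed in the thread, as an added example that is not part of the original messages: it builds the DER otherName for the GUID OID both ways and checks whether the payload is 16 raw octets or 32 characters of hex text. The function names are hypothetical; the OID and GUID value are the ones quoted in the thread.

```python
# Added example, not from the thread: DER of the otherName GeneralName
# for the MS GUID OID, in the two encodings compared in the thread.
MS_GUID_OID = "1.3.6.1.4.1.311.25.1"
GUID_HEX = "3F2504E04F8911D39A0C0305E82C3301"  # value quoted in the thread

def tlv(tag, body):
    """DER tag-length-value with short or long definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def oid(dotted):
    """DER OBJECT IDENTIFIER: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += bytes(chunk)
    return tlv(0x06, bytes(out))

def other_name(value):
    """otherName ::= [0] { type-id OID, value [0] EXPLICIT OCTET STRING }."""
    return tlv(0xA0, oid(MS_GUID_OID) + tlv(0xA0, tlv(0x04, value)))

def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def guid_payload(der):
    """Return the OCTET STRING body of an MS GUID otherName, else None."""
    tag, body, _ = read_tlv(der)
    if tag != 0xA0 or not body.startswith(oid(MS_GUID_OID)):
        return None
    tag, wrapped, _ = read_tlv(body, len(oid(MS_GUID_OID)))
    if tag != 0xA0:
        return None
    tag, payload, _ = read_tlv(wrapped)
    return payload if tag == 0x04 else None

def is_valid_guid_san(der):
    """A GUID is 16 raw octets; 32 octets means hex text was stored."""
    payload = guid_payload(der)
    return payload is not None and len(payload) == 16

HEX_FORM = other_name(bytes.fromhex(GUID_HEX))     # FORMAT:HEX,OCTETSTRING
ASCII_FORM = other_name(GUID_HEX.encode("ascii"))  # OCTETSTRING, default ASCII
```
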