Hi,

It's been some time since I last wrote to the mailing lists (:-D); anyway,
I have some patches for the ca command. This time they should be complete
(the ca.pod patch is included as well).

To apply them, copy ca.patch into the apps/ directory and ca.pod.patch
into doc/apps, then run:

        $ cd apps
        $ patch <ca.patch
        $ cd ../doc/apps
        $ patch <ca.pod.patch

[just to be complete :-D ]

Please let me know your opinion.

P.S.: I actually get a core dump with the current SNAP (20011013), independently
of my patch (so I am using the patch together with an older SNAP that works,
20010826), when running many of the commands such as req, ca, etc.

Now for the real stuff.

DESCRIPTION
===========

This patch adds the possibility of not including the EMAIL (emailAddress)
attribute in the subject DN of a newly issued certificate. This is wanted
because carrying the e-mail address in the subject DN is deprecated by the
PKIX RFCs (RFC 2459 recommends the rfc822Name form of subjectAltName instead).

This patch is intended not to alter the normal behaviour of the ca command
when neither the flag nor the configuration keyword is used.

The added flag reads as follows:

   -noemailDN      - Don't add the EMAIL field into certificate' subject

command line samples usage:

   openssl ca -spkac spkac.req -cert cacert.pem -keyfile cakey.pem \
      -config conf/openssl/openssl.cnf -noemailDN -preserveDN

   openssl ca -in req.pem -noemailDN -cert cacert.pem -keyfile cakey.pem \
      -config conf/openssl/openssl.cnf

The added configuration key is "email_in_dn"; if it is set to "no" (exactly
that lowercase string), the EMAIL field is not added to the certificate's
subject, which is equivalent to using the -noemailDN command line switch.
The command line option overrides the configuration file's value.

sample configuration keyword usage:

...
oid_file        = $dir/private/.oid

x509_extensions = user_cert             # The extensions to add to the cert
email_in_dn     = no                    # Don't add the email into the cert DN
...


-- 

C'you,

        Massimiliano Pala

--o-------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]                  [EMAIL PROTECTED]
                                                          [EMAIL PROTECTED]
                                                     [EMAIL PROTECTED]
http://www.openca.org                            Tel.:   +39 (0)59  270  094
http://openca.sourceforge.net                    Mobile: +39 (0)347 7222 365
--- ca.c        Tue Oct 16 00:46:06 2001
+++ ca.new      Tue Oct 16 00:45:41 2001
@@ -126,6 +126,7 @@
 #define ENV_DEFAULT_CRL_DAYS   "default_crl_days"
 #define ENV_DEFAULT_CRL_HOURS  "default_crl_hours"
 #define ENV_DEFAULT_MD         "default_md"
+#define ENV_DEFAULT_EMAIL_DN   "email_in_dn"
 #define ENV_PRESERVE           "preserve"
 #define ENV_POLICY             "policy"
 #define ENV_EXTENSIONS         "x509_extensions"
@@ -182,6 +183,7 @@
 " -spkac file     - File contains DN and signed public key and challenge\n",
 " -ss_cert file   - File contains a self signed cert to sign\n",
 " -preserveDN     - Don't re-order the DN\n",
+" -noemailDN      - Don't add the EMAIL field into certificate' subject\n",
 " -batch          - Don't ask questions\n",
 " -msie_hack      - msie modifications to handle all those universal strings\n",
 " -revoke file    - Revoke a certificate (given in file)\n",
@@ -211,32 +213,32 @@
 static int save_serial(char *serialfile, BIGNUM *serial);
 static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
                   const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,TXT_DB *db,
-                  BIGNUM *serial, char *subj, char *startdate,char *enddate,
-                  long days, int batch, char *ext_sect, CONF *conf,int verbose,
-                  unsigned long certopt, unsigned long nameopt, int default_op,
-                  int ext_copy);
+                  BIGNUM *serial, char *subj, int email_dn, char *startdate,
+                  char *enddate, long days, int batch, char *ext_sect, CONF *conf,
+                  int verbose, unsigned long certopt, unsigned long nameopt,
+                  int default_op, int ext_copy);
 static int certify_cert(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
                        const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
-                       TXT_DB *db, BIGNUM *serial, char *subj, char *startdate,
-                       char *enddate, long days, int batch, char *ext_sect,
-                       CONF *conf,int verbose, unsigned long certopt,
+                       TXT_DB *db, BIGNUM *serial, char *subj, int email_dn,
+                       char *startdate, char *enddate, long days, int batch,
+                       char *ext_sect, CONF *conf,int verbose, unsigned long certopt,
                        unsigned long nameopt, int default_op, int ext_copy,
                        ENGINE *e);
 static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
                         const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
-                        TXT_DB *db, BIGNUM *serial,char *subj, char *startdate,
-                        char *enddate, long days, char *ext_sect,CONF *conf,
-                        int verbose, unsigned long certopt, unsigned long nameopt,
-                        int default_op, int ext_copy);
+                        TXT_DB *db, BIGNUM *serial,char *subj, int email_dn,
+                        char *startdate, char *enddate, long days, char *ext_sect,
+                        CONF *conf, int verbose, unsigned long certopt, 
+                        unsigned long nameopt, int default_op, int ext_copy);
 static int fix_data(int nid, int *type);
 static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext);
 static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
        STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial,char *subj,
-       char *startdate, char *enddate, long days, int batch, int verbose,
-       X509_REQ *req, char *ext_sect, CONF *conf,
+       int email_dn, char *startdate, char *enddate, long days, int batch,
+               int verbose, X509_REQ *req, char *ext_sect, CONF *conf,
        unsigned long certopt, unsigned long nameopt, int default_op,
        int ext_copy);
-static X509_NAME *do_subject(char *subject);
+static X509_NAME *do_subject(char *subject, int email_dn);
 static int do_revoke(X509 *x509, TXT_DB *db, int ext, char *extval);
 static int get_certificate_status(const char *ser_status, TXT_DB *db);
 static int do_updatedb(TXT_DB *db);
@@ -268,6 +270,7 @@
        int total_done=0;
        int badops=0;
        int ret=1;
+       int email_dn=1;
        int req=0;
        int verbose=0;
        int gencrl=0;
@@ -294,6 +297,7 @@
        char *extensions=NULL;
        char *extfile=NULL;
        char *subj=NULL;
+       char *tmp_email_dn=NULL;
        char *crl_ext=NULL;
        int rev_type = REV_NONE;
        char *rev_arg = NULL;
@@ -439,6 +443,8 @@
                        batch=1;
                else if (strcmp(*argv,"-preserveDN") == 0)
                        preserve=1;
+               else if (strcmp(*argv,"-noemailDN") == 0)
+                       email_dn=0;
                else if (strcmp(*argv,"-gencrl") == 0)
                        gencrl=1;
                else if (strcmp(*argv,"-msie_hack") == 0)
@@ -1041,6 +1047,12 @@
                        lookup_fail(section,ENV_DEFAULT_MD);
                        goto err;
                        }
+               if ((email_dn == 1) && ((tmp_email_dn=NCONF_get_string(conf,
+                       section,ENV_DEFAULT_EMAIL_DN)) != NULL ))
+                       {
+                       if(strcmp(tmp_email_dn,"no") == 0)
+                               email_dn=0;
+                       }
                if ((dgst=EVP_get_digestbyname(md)) == NULL)
                        {
                        BIO_printf(bio_err,"%s is an unsupported message digest 
type\n",md);
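Review bot: The configuration value is honoured only when it is exactly the lowercase string "no"; `email_in_dn = No`, `false` or `0` silently keeps the e-mail address in the DN, which is the opposite of what the operator asked for, and no error is reported either way. Treat anything other than "yes" or "no" as a configuration error, for example by adding after the existing `strcmp`: `else if (strcmp(tmp_email_dn,"yes") != 0) { BIO_printf(bio_err,"invalid value for %s\n",ENV_DEFAULT_EMAIL_DN); goto err; }`. Separately, the context line `"%s is an unsupported message digest type\n",md);` arrives wrapped across two physical lines in this mail, so patch(1) will reject the hunk as malformed; the patch should be sent as an attachment rather than inlined. The enclosing function continues outside the hunk.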
@@ -1159,8 +1171,8 @@
                        {
                        total++;
                        j=certify_spkac(&x,spkac_file,pkey,x509,dgst,attribs,db,
-                               serial,subj,startdate,enddate, days,extensions,conf,
-                               verbose, certopt, nameopt, default_op, ext_copy);
+                               serial,subj,email_dn,startdate,enddate,days,extensions,
+                               conf,verbose,certopt,nameopt,default_op,ext_copy);
                        if (j < 0) goto err;
                        if (j > 0)
                                {
@@ -1183,7 +1195,7 @@
                        {
                        total++;
                        j=certify_cert(&x,ss_cert_file,pkey,x509,dgst,attribs,
-                               db,serial,subj,startdate,enddate,days,batch,
+                               db,serial,subj,email_dn,startdate,enddate,days,batch,
                                extensions,conf,verbose, certopt, nameopt,
                                default_op, ext_copy, e);
                        if (j < 0) goto err;
@@ -1203,7 +1215,7 @@
                        {
                        total++;
                        j=certify(&x,infile,pkey,x509,dgst,attribs,db,
-                               serial,subj,startdate,enddate,days,batch,
+                               serial,subj,email_dn,startdate,enddate,days,batch,
                                extensions,conf,verbose, certopt, nameopt,
                                default_op, ext_copy);
                        if (j < 0) goto err;
@@ -1223,7 +1235,7 @@
                        {
                        total++;
                        j=certify(&x,argv[i],pkey,x509,dgst,attribs,db,
-                               serial,subj,startdate,enddate,days,batch,
+                               serial,subj,email_dn,startdate,enddate,days,batch,
                                extensions,conf,verbose, certopt, nameopt,
                                default_op, ext_copy);
                        if (j < 0) goto err;
@@ -1699,8 +1711,8 @@
 
 static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
             const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
-            BIGNUM *serial, char *subj, char *startdate, char *enddate, long days,
-            int batch, char *ext_sect, CONF *lconf, int verbose,
+            BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate,
+            long days, int batch, char *ext_sect, CONF *lconf, int verbose,
             unsigned long certopt, unsigned long nameopt, int default_op,
             int ext_copy)
        {
@@ -1749,8 +1761,8 @@
        else
                BIO_printf(bio_err,"Signature ok\n");
 
-       ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,startdate, enddate,
-               days,batch,verbose,req,ext_sect,lconf,
+       ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj, email_dn,
+               startdate,enddate,days,batch,verbose,req,ext_sect,lconf,
                certopt, nameopt, default_op, ext_copy);
 
 err:
@@ -1761,8 +1773,8 @@
 
 static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
             const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
-            BIGNUM *serial, char *subj, char *startdate, char *enddate, long days,
-            int batch, char *ext_sect, CONF *lconf, int verbose,
+            BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate,
+            long days, int batch, char *ext_sect, CONF *lconf, int verbose,
             unsigned long certopt, unsigned long nameopt, int default_op,
             int ext_copy, ENGINE *e)
        {
@@ -1803,9 +1815,9 @@
        if ((rreq=X509_to_X509_REQ(req,NULL,EVP_md5())) == NULL)
                goto err;
 
-       ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,startdate,enddate,days,
-               batch,verbose,rreq,ext_sect,lconf, certopt, nameopt, default_op,
-                       ext_copy);
+       
+ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,email_dn,startdate,enddate,
+               days,batch,verbose,rreq,ext_sect,lconf, certopt, nameopt, default_op,
+               ext_copy);
 
 err:
        if (rreq != NULL) X509_REQ_free(rreq);
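Review bot: The rewritten `ok=do_body(...)` call in certify_cert now starts at column 0 with its continuation lines at one tab, and the hunk also adds a line containing only whitespace, neither of which matches the indentation of the surrounding body (one tab for statements, two for continuations). Re-indent the statement to the body's level, `ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,email_dn,startdate,` at one tab with the remaining arguments on continuation lines at two tabs, and drop the blank line. certify_cert continues past the end of the hunk.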
@@ -1815,12 +1827,12 @@
 
 static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
             STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial, char *subj,
-            char *startdate, char *enddate, long days, int batch, int verbose,
-            X509_REQ *req, char *ext_sect, CONF *lconf,
+            int email_dn, char *startdate, char *enddate, long days, int batch,
+            int verbose, X509_REQ *req, char *ext_sect, CONF *lconf,
             unsigned long certopt, unsigned long nameopt, int default_op,
             int ext_copy)
        {
-       X509_NAME *name=NULL,*CAname=NULL,*subject=NULL;
+       X509_NAME *name=NULL,*CAname=NULL,*subject=NULL, *dn_subject=NULL;
        ASN1_UTCTIME *tm,*tmptm;
        ASN1_STRING *str,*str2;
        ASN1_OBJECT *obj;
@@ -1847,7 +1859,7 @@
 
        if (subj)
                {
-               X509_NAME *n = do_subject(subj);
+               X509_NAME *n = do_subject(subj, email_dn);
 
                if (!n)
                        {
@@ -1861,6 +1873,7 @@
 
        if (default_op)
                BIO_printf(bio_err,"The Subject's Distinguished Name is as follows\n");
+
        name=X509_REQ_get_subject_name(req);
        for (i=0; i<X509_NAME_entry_count(name); i++)
                {
@@ -1885,6 +1898,10 @@
                                str->type=V_ASN1_IA5STRING;
                        }
 
+               /* If no EMAIL is wanted in the subject */
+               if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) && (!email_dn))
+                       continue;
+
                /* check some things */
                if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) &&
                        (str->type != V_ASN1_IA5STRING))
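Review bot: The new `continue` sits before the `check some things` block, so with -noemailDN a request whose emailAddress attribute has the wrong string type is no longer rejected by the IA5STRING check on the following lines. If that value can still be copied into subjectAltName by an `email:copy` extension later in do_body (outside this hunk), the malformed attribute merely moves from the DN to the extension instead of being refused. Skipping the entry only after the type check keeps the validation: move the three added lines below the `if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) && (str->type != V_ASN1_IA5STRING))` block. do_body starts and ends outside the hunk.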
@@ -2018,14 +2035,44 @@
        if (preserve)
                {
                X509_NAME_free(subject);
-               subject=X509_NAME_dup(X509_REQ_get_subject_name(req));
+               /* subject=X509_NAME_dup(X509_REQ_get_subject_name(req)); */
+               subject=X509_NAME_dup(name);
                if (subject == NULL) goto err;
                }
 
        if (verbose)
                BIO_printf(bio_err,"The subject name appears to be ok, checking data 
base for clashes\n");
 
-       row[DB_name]=X509_NAME_oneline(subject,NULL,0);
+       /* Build the correct Subject if no e-mail is wanted in the subject */
+       /* and add it later on because of the method extensions are added (altName) */
+        
+       if (!email_dn)
+               {
+               if ((dn_subject=X509_NAME_new()) == NULL)
+                       {
+                       BIO_printf(bio_err,"Memory allocation failure\n");
+                       goto err;
+                       }
+
+               for (i=0; i<X509_NAME_entry_count(subject); i++)
+                       {
+                       ne= X509_NAME_get_entry(subject,i);
+                       obj=X509_NAME_ENTRY_get_object(ne);
+                       nid=OBJ_obj2nid(obj);
+
+                       str=X509_NAME_ENTRY_get_data(ne);
+
+                       if (nid == NID_pkcs9_emailAddress) continue;
+
+                       if (!X509_NAME_add_entry(dn_subject,ne, -1, 0))
+                               {
+                               BIO_printf(bio_err,"Memory allocation failure\n");
+                               goto err;
+                               }
+                       }
+               }
+
+       row[DB_name]=X509_NAME_oneline(dn_subject,NULL,0);
        row[DB_serial]=BN_bn2hex(serial);
        if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
                {
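Review bot: `row[DB_name]=X509_NAME_oneline(dn_subject,NULL,0);` now runs with `dn_subject` still NULL whenever `email_dn` is 1, i.e. in the default configuration, so the index row is no longer built from `subject`; if I remember X509_NAME_oneline() right, a NULL name yields the placeholder string "NO X509_NAME" rather than failing, which would also defeat the subject-clash check that compares this row against the database further down. Make the default path explicit with `if (email_dn) dn_subject = subject; else {` in front of the filtering loop, and in the err path (outside this hunk) release the copy only when one was made, `if (dn_subject != NULL && dn_subject != subject) X509_NAME_free(dn_subject);`. The `str` local assigned inside the loop is never read and can go, and the old `X509_NAME_dup(X509_REQ_get_subject_name(req))` call should be deleted rather than left commented out. do_body continues past the end of the hunk.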
@@ -2181,6 +2228,11 @@
                goto err;
                }
 
+       /* Set the right value for the noemailDN option */
+       if( email_dn == 0 )
+               {
+               if (!X509_set_subject_name(ret,dn_subject)) goto err;
+               }
 
        if (!default_op)
                {
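Review bot: `if( email_dn == 0 )` wrapping a single statement in braces departs from the `if (!email_dn)` form used a few lines earlier in the same function; `if (!email_dn && !X509_set_subject_name(ret,dn_subject)) goto err;` says the same in one line. Note that X509_set_subject_name() keeps its own copy of the name as far as I recall, so `dn_subject` is still owned here and must be freed in the err path, which lies outside this hunk. do_body ends outside the hunk.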
@@ -2313,8 +2365,8 @@
 
 static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
             const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
-            BIGNUM *serial, char *subj, char *startdate, char *enddate, long days,
-            char *ext_sect, CONF *lconf, int verbose, unsigned long certopt,
+            BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate,
+            long days, char *ext_sect, CONF *lconf, int verbose, unsigned long 
+certopt,
             unsigned long nameopt, int default_op, int ext_copy)
        {
        STACK_OF(CONF_VALUE) *sk=NULL;
@@ -2405,6 +2457,11 @@
                        continue;
                        }
 
+               /*
+               if ((nid == NID_pkcs9_emailAddress) && (email_dn == 0))
+                       continue;
+               */
+               
                j=ASN1_PRINTABLE_type((unsigned char *)buf,-1);
                if (fix_data(nid, &j) == 0)
                        {
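Review bot: The commented-out `if ((nid == NID_pkcs9_emailAddress) && (email_dn == 0)) continue;` is dead code with no explanation, so the next reader cannot tell whether SPKAC e-mail attributes are deliberately kept in the request (presumably so do_body can still route them into an extension) or whether this is unfinished work. Either delete it or replace it with a comment stating the intent, e.g. `/* Keep emailAddress in the request: do_body() drops it from the issued DN when email_dn is 0. */`. certify_spkac continues outside the hunk.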
@@ -2449,7 +2506,7 @@
 
        X509_REQ_set_pubkey(req,pktmp);
        EVP_PKEY_free(pktmp);
-       ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,startdate,enddate,
+       
+ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,email_dn,startdate,enddate,
                   days,1,verbose,req,ext_sect,lconf, certopt, nameopt, default_op,
                        ext_copy);
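Review bot: As in certify_cert, the rewritten `ok=do_body(...)` line in certify_spkac is placed at column 0 after a whitespace-only added line, while its continuation lines keep the old indentation. Re-indent the call to the body's tab level, `ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,email_dn,startdate,enddate,` at one tab, and remove the blank line. certify_spkac continues outside the hunk.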
 err:
@@ -2935,7 +2992,7 @@
        return ret;
        }
 
-static X509_NAME *do_subject(char *subject)
+static X509_NAME *do_subject(char *subject, int email_dn)
        {
        X509_NAME *n = NULL;
 
@@ -2983,6 +3040,9 @@
                        BIO_printf(bio_err, "No value provided for Subject Attribute 
%s, skipped\n", ne_name);
                        continue;
                        }
+
+               if ((nid == NID_pkcs9_emailAddress) && (email_dn == 0))
+                       continue;
 
                if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_ASC, (unsigned 
char*)ne_value, -1,-1,0))
                        {
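Review bot: Dropping the emailAddress entry inside do_subject() means that with `-subj` and `-noemailDN` the address never reaches the request subject at all; if the `-subj` name replaces the request's subject before extensions are processed, as the `do_subject(subj, email_dn)` call in do_body suggests, an `email:copy` subjectAltName then has nothing to copy, unlike the plain path where do_body strips the e-mail from the DN only after the extensions are added. The ca.pod text promises the address is "set only in the ... extensions", so either keep the entry here and let do_body filter it, or document that `-subj -noemailDN` discards the address. Also `email_dn == 0` reads differently from the `!email_dn` form used elsewhere in the patch. do_subject continues outside the hunk.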

--- ca.pod      Fri Mar 16 04:02:37 2001
+++ ca.pod.new  Tue Oct 16 00:54:57 2001
@@ -34,6 +34,7 @@
 [B<-spkac file>]
 [B<-ss_cert file>]
 [B<-preserveDN>]
+[B<-noemailDN>]
 [B<-batch>]
 [B<-msie_hack>]
 [B<-extensions section>]
@@ -157,6 +158,15 @@
 older IE enrollment control which would only accept certificates if their
 DNs match the order of the request. This is not needed for Xenroll.
 
+=item B<-noemailDN>
+
+The DN of a certificate can contain the EMAIL field if present in the
+request DN, however it is good policy just having the e-mail set into
+the altName extension of the certificate. When this option is set the
+EMAIL field is removed from the certificate' subject and set only in
+the, eventually present, extensions.
+
+=item B<-batch>
 =item B<-batch>
 
 this sets the batch mode. In this mode no questions will be asked
