Hello:
I've been messing with openssl ca, and I think I may have found a (very
minor)bug.
$ openssl version
OpenSSL 0.9.3a 29 May 1999
Given this CA cert:
$ openssl x509 -text -in cacert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=Washington, L=Seattle, O=WRQ, Inc., OU=WRQsec,
CN=CA 8/5/1999
Validity
Not Before: Aug 5 23:19:39 1999 GMT
Not After : Sep 4 23:19:39 1999 GMT
Subject: C=US, ST=Washington, L=Seattle, O=WRQ, Inc., OU=WRQsec,
CN=CA 8/5/1999
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c8:15:57:fa:cd:9f:21:74:d2:a0:e1:36:a6:7d:
61:3b:82:9a:a1:7b:9f:d5:a5:7a:d6:7f:7b:5c:f8:
0c:5d:5f:49:a7:2b:b6:2b:6b:39:fc:a3:1e:fb:5d:
59:e6:a2:d2:29:01:75:82:fc:ed:af:e0:4d:50:95:
57:47:c3:59:c4:fe:ca:d3:29:f7:70:40:cf:ac:19:
0a:c9:a9:34:15:69:29:f3:e7:d0:6b:80:9c:4b:d2:
92:29:36:44:a9:7e:d8:be:c4:0b:b5:b1:1e:76:e8:
c0:06:74:34:13:23:74:58:5c:fd:23:41:d5:a6:cb:
6a:55:b5:c0:0f:ff:23:e6:a1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
F1:AE:63:F8:8E:8C:46:E2:3F:05:02:E0:2E:72:7D:24:BD:49:C0:BC
X509v3 Authority Key Identifier:
keyid:F1:AE:63:F8:8E:8C:46:E2:3F:05:02:E0:2E:72:7D:24:BD:49:C0:BC
DirName:/C=US/ST=Washington/L=Seattle/O=WRQ,
Inc./OU=WRQsec/CN=CA 8/5/1999
serial:00
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: md5WithRSAEncryption
2b:4e:27:36:02:3e:fc:42:9e:39:57:cb:79:bc:53:d0:d3:bb:
51:7f:40:2e:9f:ba:c0:11:d8:71:9c:2a:dc:4f:1e:4d:ff:ea:
aa:f4:32:37:4f:2c:80:93:a3:45:d1:92:f0:8a:f5:9b:43:08:
85:bb:31:1b:81:8b:07:f7:a4:01:2e:1d:e2:47:65:e6:51:57:
c5:85:14:2f:50:0e:93:41:59:8c:01:a0:b6:9f:9d:f2:77:be:
3f:ed:d9:87:d5:c6:75:4b:b8:98:76:45:91:35:1e:85:d0:03:
9b:0e:63:a8:a2:1d:4c:a6:af:e6:78:09:97:41:b7:83:f5:c0:
36:3c
-----BEGIN CERTIFICATE-----
MIIDITCCAoqgAwIBAgIBADANBgkqhkiG9w0BAQQFADBvMQswCQYDVQQGEwJVUzET
MBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHU2VhdHRsZTESMBAGA1UEChMJ
V1JRLCBJbmMuMQ8wDQYDVQQLEwZXUlFzZWMxFDASBgNVBAMTC0NBIDgvNS8xOTk5
MB4XDTk5MDgwNTIzMTkzOVoXDTk5MDkwNDIzMTkzOVowbzELMAkGA1UEBhMCVVMx
EzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxEjAQBgNVBAoT
CVdSUSwgSW5jLjEPMA0GA1UECxMGV1JRc2VjMRQwEgYDVQQDEwtDQSA4LzUvMTk5
OTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyBVX+s2fIXTSoOE2pn1hO4Ka
oXuf1aV61n97XPgMXV9Jpyu2K2s5/KMe+11Z5qLSKQF1gvztr+BNUJVXR8NZxP7K
0yn3cEDPrBkKyak0FWkp8+fQa4CcS9KSKTZEqX7YvsQLtbEedujABnQ0EyN0WFz9
I0HVpstqVbXAD/8j5qECAwEAAaOBzDCByTAdBgNVHQ4EFgQU8a5j+I6MRuI/BQLg
LnJ9JL1JwLwwgZkGA1UdIwSBkTCBjoAU8a5j+I6MRuI/BQLgLnJ9JL1JwLyhc6Rx
MG8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdT
ZWF0dGxlMRIwEAYDVQQKEwlXUlEsIEluYy4xDzANBgNVBAsTBldSUXNlYzEUMBIG
A1UEAxMLQ0EgOC81LzE5OTmCAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQF
AAOBgQArTic2Aj78Qp45V8t5vFPQ07tRf0Aun7rAEdhxnCrcTx5N/+qq9DI3TyyA
k6NF0ZLwivWbQwiFuzEbgYsH96QBLh3iR2XmUVfFhRQvUA6TQVmMAaC2n53yd74/
7dmH1cZ1S7iYdkWRNR6F0AObDmOooh1Mpq/meAmXQbeD9cA2PA==
-----END CERTIFICATE-----
And this cert request:
$ openssl req -text -in jbloggscert-req.pem
Using configuration from /usr/local/ssl/openssl.cnf
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=Washington, L=Seattle, O=Int'l Widget, OU=Tool
and Die, CN=Joeseph [EMAIL PROTECTED]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00:ba:cf:0c:7f:07:f3:0d:87:18:5f:b0:f6:2c:16:
0f:f7:aa:f8:fa:79:6a:38:f3:0e:ac:81:3f:70:5f:
65:48:b6:78:01:4f:c9:57:b4:1b:ea:ff:d8:c5:42:
c4:b1:31:f3:d8:e1:fc:6f:32:b0:5e:a8:c2:e5:e8:
1c:07:d5:a8:2f
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: md5WithRSAEncryption
a7:aa:e0:23:9e:1d:00:03:ea:6e:a9:78:8a:61:90:89:5d:f0:
50:56:df:29:72:13:f3:f4:39:b4:dc:e8:54:92:40:1e:0a:51:
c8:fc:44:a4:36:14:fb:ee:b6:e8:3a:2f:90:a1:c3:96:bf:48:
41:46:2f:95:76:85:ab:cc:af:64
-----BEGIN CERTIFICATE REQUEST-----
MIIBWzCCAQUCAQAwgZ8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9u
MRAwDgYDVQQHEwdTZWF0dGxlMRUwEwYDVQQKEwxJbnQnbCBXaWRnZXQxFTATBgNV
BAsTDFRvb2wgYW5kIERpZTEXMBUGA1UEAxMOSm9lc2VwaCBCbG9nZ3MxIjAgBgkq
hkiG9w0BCQEWE2pibG9nZ3NAaXdpZGdldC5jb20wXDANBgkqhkiG9w0BAQEFAANL
ADBIAkEAus8MfwfzDYcYX7D2LBYP96r4+nlqOPMOrIE/cF9lSLZ4AU/JV7Qb6v/Y
xULEsTHz2OH8bzKwXqjC5egcB9WoLwIDAQABoAAwDQYJKoZIhvcNAQEEBQADQQCn
quAjnh0AA+puqXiKYZCJXfBQVt8pchPz9Dm03OhUkkAeClHI/ESkNhT77rboOi+Q
ocOWv0hBRi+VdoWrzK9k
-----END CERTIFICATE REQUEST-----
And a policy called "organization" that looks like:
# Slightly looser policy - must be same company, may be different
division
[ organization ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = supplied
commonName = supplied
emailAddress = supplied
The CA fails to certify the request, because the Subject has a different
organizationName from the CA. That's fine, but I think in the
explanation provided, the strings for CA organization and Subject
organization are switched (bug is the last line):
<sorry for the gnarly formatting>
$ openssl ca -name aug5 -in jbloggscert-req.pem -out joebloggs-cert.pem
-verbose -policy organization
Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase:
V 000805002110Z 01 unknown
/C=US/ST=Washington/O=WRQ, Inc./OU=WRQsec/CN=Joe [EMAIL PROTECTED]
V 000809031813Z 02 unknown
/C=US/ST=Washington/L=Seattle/O=Int'l Widget/OU=Tool and Die/CN=Joeseph
[EMAIL PROTECTED]
2 entries loaded from the database
generating indexs
message digest is md5
policy is organization
next serial number is 03
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=Washington, L=Seattle, O=Int'l Widget, OU=Tool
and Die, CN=Joeseph [EMAIL PROTECTED]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00:ba:cf:0c:7f:07:f3:0d:87:18:5f:b0:f6:2c:16:
0f:f7:aa:f8:fa:79:6a:38:f3:0e:ac:81:3f:70:5f:
65:48:b6:78:01:4f:c9:57:b4:1b:ea:ff:d8:c5:42:
c4:b1:31:f3:d8:e1:fc:6f:32:b0:5e:a8:c2:e5:e8:
1c:07:d5:a8:2f
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: md5WithRSAEncryption
a7:aa:e0:23:9e:1d:00:03:ea:6e:a9:78:8a:61:90:89:5d:f0:
50:56:df:29:72:13:f3:f4:39:b4:dc:e8:54:92:40:1e:0a:51:
c8:fc:44:a4:36:14:fb:ee:b6:e8:3a:2f:90:a1:c3:96:bf:48:
41:46:2f:95:76:85:ab:cc:af:64
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'Washington'
localityName :PRINTABLE:'Seattle'
organizationName :PRINTABLE:'Int'l Widget'
organizationalUnitName:PRINTABLE:'Tool and Die'
commonName :PRINTABLE:'Joeseph Bloggs'
emailAddress :IA5STRING:'[EMAIL PROTECTED]'
The organizationName field needed to be the same in the
CA certificate (Int'l Widget) and the request (WRQ, Inc.)
$
^^^^^<--------REVERSED---------->^^^^^
Pretty minor, but probably easy to fix.
-Mike Slass
WRQ, Inc.
Seattle, WA, USA
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
