First consultation
To clarify concepts, apologize (if appropriate), set out the project and begin drawing it up.

1) We have been attacked as fascists, Nazis and dictators. None of those who attacked us know that the "Fascio" and National Socialism were political doctrines of Count D'Annunzio and of Heidelberg; instead they should have labelled us Mussolinists or Hitlerians, who were the ones who distorted those political theories.

2) We have been asked to identify ourselves personally in the face of the accusation of cowardice, and on the other hand we have been accused of pursuing personal projects. Neither the one nor the other: our age puts us beyond any kind of personal political speculation. Our concern is the country, our children and grandchildren. The names do not matter, because it will be you who decide the future of the country.

3) Out of 750,000 e-mails sent, we have not received a single one that refuted our assessment of Julio Argentino Roca's project for the country, and likewise none told us whether Irigoyen, Justo, Peron, Ilia, Frondizi or Alfonsin had a project for the country.

Consequently, enough of false personal speculation, and "Argentines, to the things".

Procedure

A series of questions on all areas of the country's life will be sent over several e-mails. Anyone may voluntarily give an opinion on them simply by putting "Yes" next to what they agree with. Those e-mails will be kept in files that will be available every sixty days to whoever requests them, as will the progress of the opinions.

For processing reasons, e-mails must be sent only to these addresses (by pressing the Reply setting): [EMAIL PROTECTED]. Unsubscribe requests to [EMAIL PROTECTED].

Each e-mail must be sent only once. If within ten days you do not receive confirmation of receipt, send it again to another of the three addresses given. Send any query, doubt or concern only to [EMAIL PROTECTED].

First consultation

Political system
  Do you wish to keep the current presidential system: Yes
  Do you wish a parliamentary system like that of Italy, Germany or France to be implemented:

Chambers
  Unicameral system: Yes
  Bicameral system:

Terms of office
  Four-year term for deputies and six-year term for senators:
  Four-year term for all: Yes

Renewal of chambers
  Deputies, partial renewal every two years:
  Deputies, total renewal every four years: Yes
  Senators, renewal by thirds: Yes
  Senators, total renewal:

Subsidies
  Authorization for legislators to grant subsidies:
  Prohibition on legislators granting subsidies: Yes

Remuneration
  Allowance set by the chambers:
  Allowance set by law: Yes
  Recognition of travel and mobility expenses:
  No recognition: Yes

Vote
  Compulsory vote:
  Voluntary vote: Yes
  Blanket list ("lista sabana"):
  List with free choice of candidates: Yes

Until next time.
__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
ca.c fix [-noemailDN]
Hi,

I found 2 bugs in the previous patch, so here are the fixes against the latest SNAP (20011026). Problems:

1. the dn_subject structure was not freed at the end of the do_body function;
2. the dn_subject was not set (empty) if email_dn was set to 1. This caused the entry in the index.txt file to report null DN set.

To apply the patch, simply copy it into the openssl/apps dir and do the following:

$ patch < ca.c.fix-20011026

This will fix the bugs listed.

--
C'you,
Massimiliano Pala
--o-
Massimiliano Pala [OpenCA Project Manager] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
http://www.openca.org Tel.: +39 (0)59 270 094
http://openca.sourceforge.net Mobile: +39 (0)347 7222 365

--- ca.cThu Oct 25 11:00:26 2001 +++ ca.c.newSat Oct 27 18:51:09 2001 @@ -238,7 +238,7 @@ int verbose, X509_REQ *req, char *ext_sect, CONF *conf, unsigned long certopt, unsigned long nameopt, int default_op, int ext_copy); -static X509_NAME *do_subject(char *subject, int email_dn); +static X509_NAME *do_subject(char *subject); static int do_revoke(X509 *x509, TXT_DB *db, int ext, char *extval); static int get_certificate_status(const char *ser_status, TXT_DB *db); static int do_updatedb(TXT_DB *db); @@ -1859,7 +1859,7 @@ if (subj) { - X509_NAME *n = do_subject(subj, email_dn); + X509_NAME *n = do_subject(subj); if (!n) { @@ -2071,6 +2071,11 @@ } } } + else + { + dn_subject=X509_NAME_dup(subject); + if(dn_subject == NULL) goto err; + } row[DB_name]=X509_NAME_oneline(dn_subject,NULL,0); row[DB_serial]=BN_bn2hex(serial); @@ -2325,6 +2330,8 @@ if (CAname != NULL) X509_NAME_free(CAname); + if (dn_subject != NULL) + X509_NAME_free(dn_subject); if (subject != NULL) X509_NAME_free(subject); if (tmptm != NULL) @@ -2992,7 +2999,7 @@ return ret; } -static X509_NAME *do_subject(char *subject, int email_dn) +static X509_NAME *do_subject(char *subject) { X509_NAME *n = NULL; 
@@ -3040,9 +3047,6 @@ BIO_printf(bio_err, No value provided for Subject Attribute %s, skipped\n, ne_name); continue; } - - if ((nid == NID_pkcs9_emailAddress) (email_dn == 0)) - continue; if (!X509_NAME_add_entry_by_NID(n, nid, MBSTRING_ASC, (unsigned char*)ne_value, -1,-1,0)) {
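Review bot: In the @@ -2071 hunk the new else branch jumps to err when X509_NAME_dup() returns NULL without writing anything to bio_err, so an allocation failure at this point ends the run with no explanation. Print a short message before the goto, in the style of the BIO_printf(bio_err, ...) call visible in the do_subject hunk.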
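Review bot: The cleanup added in the @@ -2325 hunk frees dn_subject whenever it is non-NULL, which is only safe if dn_subject is initialised to NULL where do_body declares it; that declaration is not part of this patch, and any jump to the cleanup taken before the assignment would otherwise free an uninitialised pointer. Please confirm the initialiser or add it here. With the X509_NAME_dup() in the new else branch, dn_subject and subject are distinct objects, so freeing both is correct.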
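Review bot: The hunks at @@ -238, @@ -1859, @@ -2992 and @@ -3040 drop the email_dn parameter and the emailAddress skip from do_subject(), which is a behaviour change separate from the two bugs listed in the message: a subject built by do_subject() now always keeps its emailAddress entry and relies on do_body to strip it. Send this as its own patch with its own description, so the leak fix and the null-DN fix can be applied independently.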
Re: ca.c fix [-noemailDN]
Massimiliano Pala wrote:
> Hi,
>
> I found 2 bugs in the previous patch, so here are the fixes against the latest SNAP (20011026). Problems:
>
> 1. the dn_subject structure was not freed at the end of the do_body function;
> 2. the dn_subject was not set (empty) if email_dn was set to 1. This caused the entry in the index.txt file to report null DN set.
>
> To apply the patch, simply copy it into the openssl/apps dir and do the following:
>
> $ patch < ca.c.fix-20011026
>
> This will fix the bugs listed.

Thanks, I noticed these when I was attempting a different patch.

I think the fix I've done is functionally equivalent to your patch, except it doesn't delete the email_dn option from do_subject(), which I'll commit separately.

Also I've deleted emailAddress from the DN in a different way: dup the name then delete any emailAddress entries; this should retain the X509_NAME structure in the event of multi-valued AVAs being used.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
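The reply above prefers copying the name and deleting emailAddress entries because that keeps multi-valued RDNs intact. As an added example (not code from the patch, the reply or OpenSSL), the following small C model shows the difference against a rebuild that re-adds the kept entries one by one; struct ava, its set field, the function names and the sample DN are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model, not OpenSSL's own types: a DN is a flat array of
 * entries, and entries sharing a `set` number form one (multi-valued) RDN. */
struct ava { const char *type, *value; int set; };
/* Count RDNs: each change of `set` between neighbours starts a new one. */
int rdn_count(const struct ava *dn, int n) {
    int i, c = 0;
    for (i = 0; i < n; i++)
        if (i == 0 || dn[i].set != dn[i - 1].set) c++;
    return c;
}

/* Remove entry `loc` in place; renumber later sets only if its RDN is now empty. */
int delete_entry(struct ava *dn, int n, int loc) {
    int i, prev = loc > 0 ? dn[loc - 1].set : dn[loc].set - 1;
    memmove(&dn[loc], &dn[loc + 1], (size_t)(n - loc - 1) * sizeof *dn);
    n--;
    if (loc < n && prev + 1 < dn[loc].set)
        for (i = loc; i < n; i++) dn[i].set--;
    return n;
}

/* Dup-then-delete: copy the whole name, then drop emailAddress entries. */
int strip_dup_delete(const struct ava *src, int n, struct ava *dst) {
    int i;
    memcpy(dst, src, (size_t)n * sizeof *src);
    for (i = 0; i < n; )
        if (strcmp(dst[i].type, "emailAddress") == 0) n = delete_entry(dst, n, i); else i++;
    return n;
}

/* Contrast case (assumed): rebuild, appending each kept entry as its own RDN. */
int strip_rebuild(const struct ava *src, int n, struct ava *dst) {
    int i, m = 0;
    for (i = 0; i < n; i++)
        if (strcmp(src[i].type, "emailAddress") != 0) { dst[m] = src[i]; dst[m].set = m; m++; }
    return m;
}

/* Constructed sample: C=IT, emailAddress=..., {CN=Alice + UID=a1}. */
const struct ava SAMPLE[4] = { {"C", "IT", 0}, {"emailAddress", "alice@example.test", 1},
                               {"CN", "Alice", 2}, {"UID", "a1", 2} };
int main(void) {
    struct ava a[4], b[4];
    int na = strip_dup_delete(SAMPLE, 4, a), nb = strip_rebuild(SAMPLE, 4, b);
    printf("dup+delete: %d RDNs, rebuild: %d RDNs\n", rdn_count(a, na), rdn_count(b, nb));
    return 0;
}
```

In the model, the copy keeps CN and UID in one RDN after the e-mail entry is removed, while the rebuild turns them into two RDNs, which changes the name that ends up in the certificate and in index.txt.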
OpenSSL and Patches for CAs
Hi all,

I am re-posting this message as I have received no replies to it. If no one is interested in the proposals then simply ignore this message.

-----

[ openssl ca command improve ]

Some work could be initially done by introducing another switch (and conf keyword) to enable/disable the usage of the index.txt backend during certificate issuing -- this would enable using ca command with unsupported certificate profiles (such as duplicate DNs).

Then, with patience, it should be a good thing starting a rewriting of the backend db support ... and then, only then, we could start adding new RFCs supported certificate profiles (empty DNs, etc... )... This is a quite big work to be done. I am not sure but I think it can be done without backward compatibility issues rising...

[ libca development ]

Another idea worth exploring could be the writing of a libca where ca functions are held as most of them are getting quite big and important and having in one large ca.c should be avoided. I am not sure this is the scope of the openssl project but as this lib will be strictly tied with openssl library itself it could be useful having it together with the package.

--
C'you,
Massimiliano Pala
--o-
Massimiliano Pala [OpenCA Project Manager] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
http://www.openca.org Tel.: +39 (0)59 270 094
http://openca.sourceforge.net Mobile: +39 (0)347 7222 365

--- ca.pod Mon Oct 22 19:20:50 2001 +++ ca.pod.new Mon Oct 22 19:20:25 2001 @@ -34,6 +34,7 @@ [B-spkac file] [B-ss_cert file] [B-preserveDN] +[B-noemailDN] [B-batch] [B-msie_hack] [B-extensions section] 
@@ -157,6 +158,16 @@ older IE enrollment control which would only accept certificates if their DNs match the order of the request. This is not needed for Xenroll. +=item B-noemailDN + +The DN of a certificate can contain the EMAIL field if present in the +request DN, however it is good policy just having the e-mail set into +the altName extension of the certificate. When this option is set the +EMAIL field is removed from the certificate' subject and set only in +the, eventually present, extensions. The Bemail_in_dn keyword can be +used in the configuration file to enable this behaviour. + +=item B-batch =item B-batch this sets the batch mode. In this mode no questions will be asked @@ -437,6 +448,7 @@ default_md = md5 # md to use policy = policy_any# default policy + email_in_dn= no# Don't add the email into cert DN nameopt = default_ca# Subject name display option certopt = default_ca# Certificate display option @@ -518,8 +530,11 @@ BCA.pl help a little but not very much. Any fields in a request that are not present in a policy are silently -deleted. This does not happen if the B-preserveDN option is used. -The behaviour should be more friendly and configurable. +deleted. This does not happen if the B-preserveDN option is used. To +enforce the absence of the EMAIL field within the DN, as suggested by +RFCs, regardless the contents of the request' subject the B-noemailDN +option can be used. The behaviour should be more friendly and +configurable. Cancelling some commands by refusing to certify a certificate can create an empty file.
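Review bot: The @@ -157 hunk ends its additions with a second "=item B-batch" line placed directly above the existing "=item B-batch" context line, so the batch item heading would appear twice in ca.pod; drop the added line. In the same new paragraph, the sentence about the email_in_dn keyword should say which value turns the stripping on, since the sample added in the @@ -437 hunk sets email_in_dn to no while the text only says the keyword can be used "to enable this behaviour".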
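Review bot: "as suggested by RFCs" in the @@ -518 hunk gives the reader nothing to check; name the RFC and section that recommends carrying the address in the altName extension, or drop the clause. The same sentence needs "regardless of" and "request's subject", and a comma before "the B-noemailDN option can be used".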