Hi Michael,

Michael Bell wrote:
Oliver Welter wrote:

Hi all,

I found the problem why multiple email addresses in subject_alt_name disappear...

It is a problem with openssl:
To create a Subject_alt_name with multiple eMail Addresses there are two possibilities to write the extension file:

---snipp---
subjectAltName=email:[EMAIL PROTECTED],email:[EMAIL PROTECTED]
---snapp---

OR

---snipp---
[EMAIL PROTECTED]

[alt_section]

[EMAIL PROTECTED]
[EMAIL PROTECTED]
---snapp---


OpenCA currently uses the second version, the Subject_alt_name is passed to the CA as
SUBJECT_ALT_NAME = email:[EMAIL PROTECTED],email:[EMAIL PROTECTED]

but is split up into its parts while generating the extension.

I see 3 possible approaches to solve the problem:

a) Switch to the first notation
b) Modify the passing from RA to reflect the correct naming, e.g.
SUBJECT_ALT_NAME = email.1:[EMAIL PROTECTED],email.2:[EMAIL PROTECTED]
c) Rewrite the extfile creation util to add the index-numbers

I think there is a reason why you haven't taken a) in the past, b) will look ugly and c) is the method IMHO.


I would prefer c) too. a) was not used because we store this stuff in a single line in our own header and this header line is compatible with OpenSSL's one-line style. I would prefer c) because b) would perhaps break other scripts.

Michael

OK, I tried some things...
To keep it easy - openssl seems to accept everything that looks like subjectname.number=value:

[ subject_alt_name ]
email.0= [EMAIL PROTECTED]
IP.1 = 127.0.0.1
email.2= [EMAIL PROTECTED]
otherName.3=.....

So the "patch" for solution c) is just to put a counter-var to the "crypto_get_subject_alt_names" routine.

I tried some samples on the commandline with my openssl version and there is no piece of doc that I can find which conflicts with the approach.

Any clues? If not I will test this a little bit and send it to cvs...

Oliver

--
This message was digitally signed
oliwel's public key: http://www.oliwel.de/oliwel.crt
Base certificate: http://www.ldv.ei.tum.de/page72
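
Approach c) from this thread, as an added example that is not part of the original message and not OpenCA's code: a Python sketch that turns the one-line SUBJECT_ALT_NAME header into the section form with a running counter on each key, and rejects values that would inject extra lines into the extension file. The function names, the section name `alt_section` and the sample addresses are assumptions made for illustration, and values are assumed to contain no commas.

```python
import re

# Name-type token such as email, IP, DNS, URI, otherName (letters only).
_TYPE_RE = re.compile(r"[A-Za-z]+")


def split_alt_names(one_line):
    """Split 'type:value,type:value' (the one-line header form) into pairs."""
    pairs = []
    for item in one_line.split(","):
        item = item.strip()
        # Split on the first colon only, so 'URI:http://...' stays intact.
        kind, sep, value = item.partition(":")
        kind, value = kind.strip(), value.strip()
        if not sep or not value or not _TYPE_RE.fullmatch(kind):
            raise ValueError(f"malformed subjectAltName entry: {item!r}")
        # A control character (e.g. newline) would start a new config line
        # and let request data add its own directives to the extension file.
        if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
            raise ValueError(f"control character in entry: {item!r}")
        pairs.append((kind, value))
    return pairs


def render_alt_section(one_line, section="alt_section"):
    """Emit the section form with a running counter on every key."""
    lines = [f"subjectAltName=@{section}", "", f"[{section}]"]
    for index, (kind, value) in enumerate(split_alt_names(one_line)):
        lines.append(f"{kind}.{index}={value}")
    return "\n".join(lines) + "\n"


def section_keys(ext_text):
    """Return the key names from rendered text (used to check uniqueness)."""
    return [ln.split("=", 1)[0] for ln in ext_text.splitlines()
            if "=" in ln and not ln.startswith("subjectAltName")]


if __name__ == "__main__":
    # Constructed sample input, not taken from the thread.
    sample = "email:alice@example.org,email:bob@example.org,IP:127.0.0.1"
    print(render_alt_section(sample), end="")
```
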
