Hello everybody,

Has someone here worked before with special OIDs in
certificates?

I have made some changes in OpenCA to include the
special OIDs we have to include in our generated
certificates, but after the issuance of the
certificates, the information in the OIDs appears with
some strange characters (when viewed from Windows, the
OS our customers have), like those shown in these
images (the images are on another web page to avoid
saturating the list with unnecessary files ;-):

http://www.geocities.com/johnnygonzalezl/images/CertTest8b.PNG

http://www.geocities.com/johnnygonzalezl/images/CertTest7b.PNG

As you can see in the images, in our special OIDs
squares appear that are not part of the
information in the OID.

Example in text:
1.3.6.1.4.1.4710.1.3.2 =  800123987


I guess this behaviour isn't normal.

The changes I made in my configuration files:

1. Copy the extension files to:
/usr/local/OpenCA/etc/openssl/extfiles
An ls of that directory shows this:

CA_Operator.ext
CA_Operator.ext.template
Firma_Automatizada.ext
Firma_Automatizada.ext.template
Firma_Codigo.ext
Firma_Codigo.ext.template
Funcion_Publica.ext
Funcion_Publica.ext.template
Natural.ext
Natural.ext.template
Pertenencia.ext
Pertenencia.ext.template
Profesional_Titulado.ext
Profesional_Titulado.ext.template
RA_Operator.ext
RA_Operator.ext.template
Representacion.ext
Representacion.ext.template
VPN_Server.ext
VPN_Server.ext.template
VPN_ServerAuto.ext
VPN_ServerAuto.ext.template
Web_Server.ext
Web_Server.ext.template
Web_ServerPlus.ext
Web_ServerPlus.ext.template

Those are our extension files that cover our policies.

2. Change the file loa.xml.
It now looks like this:

<openca>
    <loa>
        <level>40</level>
        <name>Medium</name>
        <cert>
            <ext>
                <name>certificatePolicies</name>
                <CP>
                    <value>1.3.6.1.4.4308.10.50</value>
                </CP>
                <section>
                    <name>psec</name>
                    <policy_ID_tag>policyIdentifier</policy_ID_tag>
                    <CPS>
                        <URI>CPS.1 ="http://www.certicamara.com/dpc";</URI>
                    </CPS>
                </section>
            </ext>
        </cert>
    </loa>

    <loa>
        <level>50</level>
        <name>High</name>
        <cert>
            <ext>
                <name>certificatePolicies</name>
                <CP>
                    <value>1.3.6.1.4.4308.10.50</value>
                </CP>
                <section>
                    <name>psec</name>
                    <policy_ID_tag>policyIdentifier</policy_ID_tag>
                    <CPS>
                        <URI>CPS.1 ="http://www.certicamara.com/dpc";</URI>
                    </CPS>
                </section>
            </ext>
        </cert>
    </loa>
</openca>

Sorry for the indentation.

3. Change the file roles.xml in the rbac directory:
<openca>
    <access_control>
       <roles>
            <role>RA Operator</role>
            <role>Representacion</role>
            <role>Pertenencia</role>
            <role>Natural</role>
            <role>Profesional Titulado</role>
            <role>Funcion Publica</role>
            <role>Firma Codigo</role>
            <role>Firma Automatizada</role>
            <role>VPN Server</role>
            <role>VPN ServerAuto</role>
            <role>Web Server</role>
            <role>Web ServerPlus</role>
            <role>Domain Controller</role>
       </roles>
    </access_control>
</openca>


4. Files in /usr/local/OpenCA/etc/openssl/openssl:

CA_Operator.conf
CA_Operator.conf.template
Firma_Automatizada.conf
Firma_Automatizada.conf.template
Firma_Codigo.conf
Firma_Codigo.conf.template
Funcion_Publica.conf
Funcion_Publica.conf.template
Natural.conf
Natural.conf.template
Pertenencia.conf
Pertenencia.conf.template
Profesional_Titulado.conf
Profesional_Titulado.conf.template
RA_Operator.conf
RA_Operator.conf.template
Representacion.conf
Representacion.conf.template
VPN_Server.conf
VPN_Server.conf.template
VPN_ServerAuto.conf
VPN_ServerAuto.conf.template
Web_Server.conf
Web_Server.conf.template
Web_ServerPlus.conf
Web_ServerPlus.conf.template

If I run:
openssl asn1parse -inform PEM -in certTest10.crt
from a Linux console, I get this output in the OIDs
section:


  252:d=5  hl=2 l=   3 prim: OBJECT            :countryName
  257:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :CO
  261:d=3  hl=2 l=  34 cons: SET
  263:d=4  hl=2 l=  32 cons: SEQUENCE
  265:d=5  hl=2 l=   3 prim: OBJECT            :2.5.4.9
  270:d=5  hl=2 l=  25 prim: T61STRING         :Av el dorado # 69D - 35
  297:d=3  hl=2 l=  26 cons: SET
  299:d=4  hl=2 l=  24 cons: SEQUENCE
  301:d=5  hl=2 l=  10 prim: OBJECT            :1.3.6.1.4.1.4710.1.3.1
  313:d=5  hl=2 l=  10 prim: T61STRING             79987987
  325:d=3  hl=2 l=  27 cons: SET
  327:d=4  hl=2 l=  25 cons: SEQUENCE
  329:d=5  hl=2 l=  10 prim: OBJECT            :1.3.6.1.4.1.4710.1.3.2
  341:d=5  hl=2 l=  11 prim: T61STRING         :        800987654
  354:d=3  hl=2 l=  11 cons: SET
  356:d=4  hl=2 l=   9 cons: SEQUENCE
  358:d=5  hl=2 l=   3 prim: OBJECT            :serialNumber
  363:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :21

As you can see here, the info in the first special OID
appears OK:

:Av el dorado # 69D - 3

In the second special OID it appears without the colon
that separates the field and the value:

    79987

and in the third special OID it appears with some strange
spaces between the colon and the value:

:        800987654

The other special behaviour is that if I view the
request from a console using this openssl command:
openssl req -inform PEM -in /home/desarrollo/reqTest10.pem -text

the DN appears like this:

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: [EMAIL PROTECTED], CN=Johnny Gonzalez , OU=Internet, O=Ubiquando, C=CO/direccion=Av el dorado # 69D - 35/cedula=79987987/nit=800987654
        Subject Public Key Info:

Is this normal?

When I insert the request in OpenCA using "server
request" (PKCS#10) it appears this way:

1.3.6.1.4.1.4710.1.3.2=#1309383030393837363534,1.3.6.1.4.1.4710.1.3.1=#13083739393837393837,2.5.4.9=#1417417620656C20646F7261646F202320363944202D203335,C=CO,O=Ubiquando,OU=Internet,CN=Johnny Gonzalez\ ,[EMAIL PROTECTED]

Is this normal?

I guess all the required steps are done, aren't they?
What can I do to solve this problem with my OIDs?


The way I'm adding the OIDs in the openssl
configuration files is this:

[ new_oids ]

# testoid1=1.2.3.4
# testoid2=${testoid1}.5.6
# pseudonym=2.5.4.65

# --------Certicamara policies-------------**
direccion = 2.5.4.9
nit = 1.3.6.1.4.1.4710.1.3.2
cedula = 1.3.6.1.4.1.4710.1.3.1
# --------Certicamara policies-------------**


# For the CA policy
[ policy_match ]
countryName             = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = optional
emailAddress            = optional

# --------Certicamara policies-------------**
direccion               = optional
cedula                  = optional
nit                     = optional
# --------Certicamara policies-------------**




# --------Certicamara policies-------------**
direccion                       = UTF8:Direccion
cedula                          = UTF8:Cedula
nit                             = UTF8:Nit
# --------Certicamara policies-------------**
# Here I tried without the UTF8: and the result is the same.

SET-ex3                         = SET extension number 3


In this last part you can see:
direccion                       = UTF8:Direccion

I tried first without the UTF8:, like this:

direccion                       = Direccion


Is this ok?
I'm testing now with openssl-0.9.8, but the results
are the same.


Thanks a lot for any help,

Johnny

PS: Sorry about the size of the message. The following
URL has an example of my openssl config for the role:
Natural. Change the extension to .conf :-)


http://www.geocities.com/johnnygonzalezl/misc/Natural.txt
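The "attr=#hex" DN form that OpenCA shows for the request carries each attribute value as a raw DER TLV, so it can be decoded to see the exact string type and every byte inside the value. The following is an added example, not code from the post or from OpenCA: it parses that DN form, decodes the hex values, and flags control bytes (the bytes a GUI certificate viewer renders as squares) and characters that are not legal in a PrintableString. The DN string and the final control-byte sample are constructed from the values in the post.

```python
import re
import string

# Constructed sample DN in the "attr=#hex" form OpenCA showed for the PKCS#10 request;
# the three hex values are the ones from the post, the rest is a shortened stand-in.
SAMPLE_DN = ("1.3.6.1.4.1.4710.1.3.2=#1309383030393837363534,"
             "1.3.6.1.4.1.4710.1.3.1=#13083739393837393837,"
             "2.5.4.9=#1417417620656C20646F7261646F202320363944202D203335,"
             "C=CO,O=Ubiquando")

# ASN.1 universal tags for the string types found in X.500 attribute values
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "T61String",
               0x16: "IA5String", 0x1E: "BMPString"}

# Alphabet permitted in a PrintableString (X.680)
PRINTABLE = set(string.ascii_letters + string.digits + " '()+,-./:=?")


def decode_hex_value(hexstr):
    """Decode one DER TLV given as hex; return (string type, text, list of problems)."""
    raw = bytes.fromhex(hexstr)
    tag, length = raw[0], raw[1]
    if length & 0x80:  # DN attribute values are short; long-form lengths are out of scope here
        raise ValueError("long-form length not handled")
    value = raw[2:2 + length]
    if len(value) != length:
        raise ValueError("declared length %d but only %d value bytes" % (length, len(value)))
    problems = []
    # Bytes below 0x20 (and DEL) are what a certificate viewer renders as squares
    ctrl = [b for b in value if b < 0x20 or b == 0x7F]
    if ctrl:
        problems.append("control bytes " + ", ".join("0x%02X" % b for b in ctrl))
    if tag == 0x13 and any(chr(b) not in PRINTABLE for b in value):
        problems.append("bytes outside the PrintableString alphabet")
    text = value.decode("utf-8") if tag == 0x0C else value.decode("latin-1")
    return STRING_TAGS.get(tag, "tag 0x%02X" % tag), text, problems


def parse_dn(dn):
    """Split an 'attr=value,...' DN and decode every #hex value.
    Returns a list of (attribute, string type, text, problems) tuples."""
    out = []
    for attr, val in re.findall(r"([^=,]+)=(#[0-9A-Fa-f]+|[^,]*)", dn):
        if val.startswith("#"):
            out.append((attr,) + decode_hex_value(val[1:]))
        else:
            out.append((attr, "plain", val, []))
    return out


if __name__ == "__main__":
    for attr, kind, text, problems in parse_dn(SAMPLE_DN):
        print("%-24s %-16s %-26r %s" % (attr, kind, text, "; ".join(problems) or "ok"))
    # Constructed: a T61String whose declared length (11) exceeds the 9 visible digits by two
    # control bytes, the shape of value that asn1parse would report as l=11 for "800987654".
    print(decode_hex_value("140B0A09383030393837363534"))
```

Comparing the declared length with the number of visible characters is the quickest check: the asn1parse output above reports l=10 and l=11 for values that show only 8 and 9 characters.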



                


_______________________________________________
OpenCA-Devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-devel
