Looks like there is a bug in openssl when handling the subjectAltName. Can somebody confirm? Are fixes within reach? Am I doing something wrong here?
Openssl version used for testing is the CVS version from today.
Details for bug reproduction should be below.
Bug #1: An empty X509v3 Subject Alternative Name: extension is created.
Bug #2: The email address in the request is not used.
Bernhard
$ openssl version
OpenSSL 0.9.8-dev XX xxx XXXX
CVS from today 20020620
$ openssl req -in newreq.pem -text
Certificate Request:
Data:
Version: 0 (0x0)
Subject: CN=Aegypten Test5, L=Osnabrueck, OU=Labs, O=Intevation GmbH, C=DE
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:e8:ef:56:06:d0:67:d0:9d:bb:03:98:ce:de:6b:
88:88:b1:83:76:5d:08:ba:62:eb:15:a7:e3:ac:5a:
4f:93:0d:33:8f:6a:28:3c:ee:cb:47:59:43:8a:ed:
f8:bb:99:83:91:4b:71:54:a9:e7:3a:94:63:1d:ae:
2d:93:bc:20:e4:d9:39:53:5a:53:5d:50:d5:d2:2a:
d3:c2:c0:0a:6f:e0:03:19:4e:5f:40:72:16:89:eb:
9a:42:84:98:c5:cd:a9:26:69:de:3d:4f:4d:39:fb:
14:0c:a5:bb:bd:56:f6:4a:14:e6:cb:78:b3:94:ce:
b4:96:d4:40:8d:24:9d:c3:25
Exponent: 41 (0x29)
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name:
email:[EMAIL PROTECTED]
Signature Algorithm: sha1WithRSAEncryption
03:c7:f2:cc:71:8c:87:d9:5c:48:ee:ef:fc:cb:82:09:52:60:
40:de:be:6c:40:d4:fc:64:f0:b0:3a:ac:0f:fb:58:38:ff:db:
0d:da:68:06:af:05:cc:73:5c:db:10:b5:bb:c1:5f:9d:66:c8:
e1:28:96:4a:f5:59:4c:ed:ab:f1:b5:64:32:87:88:34:17:1f:
99:cc:ca:48:df:93:06:6d:87:39:88:13:81:ee:22:bd:1b:4a:
16:41:f0:ff:89:ae:cb:a7:da:c4:a0:77:ec:8c:e2:59:e2:ed:
91:60:24:be:f4:b3:95:bc:b8:0d:67:c6:fc:63:44:b1:de:46:
b0:86
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
$ grep '^subjectAltName' /spare/aegypten/openssl/ssl/openssl.cnf
subjectAltName=email:move
$ openssl ca -noemailDN -policy policy_anything -out newcert.pem -infiles newreq.pem
Using configuration from /spare/aegypten/openssl/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jun 20 17:04:17 2002 GMT
Not After : Jun 20 17:04:17 2003 GMT
Subject:
countryName = DE
localityName = Osnabrueck
organizationName = Intevation GmbH
organizationalUnitName = Labs
commonName = Aegypten Test5
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
72:7C:E9:78:AA:BB:01:A2:6F:92:7C:22:03:D1:D0:9E:74:7F:F3:F3
X509v3 Authority Key Identifier:
keyid:75:D0:0F:DB:51:35:F0:94:93:D6:53:F6:28:BF:04:CE:C9:F3:58:27
DirName:/C=de/ST=Some-State/O=Intevation
[EMAIL PROTECTED]
serial:00
X509v3 Subject Alternative Name:
<EMPTY>
Certificate is to be certified until Jun 20 17:04:17 2003 GMT (365 days)
Sign the certificate? [y/n]:n
CERTIFICATE WILL NOT BE CERTIFIED
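As an added example (not part of Bernhard's message and not OpenSSL's own code), here is a small Python gate that parses the text that `openssl req -text` and `openssl ca` print, as shown above, and reports when the issued certificate's subjectAltName is `<EMPTY>` or lacks an e-mail address that the request carried. The sample texts are constructed from the output on this page with a placeholder address, and the function names (`parse_san`, `request_emails`, `check_issued_san`) are mine.

```python
import re

# Constructed sample input, modelled on the `openssl req -text` output above.
# The address is a placeholder, not the one in the original message.
REQUEST_TEXT = """Certificate Request:
    Data:
        Subject: CN=Aegypten Test5, L=Osnabrueck, OU=Labs, O=Intevation GmbH, C=DE
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                email:test5@example.invalid
"""

# Constructed sample modelled on the "Certificate Details" block that
# `openssl ca` prints before asking "Sign the certificate?".
CERT_TEXT_EMPTY_SAN = """Certificate Details:
        Subject:
            countryName               = DE
            commonName                = Aegypten Test5
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name:
                <EMPTY>
"""

# Constructed sample of what a correct issuance would print.
CERT_TEXT_GOOD = """Certificate Details:
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                email:test5@example.invalid
"""

SAN_HEADER = re.compile(r"^\s*X509v3 Subject Alternative Name:\s*(critical)?\s*$")
EMAIL_IN_DN = re.compile(r"emailAddress\s*=\s*([^,/\s]+)")


def parse_san(text):
    """Return the SAN entries printed under the extension header
    (e.g. ['email:a@b', 'DNS:host']), [] for an <EMPTY> extension,
    or None when no subjectAltName header is present at all.
    OpenSSL prints the values on the single line following the header."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if not SAN_HEADER.match(line):
            continue
        for nxt in lines[i + 1:]:
            body = nxt.strip()
            if not body:
                continue
            if body == "<EMPTY>":
                return []
            return [e.strip() for e in body.split(",") if e.strip()]
        return []  # header was the last line; nothing printed under it
    return None


def request_emails(req_text):
    """E-mail addresses the request carries: an emailAddress in the subject DN
    plus any email: entries in its Requested Extensions SAN."""
    found = set(EMAIL_IN_DN.findall(req_text))
    san = parse_san(req_text)
    if san:
        found.update(e[len("email:"):] for e in san if e.startswith("email:"))
    return found


def check_issued_san(req_text, cert_text):
    """Gate to run before answering 'Sign the certificate?'. Returns a list of
    findings; an empty list means the SAN carries every e-mail the request had."""
    findings = []
    san = parse_san(cert_text)
    if san is None:
        findings.append("no subjectAltName extension in certificate")
        return findings
    if not san:
        findings.append("subjectAltName extension is present but <EMPTY>")
    cert_emails = {e[len("email:"):] for e in san if e.startswith("email:")}
    for addr in sorted(request_emails(req_text) - cert_emails):
        findings.append(f"request email {addr} is missing from certificate SAN")
    return findings


if __name__ == "__main__":
    for label, cert in (("empty SAN", CERT_TEXT_EMPTY_SAN), ("good", CERT_TEXT_GOOD)):
        result = check_issued_san(REQUEST_TEXT, cert)
        print(f"{label}: {'OK' if not result else '; '.join(result)}")
```

Feed it the output of `openssl req -noout -text -in newreq.pem` and either the "Certificate Details" block from `openssl ca` or `openssl x509 -noout -text -in newcert.pem`. Two OpenSSL facts help when reading a finding: `email:move` in `subjectAltName` only relocates an emailAddress that is present in the request's subject DN, and whether `openssl ca` (0.9.7 and later) honours a SAN from the request's Requested Extensions is governed by the `copy_extensions` option in the `ca` section of openssl.cnf.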