This is not a bug, it's a misunderstanding on your part.

By default, request extensions aren't copied to the new certificate.
However, in the [ca] section, you can have the setting
'copy_extensions' with one of the following values:

    none        Doesn't copy anything (default)
    copy        Copy extensions that aren't already present in
                the new certificate.
    copyall     Copy all extensions (this replaces existing
                extensions with the same OID, and is NOT
                recommended)

You probably want to have 'copy_extensions=copy'.

The other thing you've misunderstood is the meaning of 'email:move'.
That will move any email RDN value from the subject and put them in
the given extension.

I'm killing this ticket.

[[EMAIL PROTECTED] - Fri Jun 21 09:55:29 2002]:
> Looks like there is a bug in openssl when handling
> the subjectAltName. Can somebody confirm? Are fixes within reach?
> Am I doing something wrong here?
>
> Openssl version used for testing is the CVS version from today.
> Details for bug reproduction should be below.
>
> Bug #1: An empty X509v3 Subject Alternative Name: extension is
> created.
> Bug #2: The email address in the request is not used.
>
> Bernhard
>
>
> $ openssl version
> OpenSSL 0.9.8-dev XX xxx XXXX
> CVS from today 20020620
>
> $ openssl req -in newreq.pem -text
> Certificate Request:
> Data:
> Version: 0 (0x0)
> Subject: CN=Aegypten Test5, L=Osnabrueck, OU=Labs,
> O=Intevation GmbH, C=DE
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public Key: (1024 bit)
> Modulus (1024 bit):
> Exponent: 41 (0x29)
> Attributes:
> Requested Extensions:
> X509v3 Subject Alternative Name:
> email:[EMAIL PROTECTED]
> Signature Algorithm: sha1WithRSAEncryption
>
>
> grep '^subjectAltName' /spare/aegypten/openssl/ssl/openssl.cnf
> subjectAltName=email:move
>
>
> openssl ca -noemailDN -policy policy_anything -out newcert.pem
> -infiles newreq.pem
> Using configuration from /spare/aegypten/openssl/ssl/openssl.cnf
> Enter pass phrase for ./demoCA/private/cakey.pem:
> Check that the request matches the signature
> Signature ok
> Certificate Details:
> Serial Number: 1 (0x1)
> Validity
> Not Before: Jun 20 17:04:17 2002 GMT
> Not After : Jun 20 17:04:17 2003 GMT
> Subject:
> countryName = DE
> localityName = Osnabrueck
> organizationName = Intevation GmbH
> organizationalUnitName = Labs
> commonName = Aegypten Test5
> X509v3 extensions:
> X509v3 Basic Constraints:
> CA:FALSE
> Netscape Comment:
> OpenSSL Generated Certificate
> X509v3 Subject Key Identifier:
> 72:7C:E9:78:AA:BB:01:A2:6F:92:7C:22:03:D1:D0:9E:74:7F:F3:F3
> X509v3 Authority Key Identifier:
> keyid:75:D0:0F:DB:51:35:F0:94:93:D6:53:F6:28:BF:04:CE:C9:F3:58:27
> DirName:/C=de/ST=Some-State/O=Intevation
> [EMAIL PROTECTED]
> serial:00
>
> X509v3 Subject Alternative Name:
> <EMPTY>
>
> Certificate is to be certified until Jun 20 17:04:17 2003 GMT (365
> days)
> Sign the certificate? [y/n]:n
> CERTIFICATE WILL NOT BE CERTIFIED
>
--
Richard Levitte
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
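
The effect of 'copy_extensions' described in the reply above, as an added example that is not part of the original thread or of OpenSSL's own files: a throwaway CA signs the same request once with `none` and once with `copy`. It assumes an `openssl` binary (1.1.1 or later) on the PATH; the section names, subject names and the address `test5@example.test` are constructed for the demo.

```shell
# Added example: throwaway CA in a temp dir; names, address and section names
# are constructed for this demo.
# issue_san MODE: sign one request with copy_extensions=MODE, print cert text.
issue_san() {
    mode=$1
    d=$(mktemp -d) || return 1
    mkdir "$d/newcerts"; : > "$d/index.txt"; echo 01 > "$d/serial"
    cat > "$d/demo.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database        = $d/index.txt
new_certs_dir   = $d/newcerts
serial          = $d/serial
certificate     = $d/ca.pem
private_key     = $d/ca.key
default_md      = sha256
default_days    = 30
policy          = policy_anything
x509_extensions = usr_cert
copy_extensions = $mode
[ policy_anything ]
commonName = supplied
[ usr_cert ]
# No subjectAltName here: "copy" only adds extensions not already present.
basicConstraints = critical,CA:FALSE
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[ dn ]
CN = placeholder
[ v3_req ]
subjectAltName = email:test5@example.test
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -subj "/CN=Demo CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -subj "/CN=Aegypten Test5" -keyout "$d/req.key" -out "$d/req.pem" 2>/dev/null &&
    openssl ca -batch -config "$d/demo.cnf" -in "$d/req.pem" \
        -out "$d/cert.pem" 2>/dev/null &&
    openssl x509 -in "$d/cert.pem" -noout -text
    rc=$?; rm -rf "$d"; return $rc
}

for m in none copy; do
    echo "copy_extensions=$m:"
    issue_san "$m" | grep -A1 'Subject Alternative Name' || echo "  (no subjectAltName issued)"
done
```

With `copy`, whatever extensions the requester put in the CSR reach the signed certificate unless the CA's own extension section already sets them, so requests should be inspected with `openssl req -text` before signing.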