Hi,

While we were porting 0.9.7D to our latest VMS product,
we ran into some issues with [.APPS]OPENSSL-VMS.CNF.
The bulleted list of items highlights each area of concern.

· Missing field names in OPENSSL-VMS.CNF

   In comparing OPENSSL-VMS.CNF with OPENSSL.CNF,
   it appears there are a few new items that are not in OPENSSL-VMS.CNF:

      - unique_subject
      - crlnumber
      - name_opt
      - cert_opt
      - copy_extensions
      - input_password
      - output_password

· Should crlnumber point to a file?

   While the crlnumber is commented out, we were wondering if that
   is supposed to be pointing to a file similar to SERIAL?

· Where should name_opt and cert_opt be located?

   Both name_opt and cert_opt point to ca_default.  However, we
   cannot find a ca_default in the file.  We can find a CA_default, but the
   case of the leading CA is different.  The other problem here is that
   if we were to change ca_default to CA_default for these two, the
   CA_default is located before them in the file.

· nombstr vs. nobmp

   nombstr appears in the OPENSSL.CNF file, while nobmp appears
   in the OPENSSL-VMS.CNF file, but they each have the same value.
   Has nombstr replaced nobmp?

· string_mask vs. dirstring_type

   The previous bullet is further confused because string_mask appears in
   OPENSSL.CNF and nobmp appears in OPENSSL-VMS.CNF.  Is this
   another case of string_mask replacing dirstring_type?

· emailAddress_max

   The value has increased from 40 to 64.  I'm assuming we should be
   putting this change into OPENSSL-VMS.CNF as well.

· Changes/Diffs

   Two patch files between 0.9.7D of OPENSSL.CNF and
   OPENSSL-VMS.CNF have been included as attachments.
   They highlight the changes that we have outlined above.
   They are in a VMS diff format and a Unix diff format.

While working with the UNIQUE_SUBJECT feature in 0.9.7D,
we ran into a couple of problems.  The set of fixes is found in
DIFFS.DIFF, includes fixes to APPS.C, APPS.H, and CA.C, and
has been included as an attachment as well.

We fixed the situation where signing a certificate request a second time
would pass the database check, and then fail later on when it tried to
write it out to the database.  The problem was that it would try to look
up the certificate with the new serial number, and naturally not find it.
Then, when it tried to write the certificate to the database, it would use
the name for the lookup, and fail with “TXT_DB error number 2”.  In the
case of the error, we added code to clean up the empty file as well.

If you have any questions, please let us know.

Thank you.

Kevin

Kevin Greaney
OpenVMS Engineering
Hewlett-Packard Company
110 Spit Brook Road
Nashua, NH  03062
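
Added illustration, not code from the message or from OpenSSL: a Python model of the `ca` index database that reproduces the failure described above (the pre-check looks the request up by its new serial number and so always passes; the write then clashes on the subject and reports TXT_DB error number 2) beside the corrected order of checks, which tests the subject first and removes the empty certificate file when the write fails. IndexDb, sign_request and demo are hypothetical names.

```python
# Added example (not code from the message or from OpenSSL): a model of the
# `ca` index database showing why a second signing of a request with an
# already-issued subject passes the pre-check but fails at write time.
import os
import tempfile

TXT_DB_ERROR_INDEX_CLASH = 2      # the "TXT_DB error number 2" from the message
class IndexDb:
    # Constructed stand-in for index.txt: one (status, serial, subject) row per cert.
    def __init__(self):
        self.rows = []

    def lookup_serial(self, serial):
        return next((r for r in self.rows if r[1] == serial), None)

    def lookup_subject(self, subject):
        return next((r for r in self.rows if r[2] == subject), None)

    def insert(self, row):
        # With unique_subject on, the subject is an index too; a clash is error 2.
        if self.lookup_serial(row[1]) or self.lookup_subject(row[2]):
            return TXT_DB_ERROR_INDEX_CLASH
        self.rows.append(row)
        return 0

def sign_request(db, subject, serial, outdir, check_by_subject):
    # check_by_subject=False reproduces the broken pre-check: it looks up the
    # *new* serial, which cannot exist yet, so the check always passes.
    if check_by_subject and db.lookup_subject(subject):
        return False, "subject already present in database"
    if not check_by_subject and db.lookup_serial(serial):
        return False, "serial already present in database"
    path = os.path.join(outdir, "%02X.pem" % serial)   # file created before row
    open(path, "w").close()
    err = db.insert(("V", serial, subject))
    if err:
        os.remove(path)          # the fix: do not leave an empty cert file behind
        return False, "TXT_DB error number %d" % err
    return True, None            # a real CA would now write the PEM certificate

def demo():
    # Run the broken and the fixed pre-check against separate fresh databases.
    outdir = tempfile.mkdtemp()
    broken, fixed = IndexDb(), IndexDb()
    first = sign_request(broken, "CN=alice", 1, outdir, check_by_subject=False)
    second = sign_request(broken, "CN=alice", 2, outdir, check_by_subject=False)
    leftover = os.path.exists(os.path.join(outdir, "02.pem"))
    sign_request(fixed, "CN=alice", 1, outdir, check_by_subject=True)
    fixed_second = sign_request(fixed, "CN=alice", 2, outdir, check_by_subject=True)
    return first, second, leftover, fixed_second
```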

************
File USERE:[GREANEY.TEMP]OPENSSL.CNF_097D;1
    6   # This definition stops the following lines choking if HOME isn't
    7   # defined.
    8   HOME                    = .
    9   RANDFILE                = $ENV::HOME/.rnd
   10   
   11   # Extra OBJECT IDENTIFIER info:
   12   #oid_file               = $ENV::HOME/.oid
   13   oid_section             = new_oids
******
File USERE:[GREANEY.TEMP]OPENSSL-VMS.CNF_097D;1
    6   RANDFILE                = $ENV::HOME/.rnd
    7   oid_file                = $ENV::HOME/.oid
    8   oid_section             = new_oids
************
************
File USERE:[GREANEY.TEMP]OPENSSL.CNF_097D;1
   37   dir             = ./demoCA              # Where everything is kept
   38   certs           = $dir/certs            # Where the issued certs are kept
   39   crl_dir         = $dir/crl              # Where the issued crl are kept
   40   database        = $dir/index.txt        # database index file.
   41   #unique_subject = no                    # Set to 'no' to allow creation of
   42                                           # several ctificates with same subject.
   43   new_certs_dir   = $dir/newcerts         # default place for new certs.
   44   
   45   certificate     = $dir/cacert.pem       # The CA certificate
   46   serial          = $dir/serial           # The current serial number
   47   #crlnumber      = $dir/crlnumber        # the current crl number
   48                                           # must be commented out to leave a V1 
CRL
   49   crl             = $dir/crl.pem          # The current CRL
   50   private_key     = $dir/private/cakey.pem# The private key
   51   RANDFILE        = $dir/private/.rand    # private random number file
   52   
******
File USERE:[GREANEY.TEMP]OPENSSL-VMS.CNF_097D;1
   32   dir             = sys\$disk:[.demoCA    # Where everything is kept
   33   certs           = $dir.certs]           # Where the issued certs are kept
   34   crl_dir         = $dir.crl]             # Where the issued crl are kept
   35   database        = $dir]index.txt        # database index file.
   36   new_certs_dir   = $dir.newcerts]        # default place for new certs.
   37   
   38   certificate     = $dir]cacert.pem       # The CA certificate
   39   serial          = $dir]serial.          # The current serial number
   40   crl             = $dir]crl.pem          # The current CRL
   41   private_key     = $dir.private]cakey.pem# The private key
   42   RANDFILE        = $dir.private].rand    # private random number file
   43   
************
************
File USERE:[GREANEY.TEMP]OPENSSL.CNF_097D;1
   55   # Comment out the following two lines for the "traditional"
   56   # (and highly broken) format.
   57   name_opt        = ca_default            # Subject Name options
   58   cert_opt        = ca_default            # Certificate field options
   59   
   60   # Extension copying option: use with caution.
   61   # copy_extensions = copy
   62   
   63   # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
   64   # so this is commented out by default to leave a V1 CRL.
   65   # crlnumber must also be commented out to leave a V1 CRL.
   66   # crl_extensions        = crl_ext
******
File USERE:[GREANEY.TEMP]OPENSSL-VMS.CNF_097D;1
   46   # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
   47   # so this is commented out by default to leave a V1 CRL.
   48   # crl_extensions        = crl_ext
************
************
File USERE:[GREANEY.TEMP]OPENSSL.CNF_097D;1
  107   # Passwords for private keys if not present they will be prompted for
  108   # input_password = secret
  109   # output_password = secret
  110   
  111   # This sets a mask for permitted string types. There are several options. 
  112   # default: PrintableString, T61String, BMPString.
******
File USERE:[GREANEY.TEMP]OPENSSL-VMS.CNF_097D;1
   89   # This sets the permitted types in a DirectoryString. There are several
   90   # options. 
   91   # default: PrintableString, T61String, BMPString.
************
************
File USERE:[GREANEY.TEMP]OPENSSL.CNF_097D;1
  115   # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
  116   # MASK:XXXX a literal mask value.
******
File USERE:[GREANEY.TEMP]OPENSSL-VMS.CNF_097D;1
   94   # nobmp : PrintableString, T61String (no BMPStrings).
   95   # MASK:XXXX a literal mask value.
************
************
File USERE:[GREANEY.TEMP]OPENSSL.CNF_097D;1
  119   string_mask = nombstr
  120   
******
File USERE:[GREANEY.TEMP]OPENSSL-VMS.CNF_097D;1
   98   dirstring_type = nobmp
   99   
************
************
File USERE:[GREANEY.TEMP]OPENSSL.CNF_097D;1
  148   emailAddress_max                = 64
  149   
******
File USERE:[GREANEY.TEMP]OPENSSL-VMS.CNF_097D;1
  127   emailAddress_max                = 40
  128   
************
************
File USERE:[GREANEY.TEMP]OPENSSL.CNF_097D;1
  196   # An alternative to produce certificates that aren't
  197   # deprecated according to PKIX.
  198   # subjectAltName=email:move
  199   
******
File USERE:[GREANEY.TEMP]OPENSSL-VMS.CNF_097D;1
  175   
************

Number of difference sections found: 8
Number of difference records found: 44

DIFFERENCES /IGNORE=()/MERGED=1/OUTPUT=USERE:[GREANEY.TEMP]OPENSSL.CNF_VMS_DIFF;1-
    USERE:[GREANEY.TEMP]OPENSSL.CNF_097D;1-
    USERE:[GREANEY.TEMP]OPENSSL-VMS.CNF_097D;1
--- openssl-vms.cnf_097d        Thu Apr 15 14:33:40 2004
+++ openssl.cnf_097d    Fri Apr 16 08:37:51 2004
@@ -3,8 +3,13 @@
 # This is mostly being used for generation of certificate requests.
 #
 
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME                   = .
 RANDFILE               = $ENV::HOME/.rnd
-oid_file               = $ENV::HOME/.oid
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file              = $ENV::HOME/.oid
 oid_section            = new_oids
 
 # To use this configuration file with the "-extfile" option of the
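Review bot: the `+HOME = .` default only matters for the POSIX-style `$ENV::HOME/.rnd` and `.oid` paths, which the VMS file already uses unchanged, so before carrying this hunk into OPENSSL-VMS.CNF check how HOME is actually set on VMS rather than assuming "." is the right fallback; the comment in the hunk only says it stops the following lines choking when HOME is undefined. Note also that the hunk turns the VMS file's active `oid_file = $ENV::HOME/.oid` into a commented-out example, which is a behaviour change for the VMS build, not just a missing key.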
@@ -29,22 +34,35 @@
 ####################################################################
 [ CA_default ]
 
-dir            = sys\$disk:[.demoCA    # Where everything is kept
-certs          = $dir.certs]           # Where the issued certs are kept
-crl_dir                = $dir.crl]             # Where the issued crl are kept
-database       = $dir]index.txt        # database index file.
-new_certs_dir  = $dir.newcerts]        # default place for new certs.
-
-certificate    = $dir]cacert.pem       # The CA certificate
-serial         = $dir]serial.          # The current serial number
-crl            = $dir]crl.pem          # The current CRL
-private_key    = $dir.private]cakey.pem# The private key
-RANDFILE       = $dir.private].rand    # private random number file
+dir            = ./demoCA              # Where everything is kept
+certs          = $dir/certs            # Where the issued certs are kept
+crl_dir                = $dir/crl              # Where the issued crl are kept
+database       = $dir/index.txt        # database index file.
+#unique_subject        = no                    # Set to 'no' to allow creation of
+                                       # several ctificates with same subject.
+new_certs_dir  = $dir/newcerts         # default place for new certs.
+
+certificate    = $dir/cacert.pem       # The CA certificate
+serial         = $dir/serial           # The current serial number
+#crlnumber     = $dir/crlnumber        # the current crl number
+                                       # must be commented out to leave a V1 CRL
+crl            = $dir/crl.pem          # The current CRL
+private_key    = $dir/private/cakey.pem# The private key
+RANDFILE       = $dir/private/.rand    # private random number file
 
 x509_extensions        = usr_cert              # The extentions to add to the cert
 
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt       = ca_default            # Subject Name options
+cert_opt       = ca_default            # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
 # so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
 # crl_extensions       = crl_ext
 
 default_days   = 365                   # how long to certify for
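Review bot: the `+` lines in this hunk use Unix path syntax (`$dir/crlnumber`, `$dir/newcerts`, `$dir/private/cakey.pem`), so they cannot be pasted into OPENSSL-VMS.CNF unchanged; the removed `serial = $dir]serial.` line shows the VMS form a new `crlnumber` entry would take, a file next to serial, which also answers the question in the message about whether crlnumber should point to a file. `unique_subject` and `copy_extensions` carry no path and can be copied verbatim (commented out, as here). The surrounding comment ("Comment out the following two lines for the 'traditional' format") shows that `name_opt = ca_default` and `cert_opt = ca_default` are output-format option values rather than a reference to the `[ CA_default ]` section, so the lowercase spelling should be kept as-is and the key order does not matter. Minor: the added comment line reads "ctificates" for "certificates".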
@@ -86,16 +104,19 @@
 attributes             = req_attributes
 x509_extensions        = v3_ca # The extentions to add to the self signed cert
 
-# This sets the permitted types in a DirectoryString. There are several
-# options. 
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
 # default: PrintableString, T61String, BMPString.
 # pkix  : PrintableString, BMPString.
 # utf8only: only UTF8Strings.
-# nobmp : PrintableString, T61String (no BMPStrings).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
 # MASK:XXXX a literal mask value.
 # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
 # so use this option with caution!
-dirstring_type = nobmp
+string_mask = nombstr
 
 # req_extensions = v3_req # The extensions to add to a certificate request
 
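Review bot: if the commented `input_password = secret` / `output_password = secret` examples are carried into OPENSSL-VMS.CNF they should stay commented; uncommenting them stores the private-key passphrase in cleartext in the config file, which would then need the same access protection as the `private_key` file. Separately, the key is renamed from `dirstring_type` to `string_mask` and its value is spelled `nombstr` (not `nombrstr`), and the hunk's own comments show `nombstr` excludes UTF8Strings as well as BMPStrings, so it is a narrower setting than the old `nobmp`, not merely a rename.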
@@ -124,7 +145,7 @@
 commonName_max                 = 64
 
 emailAddress                   = Email Address
-emailAddress_max               = 40
+emailAddress_max               = 64
 
 # SET-ex3                      = SET extension number 3
 
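Review bot: this is the only hunk in the patch that can be applied to OPENSSL-VMS.CNF verbatim, since it changes a numeric limit and touches no path; the new value 64 matches the `commonName_max = 64` context line just above it.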
@@ -172,6 +193,9 @@
 # This stuff is for subjectAltName and issuerAltname.
 # Import the email address.
 # subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
 
 # Copy subject details
 # issuerAltName=issuer:copy

Attachment: diffs.diff
Description: diffs.diff
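
As an added example (not code from the message or from OpenSSL), a Python script that does the comparison above mechanically: it parses two OpenSSL-style config texts, treating `[ section ]` names as case-sensitive and `#key = value` lines as documented-but-disabled keys, and reports per section which keys the second file lacks. The excerpts are constructed from the two files shown in the diff; parse_cnf and missing_keys are hypothetical names.

```python
# Added example (not from the message or OpenSSL): parse two OpenSSL-style
# config texts and report, per section, keys the first sets that the second
# lacks.  The excerpts at the bottom are constructed from the files compared.
import re
LINE_RE = re.compile(r"^(#\s*)?([A-Za-z0-9_.]+)\s*=\s*(.*)$")  # also "#key = v"
def parse_cnf(text):
    # Returns ({section: {key: value}}, {section: set(commented-out keys)}).
    active, disabled, section = {}, {}, ""  # "" holds keys before any [section]
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()     # section names are case-sensitive
            continue
        m = LINE_RE.match(line)
        if not m:
            continue                         # plain comment or blank line
        commented, key, value = m.groups()
        if commented:
            disabled.setdefault(section, set()).add(key)
        else:
            active.setdefault(section, {})[key] = value.split("#", 1)[0].strip()
    return active, disabled

def missing_keys(cnf_a, cnf_b):
    # Keys active or commented-out in cnf_a that cnf_b does not set at all.
    act_a, dis_a = parse_cnf(cnf_a)
    act_b, _ = parse_cnf(cnf_b)
    report = {}
    for section in set(act_a) | set(dis_a):
        have = set(act_b.get(section, {}))
        act = sorted(set(act_a.get(section, {})) - have)
        dis = sorted(dis_a.get(section, set()) - have)
        if act or dis:
            report[section] = (act, dis)
    return report

UNIX_CNF = """[ CA_default ]
serial          = $dir/serial           # The current serial number
#unique_subject = no                    # Set to 'no' to allow creation of
#crlnumber      = $dir/crlnumber        # the current crl number
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options
[ req ]
string_mask = nombstr
"""
VMS_CNF = """[ CA_default ]
serial          = $dir]serial.          # The current serial number
[ req ]
dirstring_type = nobmp
"""
```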
