Re: strangeness in `x509 -noout -text` output

2002-04-30 Thread Robert Joop

On 02-04-29 10:33:10 CEST, Michael Bell wrote:
> I found a small problem with -nameopt RFC2253:
> 
> The X509v3 Authority Key Identifier doesn't use -nameopt for DirName. Is
> this DN stored as a string?

it depends on what you mean by string.
it is stored as an OCTET STRING that contains an ASN.1 structure with
a SEQUENCE with a DN:

a certificate parsed with asn1parse:
[...]
  512:d=4  hl=3 l= 199 cons: SEQUENCE  
  515:d=5  hl=2 l=   3 prim:  OBJECT:X509v3 Authority Key Identifier
  520:d=5  hl=3 l= 191 prim:  OCTET STRING  
[...]

same cert, asn1parse -strparse 520:

    0:d=0  hl=3 l= 188 cons: SEQUENCE  
    3:d=1  hl=2 l=  20 prim:  cont [ 0 ]
   25:d=1  hl=3 l= 160 cons:  cont [ 1 ]
   28:d=2  hl=3 l= 157 cons:   cont [ 4 ]
   31:d=3  hl=3 l= 154 cons:SEQUENCE  
   34:d=4  hl=2 l=  11 cons: SET   
   36:d=5  hl=2 l=   9 cons:  SEQUENCE  
   38:d=6  hl=2 l=   3 prim:   OBJECT:countryName
   43:d=6  hl=2 l=   2 prim:   PRINTABLESTRING   :DE
   47:d=4  hl=2 l=  15 cons: SET   
   49:d=5  hl=2 l=  13 cons:  SEQUENCE  
   51:d=6  hl=2 l=   3 prim:   OBJECT:localityName
   56:d=6  hl=2 l=   6 prim:   PRINTABLESTRING   :Berlin
[and so on...]

(and I guess this explains why it would make sense to pass the nameopt
flags into the extension code as Steve wrote.)

rj
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
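To make the nesting in the asn1parse output concrete, here is an added Python example (not OpenSSL's code) that builds a DER AuthorityKeyIdentifier with the same layout ([0] keyIdentifier, [1] GeneralNames holding a [4] directoryName of C=DE, L=Berlin) and walks the TLVs down to the DN, which is what `asn1parse -strparse 520` did on the contents of the OCTET STRING. The key identifier, serial number and DN contents are constructed; only the two attribute-type OIDs are real.

```python
OID_NAMES = {b"\x55\x04\x06": "C", b"\x55\x04\x07": "L"}  # id-at-countryName, id-at-localityName

def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder (definite lengths below 65536)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content

def tlv(buf: bytes, pos: int):
    """Decode the TLV at pos -> (tag, content, next_pos); low tag numbers only."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big"), 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def children(content: bytes):
    """Yield (tag, content) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, body, pos = tlv(content, pos)
        yield tag, body

def aki_issuer_dn(ext_value: bytes):
    """Walk the AKI (the OCTET STRING contents, as asn1parse -strparse sees them) to
    [1] authorityCertIssuer / [4] directoryName; return [(type, value)] or None."""
    tag, aki, _ = tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("AuthorityKeyIdentifier must be a SEQUENCE")
    for t, body in children(aki):
        if t != 0xA1:                    # [1] GeneralNames; [0] keyid and [2] serial are skipped
            continue
        for gt, gbody in children(body):
            if gt != 0xA4:               # [4] directoryName is EXPLICIT: the Name SEQUENCE sits inside
                continue
            _, name, _ = tlv(gbody, 0)
            rdns = []
            for _, rdn in children(name):            # Name = SEQUENCE OF SET (one RDN each)
                for _, atv in children(rdn):         # RDN = SET OF SEQUENCE { OID, value }
                    (_, oid), (_, val) = children(atv)
                    rdns.append((OID_NAMES.get(oid, oid.hex()), val.decode("latin-1")))
            return rdns
    return None

def sample_aki() -> bytes:
    """Constructed AKI: [0] 20-byte keyid, [1] DirName C=DE, L=Berlin, [2] serial 1."""
    def atv(oid, s):                     # SEQUENCE { OBJECT, PRINTABLESTRING }
        return der(0x30, der(0x06, oid) + der(0x13, s))
    name = der(0x30, der(0x31, atv(b"\x55\x04\x06", b"DE")) + der(0x31, atv(b"\x55\x04\x07", b"Berlin")))
    return der(0x30, der(0x80, bytes(20)) + der(0xA1, der(0xA4, name)) + der(0x82, b"\x01"))
```

The constructed SET/SEQUENCE lengths (11, 9, 3, 2 and 15, 13, 3, 6) come out identical to the asn1parse listing above, which is a quick way to confirm the encoder matches what the tool displays.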



Re: strangeness in `x509 -noout -text` output

2002-04-30 Thread Robert Joop

On 02-04-30 10:59:08 CEST, Michael Bell wrote:
> Lutz Jaenicke wrote:
> > 
> > On Mon, Apr 29, 2002 at 10:33:10AM +0200, Michael Bell wrote:
> >  
> > > The only problem for the future is the support of this flag in all the
> > > other tools (especially ca and req have problems with their option
> > > -subj).
> >
> > Robert Joop sent a patch last week (not applied, yet). Does it solve the
> > problems you mention?
> 
> The problem which I mean is more general. The parser of the value which
> is passed to openssl -subj is not really clever. So my comment was
> only a notice for the future. It is not relevant for 0.9.7.

would you care to elaborate?
what will be missing after we can give escaped characters to the -subj
argument?

one potential problem not far away: applications that parse index.txt
run into problems because the / characters inside RDNs are not escaped.
(but they could be, other characters are denoted as \xXX already, äöüß
become \xE4\xF6\xFC\xDF (which reminds me of the
stuff-all-8bit-charsets-into-T.61-problem, but that's another topic...).)

> Another problem (which I found yesterday evening) are req and crl. Both
> tools don't have the option -nameopt but they display an issuer (crl) or
> a DN (req). Perhaps the new functions (to display the DN in various
> formats) are not usable for them because they are x509-functions.

I sent a patch for this to this list yesterday.

rj



Re: strangeness in `x509 -noout -text` output

2002-04-30 Thread Michael Bell

Lutz Jaenicke wrote:
> 
> On Mon, Apr 29, 2002 at 10:33:10AM +0200, Michael Bell wrote:
>  
> > The only problem for the future is the support of this flag in all the
> > other tools (especially ca and req have problems with their option
> > -subj).
>
> Robert Joop sent a patch last week (not applied, yet). Does it solve the
> problems you mention?

The problem which I mean is more general. The parser of the value which
is passed to openssl -subj is not really clever. So my comment was
only a notice for the future. It is not relevant for 0.9.7.

Another problem (which I found yesterday evening) are req and crl. Both
tools don't have the option -nameopt but they display an issuer (crl) or
a DN (req). Perhaps the new functions (to display the DN in various
formats) are not usable for them because they are x509-functions.

Michael
-- 
---
Michael Bell   Email (private): [EMAIL PROTECTED]
Rechenzentrum - Datacenter Email:  [EMAIL PROTECTED]
Humboldt-University of Berlin  Tel.: +49 (0)30-2093 2482
Unter den Linden 6 Fax:  +49 (0)30-2093 2959
10099 Berlin
Germany   http://www.openca.org



Re: strangeness in `x509 -noout -text` output

2002-04-30 Thread Lutz Jaenicke

On Mon, Apr 29, 2002 at 10:33:10AM +0200, Michael Bell wrote:
> Lutz Jaenicke wrote:
> > 
> > On Sun, Apr 28, 2002 at 08:07:43PM +0100, Dr S N Henson wrote:
> > > However a new FAQ entry might be in order or possibly changing the
> > > default display options so that the old behaviour is no longer the
> > > default and adding a "-nameopt old" option is explicitly needed instead.
> > 
> > -nameopt compat shall retain compatibility.
> > Hmm, make "oneline" the new default? Or rather leave it "as is" and just
> > add it to the FAQ. Robert Joop and Michael Bell, active in discussing
> > DN issues, are with the OpenCA project. It should be possible for them
> > to catch the problem by using an appropriate command line flag when
> > calling "openssl x509".
> 
> I think the FAQ entry is enough. If you set a new default then you can
> surprise many small scripts and their users. The flag -nameopt is a good
> solution.

I have added the entry.

> The only problem for the future is the support of this flag in all the
> other tools (especially ca and req have problems with their option
> -subj).

Robert Joop sent a patch last week (not applied, yet). Does it solve the
problems you mention?

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus



Re: strangeness in `x509 -noout -text` output

2002-04-30 Thread Dr. Stephen Henson

On Mon, Apr 29, 2002, Michael Bell wrote:

> 
> I found a small problem with -nameopt RFC2253:
> 
> The X509v3 Authority Key Identifier doesn't use -nameopt for DirName. Is
> this DN stored as a string?
> 

Yes it is and fixing this would need some non-trivial changes to pass the
nameopt flags to the extension code. Maybe in 0.9.8...

Steve.
--
Dr. Stephen Henson  [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/



Re: strangeness in `x509 -noout -text` output

2002-04-29 Thread Michael Bell

Lutz Jaenicke wrote:
> 
> On Sun, Apr 28, 2002 at 08:07:43PM +0100, Dr S N Henson wrote:
> > However a new FAQ entry might be in order or possibly changing the
> > default display options so that the old behaviour is no longer the
> > default and adding a "-nameopt old" option is explicitly needed instead.
> 
> -nameopt compat shall retain compatibility.
> Hmm, make "oneline" the new default? Or rather leave it "as is" and just
> add it to the FAQ. Robert Joop and Michael Bell, active in discussing
> DN issues, are with the OpenCA project. It should be possible for them
> to catch the problem by using an appropriate command line flag when
> calling "openssl x509".

I think the FAQ entry is enough. If you set a new default then you can
surprise many small scripts and their users. The flag -nameopt is a good
solution.

The only problem for the future is the support of this flag in all the
other tools (especially ca and req have problems with their option
-subj).

I found a small problem with -nameopt RFC2253:

The X509v3 Authority Key Identifier doesn't use -nameopt for DirName. Is
this DN stored as a string?

Michael
-- 
---
Michael Bell   Email (private): [EMAIL PROTECTED]
Rechenzentrum - Datacenter Email:  [EMAIL PROTECTED]
Humboldt-University of Berlin  Tel.: +49 (0)30-2093 2482
Unter den Linden 6 Fax:  +49 (0)30-2093 2959
10099 Berlin
Germany   http://www.openca.org



Re: strangeness in `x509 -noout -text` output

2002-04-28 Thread Lutz Jaenicke

On Sun, Apr 28, 2002 at 08:07:43PM +0100, Dr S N Henson wrote:
> By default the code ultimately uses the old X509_NAME_print function to
> display DNs. This results in the weirdness mentioned and all manner of
> odd output if the DN contains things like BMPStrings.
> 
> X509_NAME_print is only retained for compatibility. Changing it might do
> odd things if anyone parses or hashes its output for some reason: that
> isn't advisable but something might.
> 
> If appropriate flags are passed to the X509_print_ex function then much
> more sensible output is produced using the X509_NAME_print_ex function.
> The -nameopt option can be used for this (see manual page): -nameopt
> oneline is a good place to start.
> 
> I'd say that X509_NAME_print shouldn't be touched because new code
> should call X509_NAME_print_ex() 
> 
> However a new FAQ entry might be in order or possibly changing the
> default display options so that the old behaviour is no longer the
> default and adding a "-nameopt old" option is explicitly needed instead.

-nameopt compat shall retain compatibility.
Hmm, make "oneline" the new default? Or rather leave it "as is" and just
add it to the FAQ. Robert Joop and Michael Bell, active in discussing
DN issues, are with the OpenCA project. It should be possible for them
to catch the problem by using an appropriate command line flag when
calling "openssl x509".
With 0.9.7 we have traded compatibility in some cases. Applications linking
against OpenSSL can always check OPENSSL_VERSION. This is far more
difficult for applications externally calling OpenSSL's command line
tools...

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus



Re: strangeness in `x509 -noout -text` output

2002-04-28 Thread Dr S N Henson

Lutz Jaenicke wrote:
> 
> On Fri, Apr 26, 2002 at 12:38:05PM +0200, Robert Joop wrote:
> > `x509 -noout -text` prints inconsistent output.
> >
> > ...> openssl x509 -noout -text -in old.pem | grep Issuer:
> > Issuer: [EMAIL PROTECTED], CN=CA UCO, O=Universidad de Cordoba, C=ES
> > ...> openssl x509 -noout -text -in new.pem | grep Issuer:
> > Issuer: C=ES, O=Universidad de Cordoba, CN=AC [EMAIL PROTECTED]
> >
> > see the "/" that magically appears, instead of a ", "?
> > I found the place that does this magic and commented it out:
> >
> > ...> openssl x509 -noout -text -in old.pem | grep Issuer:
> > Issuer: [EMAIL PROTECTED], CN=CA UCO, O=Universidad de Cordoba, C=ES
> > ...> openssl x509 -noout -text -in new.pem | grep Issuer:
> > Issuer: C=ES, O=Universidad de Cordoba, CN=AC UCO, [EMAIL PROTECTED]
> >
> > it does it because the type "emailAddress" starts lower case!
> 
> Your analysis is technically correct. If the object name is starting with
> an uppercase letter, the "/" is replaced with the ", ", otherwise it is
> not.
> However: the section you are essentially removing (by commenting out)
> may be there for a reason. I have not used this functionality myself,
> so I don't know why this distinction is made. Therefore I am reluctant
> to touch it. Steve, could you kindly have a look into this?
> 

By default the code ultimately uses the old X509_NAME_print function to
display DNs. This results in the weirdness mentioned and all manner of
odd output if the DN contains things like BMPStrings.

X509_NAME_print is only retained for compatibility. Changing it might do
odd things if anyone parses or hashes its output for some reason: that
isn't advisable but something might.

If appropriate flags are passed to the X509_print_ex function then much
more sensible output is produced using the X509_NAME_print_ex function.
The -nameopt option can be used for this (see manual page): -nameopt
oneline is a good place to start.

I'd say that X509_NAME_print shouldn't be touched because new code
should call X509_NAME_print_ex() 

However a new FAQ entry might be in order or possibly changing the
default display options so that the old behaviour is no longer the
default and adding a "-nameopt old" option is explicitly needed instead.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.



Re: strangeness in `x509 -noout -text` output

2002-04-28 Thread Richard Levitte - VMS Whacker

In message <[EMAIL PROTECTED]> on Sun, 28 Apr 2002 19:59:33 +0200, Lutz Jaenicke <[EMAIL PROTECTED]> said:

Lutz.Jaenicke> On Fri, Apr 26, 2002 at 12:38:05PM +0200, Robert Joop wrote:
Lutz.Jaenicke> > `x509 -noout -text` prints inconsistent output.
Lutz.Jaenicke> > 
Lutz.Jaenicke> > ...> openssl x509 -noout -text -in old.pem | grep Issuer:
Lutz.Jaenicke> > Issuer: [EMAIL PROTECTED], CN=CA UCO, O=Universidad de Cordoba, C=ES
Lutz.Jaenicke> > ...> openssl x509 -noout -text -in new.pem | grep Issuer:
Lutz.Jaenicke> > Issuer: C=ES, O=Universidad de Cordoba, CN=AC [EMAIL PROTECTED]
Lutz.Jaenicke> > 
Lutz.Jaenicke> > see the "/" that magically appears, instead of a ", "?
Lutz.Jaenicke> > I found the place that does this magic and commented it out:
Lutz.Jaenicke> > 
Lutz.Jaenicke> > ...> openssl x509 -noout -text -in old.pem | grep Issuer:
Lutz.Jaenicke> > Issuer: [EMAIL PROTECTED], CN=CA UCO, O=Universidad de Cordoba, C=ES
Lutz.Jaenicke> > ...> openssl x509 -noout -text -in new.pem | grep Issuer:
Lutz.Jaenicke> > Issuer: C=ES, O=Universidad de Cordoba, CN=AC UCO, [EMAIL PROTECTED]
Lutz.Jaenicke> > 
Lutz.Jaenicke> > it does it because the type "emailAddress" starts lower case!
Lutz.Jaenicke> 
Lutz.Jaenicke> Your analysis is technically correct. If the object name is starting with
Lutz.Jaenicke> an uppercase letter, the "/" is replaced with the ", ", otherwise it is
Lutz.Jaenicke> not.

Note that with 0.9.7, 'openssl x509' comes with the new option
-nameopt, where you can choose from a number of formats.  They are
documented at http://www.openssl.org/docs/apps/x509.html#NAME_OPTIONS

Lutz.Jaenicke> However: the section you are essentially removing (by commenting out)
Lutz.Jaenicke> may be there for a reason. I have not used this functionality myself,
Lutz.Jaenicke> so I don't know why this distinction is made. Therefore I am reluctant
Lutz.Jaenicke> to touch it. Steve, could you kindly have a look into this?

Yup, do not apply that patch.  That'll destroy compatibility for
applications that depend on this string format.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.



Re: strangeness in `x509 -noout -text` output

2002-04-28 Thread Lutz Jaenicke

On Fri, Apr 26, 2002 at 12:38:05PM +0200, Robert Joop wrote:
> `x509 -noout -text` prints inconsistent output.
> 
> ...> openssl x509 -noout -text -in old.pem | grep Issuer:
> Issuer: [EMAIL PROTECTED], CN=CA UCO, O=Universidad de Cordoba, C=ES
> ...> openssl x509 -noout -text -in new.pem | grep Issuer:
> Issuer: C=ES, O=Universidad de Cordoba, CN=AC [EMAIL PROTECTED]
> 
> see the "/" that magically appears, instead of a ", "?
> I found the place that does this magic and commented it out:
> 
> ...> openssl x509 -noout -text -in old.pem | grep Issuer:
> Issuer: [EMAIL PROTECTED], CN=CA UCO, O=Universidad de Cordoba, C=ES
> ...> openssl x509 -noout -text -in new.pem | grep Issuer:
> Issuer: C=ES, O=Universidad de Cordoba, CN=AC UCO, [EMAIL PROTECTED]
> 
> it does it because the type "emailAddress" starts lower case!

Your analysis is technically correct. If the object name is starting with
an uppercase letter, the "/" is replaced with the ", ", otherwise it is
not.
However: the section you are essentially removing (by commenting out)
may be there for a reason. I have not used this functionality myself,
so I don't know why this distinction is made. Therefore I am reluctant
to touch it. Steve, could you kindly have a look into this?

> --- orig/openssl-SNAP-20020423/crypto/asn1/t_x509.c   Wed Feb 13 20:00:30 2002
> +++ openssl-SNAP-20020423/crypto/asn1/t_x509.cFri Apr 26 11:50:13 2002
> @@ -460,12 +461,12 @@
>   for (;;)
>   {
>  #ifndef CHARSET_EBCDIC
> - if (((*s == '/') &&
> + if (((*s == '/') /*&&
>   ((s[1] >= 'A') && (s[1] <= 'Z') && (
>   (s[2] == '=') ||
>   ((s[2] >= 'A') && (s[2] <= 'Z') &&
>   (s[3] == '='))
> -  ))) ||
> +  ))*/) ||
>   (*s == '\0'))
>  #else
>   if (((*s == '/') &&
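Review bot: the `#ifndef CHARSET_EBCDIC` branch loses the uppercase-letter test while the `#else` branch that begins `if (((*s == '/') &&` keeps it, so the two builds would print the same name differently; either mirror the change there or leave the heuristic alone. Removing the test also makes every '/' an RDN separator, so a '/' inside an attribute value (the thread notes these are not escaped in this string form) would be split as well, and the list has already pointed out that existing scripts depend on this output. Since `-nameopt` and X509_NAME_print_ex already give the consistent output the report asks for, I would not apply this patch.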


Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
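As an added example, not OpenSSL's code, serving both Steve's point about X509_NAME_print versus X509_NAME_print_ex and Lutz's description of the uppercase rule: a Python re-creation of the old '/' splitting heuristic, the behaviour after the posted patch, and formatting from the structured name the way `-nameopt oneline` and `-nameopt RFC2253` do instead of re-parsing text. The DN values are constructed and the e-mail address is a placeholder; the RFC 2253 escaping is a simplified version that leaves out multi-valued RDNs and hex encoding.

```python
RFC2253_SPECIAL = ',+"\\<>;'

def _sep_legacy(s: str, i: int) -> bool:
    """Old X509_NAME_print rule: a '/' followed by one or two uppercase
    letters and '=' starts a new RDN; '/emailAddress=' does not qualify."""
    if s[i] != '/' or i + 2 >= len(s) or not ('A' <= s[i + 1] <= 'Z'):
        return False
    if s[i + 2] == '=':
        return True
    return i + 3 < len(s) and 'A' <= s[i + 2] <= 'Z' and s[i + 3] == '='

def _sep_patched(s: str, i: int) -> bool:
    """Rule after the posted patch: every '/' starts a new RDN."""
    return s[i] == '/'

def name_print(oneline: str, is_sep) -> str:
    """Re-split '/C=ES/O=.../CN=...' style text into ', '-separated RDNs."""
    s = oneline[1:] if oneline.startswith('/') else oneline   # skip leading '/'
    parts, start = [], 0
    for i in range(len(s)):
        if is_sep(s, i):
            parts.append(s[start:i])
            start = i + 1
    parts.append(s[start:])
    return ", ".join(parts)

def rfc2253_escape(value: str) -> str:
    """Escape one attribute value as RFC 2253 section 2.4 requires
    (special characters, leading '#' or space, trailing space)."""
    out = ''.join('\\' + c if c in RFC2253_SPECIAL else c for c in value)
    if out.startswith(('#', ' ')):
        out = '\\' + out
    if len(value) > 1 and out.endswith(' '):
        out = out[:-1] + '\\ '
    return out

def name_print_ex(rdns, rfc2253: bool = False) -> str:
    """Format from the structured name (list of (type, value) in storage order)
    instead of re-parsing text: '-nameopt oneline' style by default, RFC 2253
    style (most specific RDN first, ',' separated, escaped) when requested."""
    if rfc2253:
        return ",".join(f"{t}={rfc2253_escape(v)}" for t, v in reversed(rdns))
    return ", ".join(f"{t} = {v}" for t, v in rdns)

# Constructed name modelled on the report's new.pem issuer; the e-mail is a placeholder.
NEW_RDNS = [("C", "ES"), ("O", "Universidad de Cordoba"), ("CN", "AC UCO"),
            ("emailAddress", "ca@example.invalid")]
NEW_ONELINE = "/" + "/".join(f"{t}={v}" for t, v in NEW_RDNS)

if __name__ == "__main__":
    print(name_print(NEW_ONELINE, _sep_legacy))    # CN and emailAddress run together
    print(name_print(NEW_ONELINE, _sep_patched))   # split as the report wanted...
    print(name_print("/O=Example/OU=R/D", _sep_patched))  # ...but a '/' in a value splits too
    print(name_print_ex(NEW_RDNS, rfc2253=True))
```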



strangeness in `x509 -noout -text` output

2002-04-26 Thread Robert Joop

`x509 -noout -text` prints inconsistent output.

...> openssl x509 -noout -text -in old.pem | grep Issuer:
Issuer: [EMAIL PROTECTED], CN=CA UCO, O=Universidad de Cordoba, C=ES
...> openssl x509 -noout -text -in new.pem | grep Issuer:
Issuer: C=ES, O=Universidad de Cordoba, CN=AC [EMAIL PROTECTED]

see the "/" that magically appears, instead of a ", "?
I found the place that does this magic and commented it out:

...> openssl x509 -noout -text -in old.pem | grep Issuer:
Issuer: [EMAIL PROTECTED], CN=CA UCO, O=Universidad de Cordoba, C=ES
...> openssl x509 -noout -text -in new.pem | grep Issuer:
Issuer: C=ES, O=Universidad de Cordoba, CN=AC UCO, [EMAIL PROTECTED]

it does it because the type "emailAddress" starts lower case!

rj


--- orig/openssl-SNAP-20020423/crypto/asn1/t_x509.c Wed Feb 13 20:00:30 2002
+++ openssl-SNAP-20020423/crypto/asn1/t_x509.c  Fri Apr 26 11:50:13 2002
@@ -460,12 +461,12 @@
for (;;)
{
 #ifndef CHARSET_EBCDIC
-   if (((*s == '/') &&
+   if (((*s == '/') /*&&
((s[1] >= 'A') && (s[1] <= 'Z') && (
(s[2] == '=') ||
((s[2] >= 'A') && (s[2] <= 'Z') &&
(s[3] == '='))
-))) ||
+))*/) ||
(*s == '\0'))
 #else
if (((*s == '/') &&
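Review bot: the `#else` branch at `if (((*s == '/') &&` still carries the uppercase check that the `#ifndef CHARSET_EBCDIC` branch drops, so EBCDIC builds keep the old behaviour; if the heuristic is to go it has to go from both branches. Commenting out the condition also turns every '/' into a separator, including one inside an attribute value, and changes output that existing scripts parse; the `-nameopt` route discussed in the thread gets the consistent output without touching this compatibility function.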