Re: Examples of adding Private Enterprise Numbers (PEN's) Extensions to CSR

2021-10-15 Thread Jakob Bohm via openssl-users

On 2021-10-14 18:43, Philip Prindeville wrote:

Hi,

I need to generate CSR's with some Extensions included that use our PEN's as 
allocated by IANA.

Are there any examples of this?

Also, I'm looking at X509_REQ_add_extensions_nid() and it takes a 
STACK_OF(X509_EXTENSION) but it doesn't seem to actually iterate through the 
stack...  Is this code even correct?  What am I missing?  Ditto for 
X509_REQ_add_extensions().

Thanks,

-Philip


I don't know how to do this via the API, but the source code for the
command line tools may give some good clues.  Here is how I would do it
with the command line tools:

First of all, you need to (administratively) decide how to subdivide
your private OID tree below your enterprise ID.  This would be a
company internal document listing how you use the OIDs and where to
put future OIDs of various kinds.  Use whatever document editing
system is used for other long term company documents.  Something like:

   Redfish solutions has been allocated the following OID prefix
   via the IANA "Enterprise numbers" process:

   RedfishOid = 1.3.6.1.4.1.999

   We subdivide this as follows:

   RedfishOid.1 = Redfish X.509 extensions
   RedfishOid.1.1 = FooBar extension, see design document RS12345
   RedfishOid.1.2 = BazQux extension, see design document RS12346
   RedfishOid.2 = Redfish SNMP extensions
   RedfishOid.2.1 = Redfish hardware-box-A SNMP extensions
   RedfishOid.3 = Redfish contributions to public standardisation efforts
   RedfishOid.4 = Redfish internal LDAP extensions used by HR

Next for the OpenSSL command line tools, you need to add the individual
X.509 related OIDs to the openssl.cnf file:

   In the [default] section:
   oid_section = new_oids

   In the [new_oids] section
   RedFishFooBar=1.3.6.1.4.1.999.1.1
   RedFishBazQux=1.3.6.1.4.1.999.1.2

From there, you should be able to use the new OID names in relevant
sections and options, using the generic syntax that explicitly
states how each value needs to be encoded.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
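
The configuration steps described in the message above, put together as an added example that is not part of the original post or OpenSSL's own code: one shell function writes an openssl.cnf fragment using the message's illustrative OID arc, one creates a CSR carrying both extensions, and one checks the CSR with `openssl asn1parse`. The `req_ext` and `req_dn` sections, the extension values, the subject name and the file names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration. The OID arc 1.3.6.1.4.1.999 is the illustrative one
# from the message; section names, values and file names are assumptions.

# Write an openssl.cnf fragment that names the private OIDs and uses them.
write_pen_config() {
    cat > "$1" <<'EOF'
# Default (unnamed) section: point OpenSSL at the table of extra OID names.
oid_section = new_oids

[ new_oids ]
RedFishFooBar = 1.3.6.1.4.1.999.1.1
RedFishBazQux = 1.3.6.1.4.1.999.1.2

[ req ]
prompt = no
distinguished_name = req_dn
req_extensions = req_ext

[ req_dn ]
CN = csr-demo.example.invalid

[ req_ext ]
# Generic syntax: the value states how the extension content is encoded.
# ASN1: builds the value from a type and string; DER: takes raw hex bytes
# (01 01 FF is the DER encoding of BOOLEAN TRUE).
RedFishFooBar = ASN1:UTF8String:constructed sample value
RedFishBazQux = DER:01:01:FF
EOF
}

# Create a throwaway key and a CSR carrying both extensions in directory $1.
make_pen_csr() {
    write_pen_config "$1/pen.cnf" &&
    openssl req -new -newkey rsa:2048 -nodes -config "$1/pen.cnf" \
        -keyout "$1/req.key" -out "$1/req.csr" 2>/dev/null
}

# Succeed only if the CSR in $1 contains the dotted OID $2.
# asn1parse prints OIDs it has no name for in dotted form.
csr_has_oid() {
    openssl asn1parse -in "$1" | grep -qF ":$2"
}

# Usage: d=$(mktemp -d); make_pen_csr "$d" && csr_has_oid "$d/req.csr" 1.3.6.1.4.1.999.1.1
```

`openssl ca` only carries request extensions into the issued certificate when its `copy_extensions` option is set, so the signing side has to opt in as well.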



Re: Disable installation of docs

2021-10-15 Thread Matt Caswell

Instead of:

make install

Do:

make install_sw install_ssldirs

Matt

On 15/10/2021 12:56, Armin Novak wrote:

Hi,


I need to deploy custom builds for OpenSSL for some packages I maintain
(flatpak/snap/windows/mac/...)

Most of the build/install time is spent installing the /usr/share/doc
stuff, which is not used in that case anyway.


Is there some configuration option to disable this without the need to
patch the build system?


regards

Armin



Disable installation of docs

2021-10-15 Thread Armin Novak
Hi,


I need to deploy custom builds for OpenSSL for some packages I maintain
(flatpak/snap/windows/mac/...)

Most of the build/install time is spent installing the /usr/share/doc
stuff, which is not used in that case anyway.


Is there some configuration option to disable this without the need to
patch the build system?


regards

Armin