Re: Setting Issuer Alternative Name

maybe progress?

On 5/12/23 21:58, Viktor Dukhovni wrote:
> On Thu, May 11, 2023 at 03:48:52PM -0400, Robert Moskowitz wrote:
>
> No, you would use "otherName", which is a combination of an OID and
> corresponding data.  You would register (if there isn't one already) a
> suitable OID for DET-values, and choose a suitable DET encoding to go
> with that OID.
>
>> I was told that the name in openSSL is IP, not as 5280 uses, iPAddress.
>
> If these DET certificates are really IP address certificates (i.e.
> authenticate a node at the specified address, as e.g. for establishing
> IPSEC connections, or HTTPS connections to IP-address valued origin
> URLs, ...), then sure, you could overload the IP address SAN.  But I
> suspect that's not the case...
>
>> It would seem that some generalName is supported here, but how to code
>> it in the conf file?
>
> There are example SANs in x509v3_config(5), the last of which is
> "otherName":
>
>     otherName can include arbitrary data associated with an OID: the value
>     should be the OID followed by a semicolon and the content in standard
>     ASN1_generate_nconf(3) format.
>
>     Examples:
>
>      subjectAltName=email:copy,email:my@other.address,URI:http://my.url.here/
>      subjectAltName=IP:192.168.7.1
>      subjectAltName=IP:13::17
>      subjectAltName=email:my@other.address,RID:1.2.3.4
>      subjectAltName=otherName:1.2.3.4;UTF8:some other identifier
>
> So see also ASN1_generate_nconf(3).

I looked at that manpage and tried:

authorityKeyIdentifier = otherName:1.3.27.16.2.1.1;BITSTR:20010030000000052aeb9adc1ce8b1ec

1.3.27 is ICAO.  16 is "security".  1 is used for the ICAO IATF PKI.  So I am working on them giving me 1.3.27.16.2...

The error this throws is:

401C5CEDA27F0000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:48:section=v3_ca, name=authorityKeyIdentifier, value=otherName:1.3.27.16.2.1.1;BITSTR:0x20010030000000052aeb9adc1ce8b1ec

So I don't have that conf for authorityKeyIdentifier right. Yet.

SEQ did not work either.

408C8FF6C27F0000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:48:section=v3_ca, name=authorityKeyIdentifier, value=otherName:1.3.27.16.2.1.1;SEQ:20010030000000052aeb9adc1ce8b1ec

What is the proper format?

thanks.
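An added example, not code from the thread or from OpenSSL's own documentation: a req config that carries the same otherName in issuerAltName (the extension the subject line names) and checks that the certificate DER contains the expected encoding. It assumes the openssl CLI is installed; the OID 1.3.27.16.2.1.1 and the 16-byte value are the thread's own and are used here as placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or OpenSSL's docs. Assumes the openssl
# CLI (1.1.1 or 3.x) on PATH. OID 1.3.27.16.2.1.1 and the 16-byte value are the
# ones from the thread; the OID arc is still unassigned there, so treat it as a placeholder.
set -eu
# Build a self-signed cert whose Issuer Alternative Name (and SAN) carry the DET
# as an otherName, then print the certificate DER as one lowercase hex string.
make_det_cert() {
    work=$(mktemp -d)
    cat > "$work/det.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = DET example CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
# authorityKeyIdentifier only understands keyid/issuer, not a GeneralName,
# which is why "otherName:..." is rejected there.
authorityKeyIdentifier = keyid:always
# A hex BIT STRING needs the FORMAT:HEX modifier. Its comma would be read as
# the separator of an inline extension list, so the names go in a section.
issuerAltName = @det_names
subjectAltName = @det_names
[ det_names ]
otherName = 1.3.27.16.2.1.1;FORMAT:HEX,BITSTR:20010030000000052aeb9adc1ce8b1ec
EOF
    openssl req -x509 -config "$work/det.cnf" -days 1 \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null
    openssl x509 -in "$work/cert.pem" -outform DER | od -An -v -tx1 | tr -d ' \n'
    rm -rf "$work"
}
# DER the otherName above must encode to:
# [0] IMPLICIT SEQUENCE { OID 1.3.27.16.2.1.1, [0] EXPLICIT BIT STRING with 0 unused bits }
expected_othername() {
    printf '%s' 'a01d06062b1b10020101a01303110020010030000000052aeb9adc1ce8b1ec'
}
# Succeeds only if the generated certificate contains that exact encoding.
check_det_cert() {
    case "$(make_det_cert)" in
        *"$(expected_othername)"*) return 0 ;;
        *) return 1 ;;
    esac
}
check_det_cert && echo "otherName encoded as expected"
```

`openssl x509 -text` prints such an otherName only as `othername:<unsupported>`, so comparing the raw DER (or `openssl asn1parse` output) is the way to confirm the BIT STRING and OID actually landed in the extension.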