[openssl-users] Custom OID strange characters

Robert Sandilands rsandila at netscape.net
Tue Aug 11 16:24:31 UTC 2015


I am trying to build a certificate request with a custom OID and it is encoding strange characters in the certificate.

For example I specify the following line in the .cnf file:
bla_policy = ASN1:PRINTABLESTRING:blabla
Then I get the following when I dump the csr:
           1.2.3.4.5.6.7: 
                ..blabla

The “..” seems to be somewhat random and does not seem to encode a length or anything else. Any ideas on how I can get rid of those two random characters or why I am getting them?

More detail:

OpenSSL version:
1.0.1e on Windows and 1.0.1e.42.el7.9 on CentOS 7.
 
Given the following script:
#!/bin/bash
# Generate a fresh RSA key and a CSR from req.cnf, then dump the CSR as text.

KEYNAME=test.key
CSRNAME=test.csr
SUBJECT="/C=US/ST=Georgia/L=Atlanta/O=Bla/CN=test/emailAddress=certs@bla.com"
DAYS=365

echo Cleaning up
rm -f "$KEYNAME" "$CSRNAME"
echo Generating key "$KEYNAME"
openssl genrsa -out "$KEYNAME" 2048
echo Generating req "$CSRNAME"
openssl req -new -key "$KEYNAME" -out "$CSRNAME" -nodes -subj "$SUBJECT" -verbose -config req.cnf
if [ -f "$CSRNAME" ]; then
  openssl req -in "$CSRNAME" -text -noout | less
fi
 
And the following req.cnf:
oid_section             = new_oids
 
[ new_oids ]
bla_policy = 1.2.3.4.5.6.7
 
[ req ]
default_bits            = 2048
default_md              = sha256
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
req_extensions = v3_req
 
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = XX
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
localityName                    = Locality Name (eg, city)
localityName_default            = Default City
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Default Company Ltd
organizationalUnitName          = Organizational Unit Name (eg, section)
commonName                      = Common Name (eg, your name or your server\'s hostname)
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_max                = 64
 
[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20
unstructuredName                = An optional company name
 
[ v3_req ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement
extendedKeyUsage=clientAuth, emailProtection
# arbitrary extension: the value is DER-encoded as a PrintableString
bla_policy = ASN1:PRINTABLESTRING:blabla
 
Get the following output:
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=Georgia, L=Atlanta, O=Bla, CN=test/emailAddress=certs@bla.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
… (Deleted for clarity)
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, E-mail Protection
            1.2.3.4.5.6.7: 
                ..blabla
    Signature Algorithm: sha256WithRSAEncryption
… (Deleted for clarity)
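Added example, not from the original post and not OpenSSL's own code: a standard-library Python DER decoder that reads the bytes `ASN1:PRINTABLESTRING:blabla` produces (tag 0x13, length 0x06, then the six characters) and renders them the way `openssl req -text` prints an extension it has no dedicated printer for. The input bytes are constructed from the DER rules for PrintableString, and the printer is an approximation of OpenSSL's fallback, which shows non-printable bytes as `.`.

```python
# Added example (not from the original post): decode the DER value produced by
# "ASN1:PRINTABLESTRING:blabla" and show where the two leading dots come from.

# Constructed input: tag 0x13 (PrintableString), length 0x06, then "blabla".
EXT_VALUE = bytes.fromhex("13 06 62 6c 61 62 6c 61")

TAG_NAMES = {0x04: "OCTET STRING", 0x0c: "UTF8String",
             0x13: "PrintableString", 0x16: "IA5String"}


def parse_tlv(buf):
    """Decode one DER tag-length-value; returns (tag, length, value, bytes consumed)."""
    if len(buf) < 2:
        raise ValueError("truncated TLV header")
    tag = buf[0]
    if tag & 0x1f == 0x1f:
        raise ValueError("multi-byte tag numbers not handled here")
    first, pos = buf[1], 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form: 0x8N then N length bytes
        n = first & 0x7f
        if n == 0 or n > 4 or len(buf) < pos + n:
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length < 0x80:
            raise ValueError("non-minimal length is not valid DER")
    if len(buf) < pos + length:
        raise ValueError("value truncated")
    return tag, length, buf[pos:pos + length], pos + length


def openssl_style_dump(raw):
    """Approximate OpenSSL's fallback printer: ASCII 0x20..0x7e as-is, else '.'."""
    return "".join(chr(b) if 0x20 <= b <= 0x7e else "." for b in raw)


def describe_extension(raw):
    """Explain a raw extension value: what the dump shows and what the bytes mean."""
    tag, length, value, used = parse_tlv(raw)
    if used != len(raw):
        raise ValueError("trailing bytes after the TLV")
    return {"dump": openssl_style_dump(raw), "tag": tag,
            "tag_name": TAG_NAMES.get(tag, "unknown"), "length": length,
            "text": value.decode("ascii")}


if __name__ == "__main__":
    info = describe_extension(EXT_VALUE)
    # '..blabla': the dots are the tag byte 0x13 and the length byte 0x06
    print(repr(info["dump"]), info["tag_name"], info["length"], info["text"])
```

On the real CSR, `openssl asn1parse -in test.csr -i` shows the extension value as an OCTET STRING, and `-strparse <offset>` on that OCTET STRING decodes the PrintableString inside it.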
 

