[openssl-users] custom name attributes not sent with certificate

Fri Feb 6 15:26:40 UTC 2015

My bad.
I was using the wrong version of the certificate.
Sometimes double checking is not enough. I learned a lesson: Always triple check.
Sorry,
Jacques

-----Original Message-----
From: Florence, Jacques 
Sent: Friday, February 06, 2015 9:38 AM
To: 'openssl-users at openssl.org'
Subject: RE: [openssl-users] custom name attributes not sent with certificate

Jakob,
Thanks for the reply. 
You're right, the cert shouldn't verify if it's changed.
However, using wireshark, I can see the other parts of the name being sent in clear ascii, but not that custom attribute.
Assuming it's encoded in some format.
Once the server receives the cert, it is not able to acces this attribute:
Using X509_NAME_print_ex_fp(...) I don't see that attribute.
Also, if I create an ASN1_OBJECT using OBJ_create() (with the OID and name I assigned in the cnf file) then OBJ_nid2obj(), and then use X509_NAME_get_entry and X509_NAME_ENTRY_get_object, I can display the standard fields, but not my attribute

-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Jakob Bohm
Sent: Friday, February 06, 2015 9:15 AM
To: openssl-users at openssl.org
Subject: Re: [openssl-users] custom name attributes not sent with certificate

On 06/02/2015 00:21, Florence, Jacques wrote:
>
> I created a client certificate with custom name attributes:
>
> In the openssl.cnf file, I addedunder section [ new_oids ] the line: 
> myattribute=1.2.3.4
>
> And under [ req_distinguished_name ] I added the line: myattribute = 
> hello
>
> If I use the openssl tool x509, I see that my new attribute appears in 
> the name, after the email address.
>
> However, when the certificate is sent to the server, the server cannot 
> read this attribute.
>
> I used wireshark and saw that my custome attribute is not sent with 
> the rest of the name.
>
> Why is that ?
>
>
Are you sure this is what is really happening?

If any byte in the signed part of the certificate (and this most certainly includes the name) is changed, the certificate should completely fail to verify.

So are you sure the name isn't sent?  Maybe it is just the utility you use to display the sent certificate which fails to display unknown name components.

P.S.

I presume that for any real use, you would use an officially allocated OID to avoid clashing with what other people use.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users