[openssl-users] [ruby/openssl] instead of looking of NIDs and then using X509V3_EXT_nconf_nid, (#141)
mcr at sandelman.ca
Tue Aug 29 20:09:50 UTC 2017
Thank you so much for the reply.
I will comment in the issue as requested, but I'll do so in email so that I
can CC the openssl-users list.
Kazuki Yamaguchi <notifications at github.com> wrote:
> The ruby-core mailing list or this GitHub issue tracker is the right
> place for questions about ruby-openssl.
mcr> Of concern is that when I look at the resulting certificate:
mcr> dooku-[fountain/spec/certs](2.3.0) mcr 10006 %openssl x509 -noout -text -in 12-00-00-66-4D-02.crt
mcr> Certificate:
mcr> ...
mcr> X509v3 Subject Alternative Name:
mcr> othername: 126.96.36.199.4.1.46930.2: ..http://www.sandelman.ca
mcr> Looking at a hexdump I see "0x0c" and "0x17" prior to the http, but
mcr> maybe it's a length or something.... I wondered if there was garbage or
mcr> a UTF-8 BOM or something inserted.. so, I pointed asn1parse at the
mcr> result, and I see:
ky> NIDs can be added at run time with OpenSSL::ASN1::ObjectId.register
ky> (which calls OBJ_create()), but yes, this should be fixed.
I did not find a way to call OBJ_create() from ruby. Is there one?
Many OpenSSL FAQs suggest you need to hack objects.h and recompile, which is
clearly a PITA if you are trying to live above distribute ruby binaries, so I
was looking for another way.
ky> For whatever reason, OpenSSL::X509::ExtensionFactory#create_ext has
ky> accepted long names which aren't handled by the non-generic extensions
ky> path of X509V3_EXT_nconf(). For compatibility I guess it will be like
Ah, that's why it uses that way.
I'll add that code to my tree, and update the pull request.
Are there regression tests which cover that?
I was hoping travis would tell me about such failures that I didn't know
ky> It's working as expected. The ASN.1 type definition of Extension is:
ky> -- contains the DER encoding of an ASN.1 value
ky> The leading "\x0c\x17" is the BER tag and the length of the UTF8String
ky> encapsulated in the 'extnValue'.
okay, so "openssl x509 -text" is failing to decode that then.
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] mcr at sandelman.ca http://www.sandelman.ca/ | ruby on rails [
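The point quoted above, that the leading "\x0c\x17" is the tag and length of a UTF8String encapsulated in the extension's OCTET STRING, can be reproduced with OpenSSL::ASN1. This is an added example, not code from the original message or from ruby/openssl; the OID is a placeholder from the 2.999 example arc and the helper names are hypothetical.

```ruby
require "openssl"

# Constructed sample values: the URI is the one shown in the thread; the OID is
# a placeholder from the 2.999 example arc, not the OID in the certificate.
SAMPLE_URI = "http://www.sandelman.ca"
PLACEHOLDER_OID = "2.999.1"

# Build Extension ::= SEQUENCE { extnID, extnValue OCTET STRING } whose
# OCTET STRING holds the DER encoding of a UTF8String.
def build_sample_extension(uri = SAMPLE_URI, oid = PLACEHOLDER_OID)
  inner_der = OpenSSL::ASN1::UTF8String.new(uri).to_der
  OpenSSL::ASN1::Sequence.new([
    OpenSSL::ASN1::ObjectId.new(oid),
    OpenSSL::ASN1::OctetString.new(inner_der)
  ]).to_der
end

# Read the tag and length octets at the start of extnValue by hand, then let
# OpenSSL decode the same bytes so the two views can be compared.
def inspect_extn_value(ext_der)
  ext = OpenSSL::ASN1.decode(ext_der)
  raise ArgumentError, "not a SEQUENCE" unless ext.is_a?(OpenSSL::ASN1::Sequence)
  octets = ext.value.last # extnValue is last, with or without 'critical'
  raise ArgumentError, "extnValue is not an OCTET STRING" unless octets.is_a?(OpenSSL::ASN1::OctetString)

  raw = octets.value
  tag, len = raw.bytes.first(2)
  raise ArgumentError, "extnValue too short" if len.nil?
  raise ArgumentError, "long-form length not handled in this example" if len >= 0x80
  raise ArgumentError, "length octet does not match content" unless raw.bytesize == 2 + len

  inner = OpenSSL::ASN1.decode(raw)
  { header: raw.byteslice(0, 2), tag: tag, length: len,
    type: inner.class, text: inner.value }
end

if __FILE__ == $PROGRAM_NAME
  info = inspect_extn_value(build_sample_extension)
  printf("tag=0x%02x length=0x%02x (%d) type=%s text=%s\n",
         info[:tag], info[:length], info[:length], info[:type], info[:text])
end
```

Tag 0x0c is the universal tag for UTF8String, and 0x17 is 23, the byte length of the URI, so neither octet is garbage or a BOM.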