[openssl-users] [ruby/openssl] instead of looking of NIDs and then using X509V3_EXT_nconf_nid, (#141)

Michael Richardson mcr at sandelman.ca
Tue Aug 29 20:09:50 UTC 2017


Thank you so much for the reply.

I will comment in the issue as requested, but I'll do so in email so that I
can CC the openssl-users list.

Kazuki Yamaguchi <notifications at github.com> wrote:
    > The ruby-core mailing list or this GitHub issue tracker is the right
    > place for questions about ruby-openssl.

    mcr> Of concern is that when I look at the resulting certificate:

    mcr> dooku-[fountain/spec/certs](2.3.0) mcr 10006 %openssl x509 -noout -text
    mcr> -in 12-00-00-66-4D-02.crt Certificate: ...  X509v3 Subject Alternative
    mcr> Name: othername: 1.3.6.1.4.1.46930.2: ..http://www.sandelman.ca

    mcr> Looking at a hexdump I see "0x0c" and "0x17" prior to the http, but
    mcr> maybe it's a length or something.... I wondered if there was garbage or
    mcr> a UTF-8 BOM or something inserted..  so, I pointed asn1parse at the
    mcr> result, and I see:

ky> NIDs can be added at run time with OpenSSL::ASN1::ObjectId.register
ky> (which calls OBJ_create()), but yes, this should be fixed.

I did not find a way to call OBJ_create() from ruby.  Is there one?
Many OpenSSL FAQs suggest you need to hack objects.h and recompile, which is
clearly a PITA if you are trying to live above distributed ruby binaries, so I
was looking for another way.

ky> For whatever reason, OpenSSL::X509::ExtensionFactory#create_ext has
ky> accepted long names which aren't handled by the non-generic extensions
ky> path of X509V3_EXT_nconf(). For compatibility I guess it will be like
ky> this...

Ah, that's why it uses that way.
I'll add that code to my tree, and update the pull request.

Are there regression tests which cover that?
I was hoping travis would tell me about such failures that I didn't know
about :-)

ky> It's working as expected. The ASN.1 type definition of Extension is:

ky>                 -- contains the DER encoding of an ASN.1 value

ky> The leading "\x0c\x17" is the BER tag and the length of the UTF8String
ky> encapsulated in the 'extnValue'.

okay, so "openssl x509 -text" is failing to decode that then.

#  @value="http://www.sandelman.ca">

Awesome!

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
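The exchange above turns on two points: extnValue carries the DER of an ASN.1 value (so the "\x0c\x17" in front of the URL is the UTF8String tag and its length, not garbage), and ruby-openssl can give an OID a name at run time through OpenSSL::ASN1::ObjectId.register, which calls OBJ_create(). The following Ruby is an added example written for this archive page, not code from the pull request or from ruby/openssl itself. It uses the OID and URL from the certificate dump quoted in the message; the short and long names passed to register, and all function names, are hypothetical placeholders.

```ruby
require "openssl"

# Constructed sample data, taken from the certificate dump quoted in the post.
OTHER_NAME_OID = "1.3.6.1.4.1.46930.2"
SAMPLE_URL     = "http://www.sandelman.ca"

# Encode a value the way extnValue carries it: the DER of a UTF8String.
def utf8_der(str)
  OpenSSL::ASN1::UTF8String.new(str).to_der
end

# The two bytes that "openssl x509 -text" printed as "..": the UTF8String
# tag (0x0c) followed by the length of the string that follows it.
def tag_and_length(der)
  der.unpack("CC")
end

# Build a GeneralNames SEQUENCE holding a single otherName:
#   otherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY }
# GeneralName tags otherName itself as [0] IMPLICIT.
def general_names_with_other_name(oid, str)
  other_name = OpenSSL::ASN1::Sequence.new([
    OpenSSL::ASN1::ObjectId.new(oid),
    OpenSSL::ASN1::UTF8String.new(str, 0, :EXPLICIT)
  ], 0, :IMPLICIT)
  OpenSSL::ASN1::Sequence.new([other_name]).to_der
end

# Decode a GeneralNames DER and return [oid, string] pairs for every otherName,
# descending through the [0] tags that the x509 printer left undecoded for an
# OID it does not know.
def decode_other_names(gns_der)
  OpenSSL::ASN1.decode(gns_der).value.each_with_object([]) do |gn, found|
    next unless gn.tag_class == :CONTEXT_SPECIFIC && gn.tag == 0
    type_id, wrapped = gn.value        # OBJECT IDENTIFIER, [0] EXPLICIT value
    inner = wrapped.value.first        # the UTF8String inside the [0] wrapper
    found << [type_id.oid, inner.value]
  end
end

# Register a name for the OID at run time (ObjectId.register calls OBJ_create()).
# The short/long names here are hypothetical placeholders. OBJ_create refuses a
# name that already exists in the process, so a repeat call is tolerated.
def register_other_name_oid(sn = "exampleOtherName", ln = "Example otherName")
  begin
    OpenSSL::ASN1::ObjectId.register(OTHER_NAME_OID, sn, ln)
  rescue OpenSSL::ASN1::ASN1Error
    # already registered earlier in this process
  end
  OpenSSL::ASN1::ObjectId.new(OTHER_NAME_OID).sn
end

if __FILE__ == $0
  der = utf8_der(SAMPLE_URL)
  printf("tag/length: %02x %02x (%d bytes of string)\n", *tag_and_length(der), SAMPLE_URL.bytesize)
  gns = general_names_with_other_name(OTHER_NAME_OID, SAMPLE_URL)
  p decode_other_names(gns)
  puts "short name after register: #{register_other_name_oid}"
end
```

Run it with any Ruby that ships the openssl extension; the decoded pair shows the URL exactly as the asn1parse output in the post did, with 0x17 (23) matching the byte length of the string.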
