IPv6 address encoding in commonName
levitte at openssl.org
Thu Aug 15 05:38:04 UTC 2019
On Thu, 15 Aug 2019 00:47:41 +0200,
Michael Richardson wrote:
> Robert Moskowitz <rgm at htt-consult.com> wrote:
> > I am fiddling around with an intermediate CA signing cert that the CA's
> > 'name' is it HIP (RFC 7401) HIT which is a valid IPv6 address. Actually a
> > Hierarchical HIT as in draft-moskowitz-hierarchical-hip (to be revised soon).
> > For a client cert, it would be easy to put the HIT in subjectAltName per RFC
> > 8002 (with a null subjectName), but a CA cert MUST have a non-empty
> > subjectName.
> > Thus all I want in this subjectName is commonName with the HIT.
> > I am looking for examples of IPv6 addresses in commonName.
> I thought that RFC3779 did exactly what you want, but it does not define new
> Subject DN, but rather a new extension that will be bound to the Subject.
> (I was surprised that RFC3779 was not in the SIDR WG's list of documents,but
> I guess it preceeded the SIDR working group, and occured in PKIX)
OpenSSL does support that extension... crypto/x509v3/v3_addr.c (moved
to crypto/x509/v3_addr.c in next major version) is all about that as
far as I can see.
Thanks for bringing that up. Trying to infer some kind of meaning
into commonName would be a mistake (isn't previous such hacks the very
reason we have the subjectAltName extension?)
> > In practice you could follow the nibble notation as already used
> > for delegation of IPv6 reverse lookups in DNS.
> so more correctly:
> > However for the CN in the end cert you could perhaps use the full
> > DNS reverse IPv6 name
> > "x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa"
> > or the URL/Mail notation "[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]"
> > where the hex notation shall be the shortest form permitted by the
> > IPv6 notation spec.
> Bob, this seems like the best immediate hack to me.
"hack" would be the operative word here. While it's true that this
would fulfill the objective, I frankly wouldn't like to see such a
Richard Levitte levitte at openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
More information about the openssl-users