IPv6 address encoding in commonName

Richard Levitte levitte at openssl.org
Thu Aug 15 05:38:04 UTC 2019


On Thu, 15 Aug 2019 00:47:41 +0200,
Michael Richardson wrote:
> 
> 
> Robert Moskowitz <rgm at htt-consult.com> wrote:
>     > I am fiddling around with an intermediate CA signing cert that the CA's
>     > 'name' is its HIP (RFC 7401) HIT which is a valid IPv6 address. Actually a
>     > Hierarchical HIT as in draft-moskowitz-hierarchical-hip (to be revised soon).
> 
>     > For a client cert, it would be easy to put the HIT in subjectAltName per RFC
>     > 8002 (with a null subjectName), but a CA cert MUST have a non-empty
>     > subjectName.
> 
>     > Thus all I want in this subjectName is commonName with the HIT.
>     > I am looking for examples of IPv6 addresses in commonName.
> 
> I thought that RFC3779 did exactly what you want, but it does not define new
> Subject DN, but rather a new extension that will be bound to the Subject.
> (I was surprised that RFC3779 was not in the SIDR WG's list of documents, but
> I guess it preceded the SIDR working group, and occurred in PKIX)

OpenSSL does support that extension...  crypto/x509v3/v3_addr.c (moved
to crypto/x509/v3_addr.c in next major version) is all about that as
far as I can see.

Thanks for bringing that up.  Trying to infer some kind of meaning
into commonName would be a mistake (aren't previous such hacks the very
reason we have the subjectAltName extension?)

>     > In practice you could follow the nibble notation as already used
>     > for delegation of IPv6 reverse lookups in DNS.
> 
> so more correctly:
>      DC=2/DC=0/DC=0/DC=1/DC=d/DC=b/DC=8
> 
>     > However for the CN in the end cert you could perhaps use the full
>     > DNS reverse IPv6 name
>     > "x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa"
>     > or the URL/Mail notation "[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]"
>     > where the hex notation shall be the shortest form permitted by the
>     > IPv6 notation spec.
> 
> Bob, this seems like the best immediate hack to me.

"hack" would be the operative word here.  While it's true that this
would fulfill the objective, I frankly wouldn't like to see such a
cert.

Cheers,
Richard

-- 
Richard Levitte         levitte at openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/
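As an added illustration (not code from the thread, OpenSSL, or any of the posters), the following stdlib-only Python builds the three encodings the thread contrasts: the subjectAltName iPAddress GeneralName from RFC 5280 section 4.2.1.6 (the form RFC 8002 uses for a HIT, and the one Richard prefers), hand-encoded as DER and decoded back; and the two commonName "hacks" from the quoted reply, the ip6.arpa nibble name and the bracketed shortest-form text, plus the DC= nibble chain for a prefix. The address 2001:db8::1 and the prefix 2001:db8::/32 are constructed samples from the documentation range, not real HITs; the decoder also accepts a 4-byte iPAddress so the same code handles IPv4 names.

```python
"""Added example: IPv6 (e.g. a HIP HIT) in subjectAltName iPAddress vs.
commonName text forms.  Standard library only; DER is encoded by hand.
Sample address/prefix are constructed (documentation range)."""
import ipaddress

SAMPLE_HIT = "2001:db8::1"          # constructed sample, not a real HIT
SAMPLE_PREFIX = "2001:db8::/32"     # constructed sample hierarchy prefix

OID_SUBJECT_ALT_NAME = bytes.fromhex("551d11")  # 2.5.29.17, DER body


def der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def read_tlv(buf: bytes, pos: int = 0):
    """Read one DER TLV at buf[pos]; return (tag, content, end offset)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    return tag, buf[pos:pos + length], pos + length


def san_ipaddress_extension(addr: str) -> bytes:
    """Whole Extension: SEQUENCE { OID subjectAltName, OCTET STRING {
    GeneralNames ::= SEQUENCE { [7] iPAddress } } }.  In a SAN the
    iPAddress holds only the raw address octets (16 for IPv6, 4 for IPv4);
    the address+mask form is used only in name constraints."""
    packed = ipaddress.ip_address(addr).packed
    general_name = der_tlv(0x87, packed)          # [7] IMPLICIT OCTET STRING
    general_names = der_tlv(0x30, general_name)   # SEQUENCE OF GeneralName
    oid = der_tlv(0x06, OID_SUBJECT_ALT_NAME)
    return der_tlv(0x30, oid + der_tlv(0x04, general_names))


def parse_san_ipaddresses(ext: bytes) -> list:
    """Return the iPAddress entries of a DER subjectAltName extension."""
    tag, body, _ = read_tlv(ext)
    if tag != 0x30:
        raise ValueError("extension is not a SEQUENCE")
    _, oid, pos = read_tlv(body)
    if oid != OID_SUBJECT_ALT_NAME:
        raise ValueError("not a subjectAltName extension")
    tag, val, pos = read_tlv(body, pos)
    if tag == 0x01:                                # optional 'critical' BOOLEAN
        tag, val, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue is not an OCTET STRING")
    _, names, _ = read_tlv(val)
    out, p = [], 0
    while p < len(names):
        t, content, p = read_tlv(names, p)
        if t == 0x87:                              # packed length selects the family
            out.append(str(ipaddress.ip_address(content)))
    return out


def reverse_nibble_name(addr: str) -> str:
    """Full ip6.arpa form from the quoted reply: 32 reversed nibbles."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def bracket_form(addr: str) -> str:
    """URL/mail style '[...]' with the shortest RFC 5952 text form."""
    return "[" + ipaddress.IPv6Address(addr).compressed + "]"


def dc_chain(network: str) -> str:
    """DC= chain of the prefix's nibbles, most significant first."""
    net = ipaddress.IPv6Network(network, strict=False)
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return "/".join("DC=" + n for n in nibbles)


if __name__ == "__main__":
    ext = san_ipaddress_extension(SAMPLE_HIT)
    print("SAN extension DER:", ext.hex())
    print("decoded iPAddress:", parse_san_ipaddresses(ext))
    print("ip6.arpa CN:", reverse_nibble_name(SAMPLE_HIT))
    print("bracket CN:", bracket_form(SAMPLE_HIT))
    print("DC chain:", dc_chain(SAMPLE_PREFIX))
```

The DER form is what `openssl x509 -text` prints as `IP Address:2001:DB8:0:0:0:0:0:1` under "X509v3 Subject Alternative Name"; the other three are just strings that only a purpose-built verifier would ever interpret, which is the point of Richard's objection.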

