identification: Change abbreviation for surname/serialNumber RDNs
To align with RFC 4519, section 2.31/32, the abbreviation for surname is changed to "SN" that was previously used for serialNumber, which does not have an abbreviation. This mapping had its origins in the X.509 patch for FreeS/WAN that was started in 2000. It was aligned with how OpenSSL did this in earlier versions. However, there it was changed already in March 2002 (commit ffbe98b7630d604263cfb1118c67ca2617a8e222) to make it compatible with RFC 2256 (predecessor of RFC 4519). Co-authored-by: Tobias Brunner <tobias@strongswan.org> Closes strongswan/strongswan#179.
This commit is contained in:
Коренберг Марк
Tobias Brunner
parent
2610cd7928
commit
d8e4a2a777
|
|
@ -19,8 +19,8 @@
|
|||
0x55 "X.500"
|
||||
0x04 "X.509"
|
||||
0x03 "CN" OID_COMMON_NAME
|
||||
0x04 "S" OID_SURNAME
|
||||
0x05 "SN" OID_SERIAL_NUMBER
|
||||
0x04 "SN" OID_SURNAME
|
||||
0x05 "serialNumber" OID_SERIAL_NUMBER
|
||||
0x06 "C" OID_COUNTRY
|
||||
0x07 "L" OID_LOCALITY
|
||||
0x08 "ST" OID_STATE_OR_PROVINCE
|
||||
|
|
|
|||
|
|
@ -67,8 +67,7 @@ static const x501rdn_t x501rdns[] = {
|
|||
{"UID", OID_PILOT_USERID, ASN1_PRINTABLESTRING},
|
||||
{"DC", OID_PILOT_DOMAIN_COMPONENT, ASN1_PRINTABLESTRING},
|
||||
{"CN", OID_COMMON_NAME, ASN1_PRINTABLESTRING},
|
||||
{"S", OID_SURNAME, ASN1_PRINTABLESTRING},
|
||||
{"SN", OID_SERIAL_NUMBER, ASN1_PRINTABLESTRING},
|
||||
{"SN", OID_SURNAME, ASN1_PRINTABLESTRING},
|
||||
{"serialNumber", OID_SERIAL_NUMBER, ASN1_PRINTABLESTRING},
|
||||
{"C", OID_COUNTRY, ASN1_PRINTABLESTRING},
|
||||
{"L", OID_LOCALITY, ASN1_PRINTABLESTRING},
|
||||
|
|
@ -217,8 +216,8 @@ METHOD(enumerator_t, rdn_part_enumerate, bool,
|
|||
id_part_t type;
|
||||
} oid2part[] = {
|
||||
{OID_COMMON_NAME, ID_PART_RDN_CN},
|
||||
{OID_SURNAME, ID_PART_RDN_S},
|
||||
{OID_SERIAL_NUMBER, ID_PART_RDN_SN},
|
||||
{OID_SURNAME, ID_PART_RDN_SN},
|
||||
{OID_SERIAL_NUMBER, ID_PART_RDN_SERIAL_NUMBER},
|
||||
{OID_COUNTRY, ID_PART_RDN_C},
|
||||
{OID_LOCALITY, ID_PART_RDN_L},
|
||||
{OID_STATE_OR_PROVINCE, ID_PART_RDN_ST},
|
||||
|
|
|
|||
|
|
@ -183,9 +183,9 @@ enum id_part_t {
|
|||
/** OrganizationUnit RDN of a DN */
|
||||
ID_PART_RDN_OU,
|
||||
/** Surname RDN of a DN */
|
||||
ID_PART_RDN_S,
|
||||
/** SerialNumber RDN of a DN */
|
||||
ID_PART_RDN_SN,
|
||||
/** SerialNumber RDN of a DN */
|
||||
ID_PART_RDN_SERIAL_NUMBER,
|
||||
/** StateOrProvince RDN of a DN */
|
||||
ID_PART_RDN_ST,
|
||||
/** Title RDN of a DN */
|
||||
|
|
|
|||
|
|
@ -460,7 +460,7 @@ mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
|
|||
cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
|
||||
cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
|
||||
|
||||
# Generate another carol certificate with SN=002
|
||||
# Generate another carol certificate with serialNumber=002
|
||||
TEST="${TEST_DIR}/ikev2/two-certs"
|
||||
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-002.pem"
|
||||
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-002.pem"
|
||||
|
|
@ -470,7 +470,7 @@ mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
|
|||
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
|
||||
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
|
||||
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
|
||||
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, SN=002, CN=${CN}" \
|
||||
--serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, serialNumber=002, CN=${CN}" \
|
||||
--outform pem > ${TEST_CERT}
|
||||
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
|
||||
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@ moon:: ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
|
|||
carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
|
||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
|
||||
moon:: cat /var/log/daemon.log::signature validation failed, looking for another key::NO
|
||||
moon:: cat /var/log/daemon.log::using certificate.*OU=Research, SN=002, CN=carol@strongswan.org::YES
|
||||
moon:: cat /var/log/daemon.log::using certificate.*OU=Research, serialNumber=002, CN=carol@strongswan.org::YES
|
||||
moon:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
|
||||
carol::ipsec status 2> /dev/null::venus.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
|
||||
carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
|
||||
|
|
|
|||
Loading…
Reference in New Issue