From: Коренберг Марк Date: Wed, 15 Jul 2020 08:25:56 +0000 (+0500) Subject: identification: Change abbreviation for surname/serialNumber RDNs X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d8e4a2a777e1c047f79cf5340d8339d0d980c9fc;p=people%2Fms%2Fstrongswan.git identification: Change abbreviation for surname/serialNumber RDNs To align with RFC 4519, section 2.31/32, the abbreviation for surname is changed to "SN" that was previously used for serialNumber, which does not have an abbreviation. This mapping had its origins in the X.509 patch for FreeS/WAN that was started in 2000. It was aligned with how OpenSSL did this in earlier versions. However, there it was changed already in March 2002 (commit ffbe98b7630d604263cfb1118c67ca2617a8e222) to make it compatible with RFC 2256 (predecessor of RFC 4519). Co-authored-by: Tobias Brunner Closes strongswan/strongswan#179.
---
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index 723cb36fc..b09f9eafa 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -19,8 +19,8 @@
 0x55 "X.500"
 0x04 "X.509"
 0x03 "CN" OID_COMMON_NAME
- 0x04 "S" OID_SURNAME
- 0x05 "SN" OID_SERIAL_NUMBER
+ 0x04 "SN" OID_SURNAME
+ 0x05 "serialNumber" OID_SERIAL_NUMBER
 0x06 "C" OID_COUNTRY
 0x07 "L" OID_LOCALITY
 0x08 "ST" OID_STATE_OR_PROVINCE
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index eabf74584..0175f8da9 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
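Review bot: Nothing in this patch or its message warns operators that the `SN` tag silently changes meaning: a DN string such as `SN=002` that used to yield a serialNumber (2.5.4.5) RDN now yields a surname (2.5.4.4) RDN, and a certificate that carries a serialNumber will from now on be printed as `serialNumber=` instead of `SN=`, which is exactly why the evaltest expectation later in this patch had to be changed. If DN comparison in the daemon works on the encoded RDNs, as I would expect, any identity (`leftid`/`rightid`/`rightca`-style) or `pki --dn` argument that an operator wrote with `SN=` for a serial number will stop matching the peer's certificate after an upgrade, and log-scraping tooling keyed on `SN=` will stop matching as well — fail-closed, but silent. The commit message gives the RFC 4519 rationale but not this impact; I would add a NEWS entry and a sentence to the identity/`pki --dn` documentation along the lines of `SN= now denotes the surname attribute (RFC 4519); use serialNumber= for serialNumber and re-check identities and scripts that used SN= for it.`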
@@ -67,8 +67,7 @@ static const x501rdn_t x501rdns[] = {
 {"UID", OID_PILOT_USERID, ASN1_PRINTABLESTRING},
 {"DC", OID_PILOT_DOMAIN_COMPONENT, ASN1_PRINTABLESTRING},
 {"CN", OID_COMMON_NAME, ASN1_PRINTABLESTRING},
- {"S", OID_SURNAME, ASN1_PRINTABLESTRING},
- {"SN", OID_SERIAL_NUMBER, ASN1_PRINTABLESTRING},
+ {"SN", OID_SURNAME, ASN1_PRINTABLESTRING},
 {"serialNumber", OID_SERIAL_NUMBER, ASN1_PRINTABLESTRING},
 {"C", OID_COUNTRY, ASN1_PRINTABLESTRING},
 {"L", OID_LOCALITY, ASN1_PRINTABLESTRING},
@@ -217,8 +216,8 @@ METHOD(enumerator_t, rdn_part_enumerate, bool,
 id_part_t type;
 } oid2part[] = {
 {OID_COMMON_NAME, ID_PART_RDN_CN},
- {OID_SURNAME, ID_PART_RDN_S},
- {OID_SERIAL_NUMBER, ID_PART_RDN_SN},
+ {OID_SURNAME, ID_PART_RDN_SN},
+ {OID_SERIAL_NUMBER, ID_PART_RDN_SERIAL_NUMBER},
 {OID_COUNTRY, ID_PART_RDN_C},
 {OID_LOCALITY, ID_PART_RDN_L},
 {OID_STATE_OR_PROVINCE, ID_PART_RDN_ST},
diff --git a/src/libstrongswan/utils/identification.h b/src/libstrongswan/utils/identification.h
index e2be67bbf..90d945d3f 100644
--- a/src/libstrongswan/utils/identification.h
+++ b/src/libstrongswan/utils/identification.h
@@ -183,9 +183,9 @@ enum id_part_t {
 /** OrganizationUnit RDN of a DN */
 ID_PART_RDN_OU,
 /** Surname RDN of a DN */
- ID_PART_RDN_S,
- /** SerialNumber RDN of a DN */
 ID_PART_RDN_SN,
+ /** SerialNumber RDN of a DN */
+ ID_PART_RDN_SERIAL_NUMBER,
 /** StateOrProvince RDN of a DN */
 ID_PART_RDN_ST,
 /** Title RDN of a DN */
diff --git a/testing/scripts/build-certs-chroot b/testing/scripts/build-certs-chroot
index 714afdbd7..4847a2d45 100755
--- a/testing/scripts/build-certs-chroot
+++ b/testing/scripts/build-certs-chroot
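Review bot: Keeping the existing enumerator name `ID_PART_RDN_SN` but moving it to the surname slot in the identification.h hunk is a silent semantic flip for any caller that selected the serial number by that name: such code compiles unchanged against the new header and now yields the surname, and this diff updates only the oid2part table in identification.c, so any other consumer would have to be found by grep rather than by the compiler. The ordinal layout is preserved (assuming no explicit values are assigned elsewhere in the enum, `ID_PART_RDN_SN` takes the slot `ID_PART_RDN_S` had and `ID_PART_RDN_SERIAL_NUMBER` the one `ID_PART_RDN_SN` had), so already-built objects keep their old meaning, which makes the source-level flip easier to overlook. At minimum the enumerator comments should record it: `/** Surname RDN of a DN (previously ID_PART_RDN_S) */` above `ID_PART_RDN_SN` and `/** SerialNumber RDN of a DN (previously ID_PART_RDN_SN) */` above `ID_PART_RDN_SERIAL_NUMBER`; a fresh name such as ID_PART_RDN_SURNAME would instead make stale uses fail to compile. The enum id_part_t starts before this hunk and continues after it.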
@@ -460,7 +460,7 @@ mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
 cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
 cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
-# Generate another carol certificate with SN=002
+# Generate another carol certificate with serialNumber=002
 TEST="${TEST_DIR}/ikev2/two-certs"
 TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-002.pem"
 TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-002.pem"
@@ -470,7 +470,7 @@ mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
- --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, SN=002, CN=${CN}" \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, serialNumber=002, CN=${CN}" \
 --outform pem > ${TEST_CERT}
 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
diff --git a/testing/tests/ikev2/two-certs/evaltest.dat b/testing/tests/ikev2/two-certs/evaltest.dat
index 41601102f..f1b252c4b 100644
--- a/testing/tests/ikev2/two-certs/evaltest.dat
+++ b/testing/tests/ikev2/two-certs/evaltest.dat
@@ -3,7 +3,7 @@ moon:: ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 moon:: cat /var/log/daemon.log::signature validation failed, looking for another key::NO
-moon:: cat /var/log/daemon.log::using certificate.*OU=Research, SN=002, CN=carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::using certificate.*OU=Research, serialNumber=002, CN=carol@strongswan.org::YES
 moon:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::venus.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES