To align with RFC 4519, sections 2.31 and 2.32, the abbreviation for surname
is changed to "SN", which was previously used for serialNumber; serialNumber
does not have an abbreviation.
This mapping had its origins in the X.509 patch for FreeS/WAN that was
started in 2000. It was aligned with how OpenSSL did this in earlier
versions. However, there it was changed already in March 2002 (commit
ffbe98b7630d604263cfb1118c67ca2617a8e222) to make it compatible with
RFC 2256 (predecessor of RFC 4519).
Co-authored-by: Tobias Brunner <tobias@strongswan.org>
Closes strongswan/strongswan#179.
0x55 "X.500"
0x04 "X.509"
0x03 "CN" OID_COMMON_NAME
- 0x04 "S" OID_SURNAME
- 0x05 "SN" OID_SERIAL_NUMBER
+ 0x04 "SN" OID_SURNAME
+ 0x05 "serialNumber" OID_SERIAL_NUMBER
0x06 "C" OID_COUNTRY
0x07 "L" OID_LOCALITY
0x08 "ST" OID_STATE_OR_PROVINCE
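Review bot: The renamed entries at lines 16–17 change the text operators see and match on: a certificate carrying serialNumber now renders as `serialNumber=...` instead of `SN=...`, and `SN=...` now denotes a surname, so an identity string copied from an older log or configuration no longer means the same thing. The hunk does not show how this table is consumed, but if it feeds the generated OID name table used for DN output, I would record the change where the generator allows a comment, e.g. `# RFC 4519 2.31/2.32: SN is surname; serialNumber has no short form`, and mention the old `SN=`/`S=` forms in the release notes so the break is discoverable rather than surfacing only as failed identity matches. The table this hunk edits continues outside the hunk.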
{"UID", OID_PILOT_USERID, ASN1_PRINTABLESTRING},
{"DC", OID_PILOT_DOMAIN_COMPONENT, ASN1_PRINTABLESTRING},
{"CN", OID_COMMON_NAME, ASN1_PRINTABLESTRING},
- {"S", OID_SURNAME, ASN1_PRINTABLESTRING},
- {"SN", OID_SERIAL_NUMBER, ASN1_PRINTABLESTRING},
+ {"SN", OID_SURNAME, ASN1_PRINTABLESTRING},
{"serialNumber", OID_SERIAL_NUMBER, ASN1_PRINTABLESTRING},
{"C", OID_COUNTRY, ASN1_PRINTABLESTRING},
{"L", OID_LOCALITY, ASN1_PRINTABLESTRING},
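Review bot: The `S` entry removed at line 24 has no successor, so an identity configured as `S=<surname>` is presumably rejected by the string-to-DN parser, and a stored `SN=<value>` written against the previous mapping now parses as a surname and simply fails to match, with nothing in the hunk distinguishing that from a genuine identity mismatch. If backward compatibility for existing configurations is wanted, an input alias `{"S", OID_SURNAME, ASN1_PRINTABLESTRING}, /* legacy alias, parse only */` placed after the new `SN` entry would keep old configurations parsing while an OID-to-name lookup still yields `SN` first, assuming lookups take the first match. The array this hunk edits starts and ends outside the hunk.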
id_part_t type;
} oid2part[] = {
{OID_COMMON_NAME, ID_PART_RDN_CN},
- {OID_SURNAME, ID_PART_RDN_S},
- {OID_SERIAL_NUMBER, ID_PART_RDN_SN},
+ {OID_SURNAME, ID_PART_RDN_SN},
+ {OID_SERIAL_NUMBER, ID_PART_RDN_SERIAL_NUMBER},
{OID_COUNTRY, ID_PART_RDN_C},
{OID_LOCALITY, ID_PART_RDN_L},
{OID_STATE_OR_PROVINCE, ID_PART_RDN_ST},
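Review bot: `ID_PART_RDN_SN` keeps its identifier but changes meaning from serialNumber to surname (line 35 here, and the enum at lines 43–47), so any code outside this diff that tests for `ID_PART_RDN_SN` still compiles and silently receives the surname part. A rename to something like `ID_PART_RDN_SURNAME` would turn such stale uses into compile errors; if the name is kept, I would at least have the enum comment carry the history, `/** Surname RDN of a DN (was serialNumber before the RFC 4519 alignment) */`. Removing `ID_PART_RDN_S` also shifts the numeric value of every later enumerator, which matters if these values cross a plugin or serialization boundary — not visible here. Both the array definition in this hunk and the enum start outside their hunks.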
/** OrganizationUnit RDN of a DN */
ID_PART_RDN_OU,
/** Surname RDN of a DN */
- ID_PART_RDN_S,
- /** SerialNumber RDN of a DN */
ID_PART_RDN_SN,
+ /** SerialNumber RDN of a DN */
+ ID_PART_RDN_SERIAL_NUMBER,
/** StateOrProvince RDN of a DN */
ID_PART_RDN_ST,
/** Title RDN of a DN */
cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
-# Generate another carol certificate with SN=002
+# Generate another carol certificate with serialNumber=002
TEST="${TEST_DIR}/ikev2/two-certs"
TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-002.pem"
TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-002.pem"
pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
--in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
- --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, SN=002, CN=${CN}" \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, serialNumber=002, CN=${CN}" \
--outform pem > ${TEST_CERT}
cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
moon:: cat /var/log/daemon.log::signature validation failed, looking for another key::NO
-moon:: cat /var/log/daemon.log::using certificate.*OU=Research, SN=002, CN=carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::using certificate.*OU=Research, serialNumber=002, CN=carol@strongswan.org::YES
moon:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
carol::ipsec status 2> /dev/null::venus.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES