From: Коренберг Марк
Date: Wed, 15 Jul 2020 08:25:56 +0000 (+0500)
Subject: identification: Change abbreviation for surname/serialNumber RDNs
X-Git-Tag: 5.9.2dr2~25
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d8e4a2a777e1c047f79cf5340d8339d0d980c9fc;p=thirdparty%2Fstrongswan.git
identification: Change abbreviation for surname/serialNumber RDNs
To align with RFC 4519, section 2.31/32, the abbreviation for surname is changed to "SN" that was previously used for serialNumber, which does not have an abbreviation. This mapping had its origins in the X.509 patch for FreeS/WAN that was started in 2000. It was aligned with how OpenSSL did this in earlier versions. However, there it was changed already in March 2002 (commit ffbe98b7630d604263cfb1118c67ca2617a8e222) to make it compatible with RFC 2256 (predecessor of RFC 4519).
Co-authored-by: Tobias Brunner
Closes strongswan/strongswan#179.
---
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index 723cb36fcd..b09f9eafa6 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -19,8 +19,8 @@
 0x55 "X.500"
 0x04 "X.509"
 0x03 "CN" OID_COMMON_NAME
- 0x04 "S" OID_SURNAME
- 0x05 "SN" OID_SERIAL_NUMBER
+ 0x04 "SN" OID_SURNAME
+ 0x05 "serialNumber" OID_SERIAL_NUMBER
 0x06 "C" OID_COUNTRY
 0x07 "L" OID_LOCALITY
 0x08 "ST" OID_STATE_OR_PROVINCE
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index eabf745844..0175f8da93 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -67,8 +67,7 @@ static const x501rdn_t x501rdns[] = {
 {"UID", OID_PILOT_USERID, ASN1_PRINTABLESTRING},
 {"DC", OID_PILOT_DOMAIN_COMPONENT, ASN1_PRINTABLESTRING},
 {"CN", OID_COMMON_NAME, ASN1_PRINTABLESTRING},
- {"S", OID_SURNAME, ASN1_PRINTABLESTRING},
- {"SN", OID_SERIAL_NUMBER, ASN1_PRINTABLESTRING},
+ {"SN", OID_SURNAME, ASN1_PRINTABLESTRING},
 {"serialNumber", OID_SERIAL_NUMBER, ASN1_PRINTABLESTRING},
 {"C", OID_COUNTRY, ASN1_PRINTABLESTRING},
 {"L", OID_LOCALITY, ASN1_PRINTABLESTRING},
@@ -217,8 +216,8 @@ METHOD(enumerator_t, rdn_part_enumerate, bool,
 id_part_t type;
 } oid2part[] = {
 {OID_COMMON_NAME, ID_PART_RDN_CN},
- {OID_SURNAME, ID_PART_RDN_S},
- {OID_SERIAL_NUMBER, ID_PART_RDN_SN},
+ {OID_SURNAME, ID_PART_RDN_SN},
+ {OID_SERIAL_NUMBER, ID_PART_RDN_SERIAL_NUMBER},
 {OID_COUNTRY, ID_PART_RDN_C},
 {OID_LOCALITY, ID_PART_RDN_L},
 {OID_STATE_OR_PROVINCE, ID_PART_RDN_ST},
diff --git a/src/libstrongswan/utils/identification.h b/src/libstrongswan/utils/identification.h
index e2be67bbf8..90d945d3fb 100644
--- a/src/libstrongswan/utils/identification.h
+++ b/src/libstrongswan/utils/identification.h
@@ -183,9 +183,9 @@ enum id_part_t {
 /** OrganizationUnit RDN of a DN */
 ID_PART_RDN_OU,
 /** Surname RDN of a DN */
- ID_PART_RDN_S,
- /** SerialNumber RDN of a DN */
 ID_PART_RDN_SN,
+ /** SerialNumber RDN of a DN */
+ ID_PART_RDN_SERIAL_NUMBER,
 /** StateOrProvince RDN of a DN */
 ID_PART_RDN_ST,
 /** Title RDN of a DN */
diff --git a/testing/scripts/build-certs-chroot b/testing/scripts/build-certs-chroot
index 714afdbd7a..4847a2d455 100755
--- a/testing/scripts/build-certs-chroot
+++ b/testing/scripts/build-certs-chroot
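Review bot: With the `{"S", OID_SURNAME, ...}` row gone from `x501rdns[]` at -67, a DN written with the old abbreviation (`S=...`) stops parsing, and one written with `SN=...` to mean serialNumber now silently yields a surname attribute, so an identity constraint in an existing configuration can stop matching a peer certificate without any parse error. If DN printing picks the first table entry for a given OID (not visible in this hunk), the old spelling could stay accepted on input by appending `{"S", OID_SURNAME, ASN1_PRINTABLESTRING},` after the new `"SN"` row; if it does not, the commit message should at least state that `SN=` and `S=` in existing configurations change meaning. `oid2part[]` at -217 carries the same remapping for `rdn_part_enumerate` and needs no separate change. Both arrays continue outside their hunks.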
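Review bot: `ID_PART_RDN_SN` keeps its identifier but changes meaning from serialNumber to surname at -183, so source written against the old header that selects a serial number through `ID_PART_RDN_SN` still compiles and silently acts on the surname instead (uses of the removed `ID_PART_RDN_S` fail loudly, which is the better outcome). A short remark on the declaration would make the reuse visible where a reader looks first, e.g. `/** Surname RDN of a DN (this value formerly denoted the SerialNumber RDN, now ID_PART_RDN_SERIAL_NUMBER) */`. Any string or lookup table indexed by `id_part_t` elsewhere in the tree presumably needs the same reordering; that is not visible here. `enum id_part_t` continues outside the hunk.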
@@ -460,7 +460,7 @@ mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
 cp ${TEST_KEY} ${TEST}/hosts/carol/${IPSEC_DIR}/private
 cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
 
-# Generate another carol certificate with SN=002
+# Generate another carol certificate with serialNumber=002
 TEST="${TEST_DIR}/ikev2/two-certs"
 TEST_KEY="${TEST}/hosts/carol/${IPSEC_DIR}/private/carolKey-002.pem"
 TEST_CERT="${TEST}/hosts/carol/${IPSEC_DIR}/certs/carolCert-002.pem"
@@ -470,7 +470,7 @@ mkdir -p ${TEST}/hosts/carol/${IPSEC_DIR}/certs
 pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
 pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
 --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
- --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, SN=002, CN=${CN}" \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=Research, serialNumber=002, CN=${CN}" \
 --outform pem > ${TEST_CERT}
 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
 
diff --git a/testing/tests/ikev2/two-certs/evaltest.dat b/testing/tests/ikev2/two-certs/evaltest.dat
index 41601102fc..f1b252c4bc 100644
--- a/testing/tests/ikev2/two-certs/evaltest.dat
+++ b/testing/tests/ikev2/two-certs/evaltest.dat
@@ -3,7 +3,7 @@ moon:: ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 moon:: cat /var/log/daemon.log::signature validation failed, looking for another key::NO
-moon:: cat /var/log/daemon.log::using certificate.*OU=Research, SN=002, CN=carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::using certificate.*OU=Research, serialNumber=002, CN=carol@strongswan.org::YES
 moon:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::venus.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
 carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES