QuickCert DN do not match

Discussion in 'Ruby' started by Guillaume Marcais, May 9, 2004.

  1. When I run QuickCert, with the configuration file given on the web
    site, I get:

    [gus@gusmac drbssl]$ QuickCert
    /usr/bin/QuickCert:234:in `sign_cert': DN does not match (RuntimeError)
    from /usr/bin/QuickCert:82:in `create_cert'
    from /usr/bin/QuickCert:352
    from /usr/bin/QuickCert:351:in `each'
    from /usr/bin/QuickCert:351

    The offending line does a comparison. I added display of the 2 compared
    values:

    csr.subject [["C", "US", 19], ["O", "local", 12], ["OU", "gusmac", 12]]
    @ca_config [["C", "US"], ["O", "local"], ["OU", "gusmac"]]


    They look awfully similar...
    Should the test be modified to succeed in this case?

    Guillaume.

    For reference:
    [gus@gusmac drbssl]$ cat qc_config
    full_hostname = `hostname`
    domainname = full_hostname.split('.')[1..-1].join('.')
    hostname = full_hostname.split('.')[0]

    CA[:hostname] = hostname
    CA[:domainname] = domainname
    CA[:CA_dir] = "CA"
    CA[:password] = '1234'

    CERTS << {
    :type => 'server',
    :hostname => 'localhost',
    :password => '5678',
    }

    CERTS << {
    :type => 'client',
    :user => 'username',
    :email => '',
    }
    [gus@gusmac drbssl]$ ruby -v
    ruby 1.8.1 (2004-04-27) [powerpc-darwin]
     
    Guillaume Marcais, May 9, 2004
    #1

  2. Hi,

    First of all, cheers for QuickCert and Eric. I wish I could introduce
    PKI, an authentication infrastructure, to the Ruby world easily.

    Guillaume Marcais wrote:
    > The offending line does a comparison. I added display of the 2 compared
    > values:
    >
    > csr.subject [["C", "US", 19], ["O", "local", 12], ["OU", "gusmac", 12]]
    > @ca_config [["C", "US"], ["O", "local"], ["OU", "gusmac"]]
    >
    >
    > They look awfully similar...
    > Should the test be modified to succeed in this case?


    Yes. But I recommend that you set @ca_config to the same as the name array of
    csr.subject, i.e. give 19 and 12s. 19 and 12 mean PRINTABLESTRING and
    UTF8STRING of ASN.1 respectively. Comparing different types of String is
    still unclear in the PKI world so it might cause a problem in the future.

    If you use the cert pair only for your SSL connection and don't have a
    plan to use it for another purpose, i.e. no interoperability needed with
    other PKI software, just ignore the following.

    For maximum interoperability, use PRINTABLESTRING for all DN components
    if you can. There is a lot of PKI software in the world that cannot
    handle UTF8String...

    @ca_config [["C", "US", OpenSSL::ASN1::PRINTABLESTRING], ...] might work
    though I haven't checked inside QuickCert yet. You must also modify
    gen_csr.rb in Ruby's distribution (does QuickCert directly include
    it?). Line

    name = X509::Name.parse(name_str)

    must be

    name = X509::Name.new([["C", "US", OpenSSL::ASN1::PRINTABLESTRING], ...])

    as the same.

    Regards,
    // NaHi
     
    NAKAMURA, Hiroshi, May 10, 2004
    #2
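
An added example (not part of the thread and not QuickCert's code) that reproduces the mismatch discussed above with Ruby's OpenSSL binding: `OpenSSL::X509::Name#to_a` returns each DN component with its ASN.1 string tag, so it never equals a list of plain attribute/value pairs. The helper names `build_name`, `dn_match_strict?` and `dn_match_loose?` are hypothetical, and the DN values are the ones shown in the thread.

```ruby
require 'openssl'

# Constructed sample: the DN components shown in the thread, without type tags.
PAIRS = [["C", "US"], ["O", "local"], ["OU", "gusmac"]].freeze

# Hypothetical helper: build a name forcing one ASN.1 string type on every component.
def build_name(pairs, type)
  OpenSSL::X509::Name.new(pairs.map { |attr, value| [attr, value, type] })
end

# Strict check: attribute, value and ASN.1 tag must all agree.
def dn_match_strict?(name, expected_triples)
  name.to_a == expected_triples
end

# Loose check: drop the tag and compare attribute/value pairs only.
def dn_match_loose?(name, expected_pairs)
  name.to_a.map { |attr, value, _type| [attr, value] } == expected_pairs
end

# With no explicit type, Name.new falls back to its per-attribute template:
# PRINTABLESTRING (19) for C, UTF8STRING (12) for O and OU.
DEFAULT_NAME   = OpenSSL::X509::Name.new(PAIRS)
PRINTABLE_NAME = build_name(PAIRS, OpenSSL::ASN1::PRINTABLESTRING)

if __FILE__ == $0
  p DEFAULT_NAME.to_a
  p PRINTABLE_NAME.to_a
  puts "pairs == triples (the thread's comparison): #{DEFAULT_NAME.to_a == PAIRS}"
  puts "loose match on attribute/value only: #{dn_match_loose?(DEFAULT_NAME, PAIRS)}"
  puts "DER identical across string types: #{DEFAULT_NAME.to_der == PRINTABLE_NAME.to_der}"
end
```

The two names carry the same attribute values but encode to different DER bytes, which is why a CA-side DN check has to decide explicitly whether the string type is part of the match.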