QuickCert DN do not match

  • Thread starter Guillaume Marcais

Guillaume Marcais

When I run QuickCert, with the configuration file given on the web
site, I get:

[gus@gusmac drbssl]$ QuickCert
/usr/bin/QuickCert:234:in `sign_cert': DN does not match (RuntimeError)
from /usr/bin/QuickCert:82:in `create_cert'
from /usr/bin/QuickCert:352
from /usr/bin/QuickCert:351:in `each'
from /usr/bin/QuickCert:351

The offending line does a comparison. I added display of the 2 compared
values:

csr.subject [["C", "US", 19], ["O", "local", 12], ["OU", "gusmac", 12]]
@ca_config [["C", "US"], ["O", "local"], ["OU", "gusmac"]]


They look awfully similar...
Should the test be modified to succeed in this case?

Guillaume.

For reference:
[gus@gusmac drbssl]$ cat qc_config
full_hostname = `hostname`
domainname = full_hostname.split('.')[1..-1].join('.')
hostname = full_hostname.split('.')[0]

CA[:hostname] = hostname
CA[:domainname] = domainname
CA[:CA_dir] = "CA"
CA[:password] = '1234'

CERTS << {
:type => 'server',
:hostname => 'localhost',
:password => '5678',
}

CERTS << {
:type => 'client',
:user => 'username',
:email => '(e-mail address removed)',
}
[gus@gusmac drbssl]$ ruby -v
ruby 1.8.1 (2004-04-27) [powerpc-darwin]
 

NAKAMURA, Hiroshi

Hi,

First of all, cheers for QuickCert and Eric. I wish I could introduce
PKI, an authentication infrastructure, to the Ruby world easily.

Guillaume said:
The offending line does a comparison. I added display of the 2 compared
values:

csr.subject [["C", "US", 19], ["O", "local", 12], ["OU", "gusmac", 12]]
@ca_config [["C", "US"], ["O", "local"], ["OU", "gusmac"]]


They look awfully similar...
Should the test be modified to succeed in this case?

Yes. But I recommend that you set @ca_config to the same as the name array of
csr.subject, i.e. give the 19 and 12s. 19 and 12 mean PRINTABLESTRING and
UTF8STRING of ASN.1 respectively. Comparing different types of String is
still unclear in the PKI world, so it might cause a problem in the future.

If you use the cert pair only for your SSL connection and don't have a
plan to use it for another purpose, i.e. no interoperability needed with
other PKI software, just ignore the following.

For maximum interoperability, use PRINTABLESTRING for all DN components
if you can. There is a lot of PKI software that cannot handle UTF8String
in the world...

@ca_config [["C", "US", OpenSSL::ASN1::PRINTABLESTRING], ...] might work,
though I haven't checked inside QuickCert yet. You must also modify
gen_csr.rb in Ruby's distribution (does QuickCert directly include
it?). Line

name = X509::Name.parse(name_str)

must be

name = X509::Name.new([["C", "US", OpenSSL::ASN1::PRINTABLESTRING], ...])

in the same way.

Regards,
// NaHi
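
The mismatch discussed in this thread, reproduced with Ruby's openssl library as an added example (not part of the original posts and not QuickCert's code). The helper names `build_name`, `dn_pairs`, `same_dn_values?` and `string_types` are hypothetical, and the DN is a constructed sample using the values shown above.

```ruby
require 'openssl'

# Constructed sample: the [attribute, value] pairs from the thread's @ca_config.
DN_PAIRS = [["C", "US"], ["O", "local"], ["OU", "gusmac"]]

# Build a Name with one explicit ASN.1 string type for every component,
# instead of relying on the library's per-attribute defaults.
def build_name(pairs, type = OpenSSL::ASN1::PRINTABLESTRING)
  OpenSSL::X509::Name.new(pairs.map { |attr, value| [attr, value, type] })
end

# Name#to_a yields [attribute, value, asn1_type] triples; drop the type tag.
def dn_pairs(name)
  name.to_a.map { |attr, value, _type| [attr, value] }
end

# Compare attribute/value content only, ignoring the ASN.1 string type.
def same_dn_values?(name, pairs)
  dn_pairs(name) == pairs
end

# The ASN.1 type tag of each component (19 = PRINTABLESTRING, 12 = UTF8STRING).
def string_types(name)
  name.to_a.map { |_attr, _value, type| type }
end

if __FILE__ == $0
  default = OpenSSL::X509::Name.new(DN_PAIRS)   # library picks the types
  uniform = build_name(DN_PAIRS)                # PRINTABLESTRING throughout

  puts "default to_a:       #{default.to_a.inspect}"
  puts "to_a == pairs?      #{default.to_a == DN_PAIRS}"   # the thread's failing test
  puts "values match?       #{same_dn_values?(default, DN_PAIRS)}"
  puts "default types:      #{string_types(default).inspect}"
  puts "uniform types:      #{string_types(uniform).inspect}"
  # Same attributes and values, but the DER bytes differ because the type tags
  # differ. Software that compares encoded names byte-for-byte sees two DNs.
  puts "identical DER?      #{default.to_der == uniform.to_der}"
end
```
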
 
