From 703126f027b62b382379d276cd1cf8b174aa5d23 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Mon, 17 May 1999 20:05:36 +0000 Subject: [PATCH] Various clarifications to extension docs: change the name of literal extensions from RAW to DER to avoid confusion with raw extensions. Update NEWS file. --- NEWS | 8 +++++--- crypto/x509v3/v3_conf.c | 2 +- doc/openssl.txt | 32 +++++++++++++++++++------------- 3 files changed, 25 insertions(+), 17 deletions(-) diff --git a/NEWS b/NEWS index 5369b7061a..5f7ac6933b 100644 --- a/NEWS +++ b/NEWS @@ -8,12 +8,14 @@ Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3: o Lots of enhancements and cleanups to the Configuration mechanism o RSA OEAP related fixes - o Support for PKCS#5 v2.0 ASN1 PBES2 structures o Added `openssl ca -revoke' option for revoking a certificate o Source cleanups: const correctness, type-safe stacks and ASN.1 SETs o Source tree cleanups: removed lots of obsolete files - o Support for Thawte SXNet extensions - o Full integration of PKCS#12 support + o Thawte SXNet, certificate policies and CRL distribution points + extension support + o Preliminary (experimental) S/MIME support + o Support for ASN.1 UTF8String and VisibleString + o Full integration of PKCS#12 code o Sparc assembler bignum implementation, optimized hash functions Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b: diff --git a/crypto/x509v3/v3_conf.c b/crypto/x509v3/v3_conf.c index 91cc7ebfaa..aca8ff1f08 100644 --- a/crypto/x509v3/v3_conf.c +++ b/crypto/x509v3/v3_conf.c @@ -212,7 +212,7 @@ static int v3_check_critical(char **value) static int v3_check_generic(char **value) { char *p = *value; - if((strlen(p) < 4) || strncmp(p, "RAW:,", 4)) return 0; + if((strlen(p) < 4) || strncmp(p, "DER:,", 4)) return 0; p+=4; while(isspace((unsigned char)*p)) p++; *value = p; diff --git a/doc/openssl.txt b/doc/openssl.txt index 527bd9722d..6acc126865 100644 --- a/doc/openssl.txt +++ b/doc/openssl.txt 
@@ -104,7 +104,7 @@ extensions. In this case a line with: extensions = extension_section -in the nameless (default) section is used. If no such line is include then +in the nameless (default) section is used. If no such line is included then it uses the default section. You can also add extensions to CRLs: a line @@ -141,11 +141,11 @@ reject it as invalid. Some broken software will reject certificates which have *any* critical extensions (these violates PKIX but we have to live with it). -There are three main types of extension, string extensions, multi valued +There are three main types of extension: string extensions, multi valued extensions, and raw extensions. -String extensions simply have a string which defines the value of the or how -it is obtained. +String extensions simply have a string which contains either the value itself +or how it is obtained. For example: 
@@ -182,19 +182,25 @@ email.2=steve@there This is because the configuration file code cannot handle the same name occurring twice in the same extension. -Raw extensions allow arbitrary data to be placed in an extension. For -example +The syntax of raw extensions is governed by the extension code: it can +for example contain data in multiple sections. The correct syntax to +use is defined by the extension code itself: check out the certificate +policies extension for an example. -1.2.3.4=critical,RAW:01:02:03:04 -1.2.3.4=RAW:01020304 +In addition it is also possible to use the word DER to include arbitrary +data in any extension. -The value following RAW is a hex dump of the extension contents. Any extension -can be placed in this form to override the default behaviour. For example: +1.2.3.4=critical,DER:01:02:03:04 +1.2.3.4=DER:01020304 -basicConstraints=critical,RAW:00:01:02:03 +The value following DER is a hex dump of the DER encoding of the extension +Any extension can be placed in this form to override the default behaviour. +For example: + +basicConstraints=critical,DER:00:01:02:03 -WARNING: raw extensions should be used with caution. It is possible to create -totally invalid extensions unless care is taken. +WARNING: DER should be used with caution. It is possible to create totally +invalid extensions unless care is taken. CURRENTLY SUPPORTED EXTENSIONS. -- 2.25.1
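Review bot: the NEWS hunk removes the line `o Support for PKCS#5 v2.0 ASN1 PBES2 structures` but the commit message only says "Update NEWS file" and does not explain why that entry goes away; if PBES2 support is still part of the 0.9.3 release the bullet should stay (or be folded into another one), and if it was pulled on purpose the message should say so, since NEWS is the list users read to learn what changed between versions.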
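Review bot: in `v3_check_generic` the replacement literal `"DER:,"` still carries a trailing comma that the four-byte compare `strncmp(p, "DER:,", 4)` never looks at, so the comma is dead text that suggests the caller must write `DER:,`; writing the literal as `"DER:"` says what is actually matched and keeps the prefix length, the `strlen(p) < 4` guard and the `p+=4` advance visibly in step. The compare is also case-sensitive, so a config line using `der:` silently falls through to the ordinary per-extension parser rather than being treated as literal DER; if that is intended it is worth a sentence in doc/openssl.txt.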
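Review bot: the new doc sentence `The value following DER is a hex dump of the DER encoding of the extension` is missing its terminating period before `Any extension can be placed in this form ...`, so the two run together. Also, the example values `DER:01:02:03:04`, `DER:01020304` and `basicConstraints=critical,DER:00:01:02:03` are not the DER encoding of any real extension value, and the paragraph immediately below warns that DER can produce totally invalid extensions; stating that these byte strings are illustrative only, rather than a usable basicConstraints encoding, would stop readers copying them into a CA configuration as-is.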