From dirkx at webweaving.org Mon Jan 6 00:24:46 2020
From: dirkx at webweaving.org (Dirk-Willem van Gulik)
Date: Mon, 6 Jan 2020 00:24:46 +0100
Subject: [rs-dev] CsrSubjectRequest with a wildcard
Message-ID: <9955277c-bd98-ae21-2a90-d3b2dfeaac8b@webweaving.org>

Graham,

With respect to:

    # use subject from the certificate sign request unmodified
    CsrSubjectRequest * 99

Two questions:

- We only look at the form 'subject-XX' values; not at the DN that is in the CSR itself? Correct? What was your thinking behind this?

- When using a wildcard - the default 'just take 1' is a bit funny; as you will often need to set -CN, -L, -C, etc. Would it make sense to interpret it as '1' per RN type in that specific case; so just one CN, one L?

Below my not quite right attempt to explain what is going on (pname is needed rather than name->name as the latter is NULL in this case (perhaps we should set it to *?)).

Dw.

Index: mod_csr.c
===================================================================
--- mod_csr.c	(revision 201)
+++ mod_csr.c	(working copy)
@@ -572,8 +575,8 @@
                             if (count <= 0) {
                                 log_message(r, APR_SUCCESS,
                                         apr_psprintf(r->pool,
-                                                "Subject name '%s' cannot be inserted into certificate more than %d times.",
-                                                name->name, name->limit));
+                                                "Subject name '%s' cannot be inserted into certificate more than %d times%s.",
+                                                pname, name->limit, (name->nid) ? "" : " (across all wildcard matches)"));
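Review bot: the wildcard test `(name->nid) ? "" : " (across all wildcard matches)"` in the added `+` lines relies on the wildcard entry being the only one whose nid is 0; comparing against `NID_undef` explicitly, or keeping a dedicated is-wildcard flag on the entry, would make that intent visible to a reader who does not know OpenSSL's `NID_undef` is 0. Also, the cover note says `name->name` is NULL for this entry, which is why `pname` is substituted here; setting `name->name` to `"*"` when the directive is parsed (as the note itself suggests) would let this log message and every other consumer use `name->name` directly, and until then a `pname ? pname : "*"` guard keeps the message meaningful if `pname` is ever NULL on this path.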
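The second question above is about which budget a wildcard limit draws on: one shared count across every RDN the `*` matched (the current 'just take 1' reading, which the patch's log text also describes) or one count per RDN type. The following is an added illustration, not mod_csr's code or its configuration parser: it models a hypothetical `CsrSubjectRequest <type|*> <limit>` rule list over a constructed CSR subject and implements both readings side by side, so the effect of each on the same subject can be compared. The function names, the sample subject and the rule representation are assumptions of this example.

```python
from collections import Counter

# Constructed sample CSR subject as (RDN type, value) pairs, in CSR order.
SAMPLE_SUBJECT = [
    ("C", "NL"),
    ("O", "Example Corp"),
    ("OU", "Engineering"),
    ("OU", "Security"),
    ("L", "Leiden"),
    ("CN", "www.example.com"),
]


def apply_subject_rules(rdns, rules, per_type_wildcard=False):
    """Decide which RDNs from a CSR subject may be copied into the certificate.

    rules is an ordered list of (pattern, limit) tuples mirroring a
    hypothetical 'CsrSubjectRequest <type|*> <limit>' directive; the first
    rule whose pattern equals the RDN type or is '*' decides for that RDN.

    per_type_wildcard=False: a wildcard's limit is one budget shared by every
    RDN the wildcard matched ('* 1' keeps a single RDN of any type).
    per_type_wildcard=True:  the wildcard's limit applies per RDN type
    ('* 1' keeps one C, one L, one CN, ...), the reading proposed in the thread.

    Returns (kept, rejected); rejected entries carry the reason, worded like
    the log message in the patch.
    """
    counts = Counter()
    kept, rejected = [], []
    for rdn_type, value in rdns:
        rule = next((r for r in rules if r[0] in ("*", rdn_type)), None)
        if rule is None:
            rejected.append((rdn_type, value, "no CsrSubjectRequest rule matches"))
            continue
        pattern, limit = rule
        # Budget key: explicit rules always count per type; a wildcard rule
        # counts per type only under the per-type reading.
        key = rdn_type if (pattern != "*" or per_type_wildcard) else "*"
        if counts[key] >= limit:
            scope = " (across all wildcard matches)" if key == "*" else ""
            rejected.append((rdn_type, value,
                             f"Subject name '{pattern}' cannot be inserted into "
                             f"certificate more than {limit} times{scope}."))
            continue
        counts[key] += 1
        kept.append((rdn_type, value))
    return kept, rejected


def kept_types(rdns, rules, per_type_wildcard=False):
    """Convenience: just the RDN types that survived, in order."""
    kept, _ = apply_subject_rules(rdns, rules, per_type_wildcard)
    return [t for t, _ in kept]


if __name__ == "__main__":
    for per_type in (False, True):
        kept, rejected = apply_subject_rules(SAMPLE_SUBJECT, [("*", 1)], per_type)
        print(f"per_type_wildcard={per_type}: kept {kept}")
        for rdn_type, value, why in rejected:
            print(f"  dropped {rdn_type}={value}: {why}")
```

With `CsrSubjectRequest * 1` the shared-budget reading keeps only the first RDN (`C`) and drops the rest with the wildcard-scoped message, while the per-type reading keeps one of each type and drops only the second `OU`; an explicit `CN 1` or `OU 2` rule listed before the wildcard is consulted first and counts per type under both readings.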
From: dirkx at webweaving.org (Dirk-Willem van Gulik)
Date: Wed, 8 Jan 2020 12:03:47 +0100
Subject: [rs-dev] Redwax went into NixOS
Message-ID: <02A7D112-2B2D-48C0-A267-E185363E0E11@webweaving.org>

Some progress:

https://github.com/NixOS/nixpkgs/commit/e9d3a3c7d8036bd71bbf33e3ff1b0d0cac32816a

Merge pull request #76417 from dirkx/redwax-modules: mod_ca, mod_crl, mod_csr, mod_ocsp, mod_scep, mod_pkcs12, mod_spkac, mod_timestamp: init at 0.2.1.

So with the BSD work and Graham's Linux packages for Ubuntu, Fedora & working OSX we're well on track there.

So I guess we can do several things in parallel now:

- Prod & wait for the openssl fixes to go through.
- and then do upstream fixes.
- Add to nixos a bunch of test cases (like https://github.com/NixOS/nixpkgs/compare/master...aanderse:redwax#diff-e030b1277ef566d85a9078c6c6b473bb) for the other modules. I have all of those now as scripts (except for SCEP).

Thanks,

Dw

From: dirkx at webweaving.org (Dirk-Willem van Gulik)
Date: Fri, 10 Jan 2020 06:20:16 +0100
Subject: [rs-dev] IANA enterprise number
Message-ID:

Graham,

IANA reacted swiftly. We now have an enterprise prefix for the RedWax project:

    1.3.6.1.4.1.55101

I'll use:

    1.3.6.1.4.1.55101.9999

as an `internal' number to put into the various places where we need demo OIDs (e.g. for the Time Stamp policy). As I found that Adobe reacts funny on 1.2.3.4.

Dw
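The last message above allocates the project's OIDs under the IANA private-enterprise arc. As an added illustration, not RedWax code, the block below goes slightly beyond the message: it DER-encodes dotted OIDs (the form in which a time-stamp policy OID actually appears in a token) and decodes them back, and it checks, arc by arc rather than by string prefix, that a given OID sits under the project's enterprise arc or its demo sub-arc. The enterprise number and the `.9999` sub-arc are taken from the message; the helper names are assumptions of this example.

```python
# Added illustration, not RedWax code: DER encoding/decoding of dotted OIDs
# and a whole-arc prefix check for the project's arcs from the thread.

REDWAX_ENTERPRISE_ARC = "1.3.6.1.4.1.55101"          # from the thread
REDWAX_DEMO_ARC = REDWAX_ENTERPRISE_ARC + ".9999"    # from the thread
IANA_PRIVATE_ENTERPRISE_ARC = "1.3.6.1.4.1"          # iso.org.dod.internet.private.enterprise


def _encode_subidentifier(n):
    """Base-128, big-endian, high bit set on every byte but the last (X.690 8.19)."""
    if n < 0:
        raise ValueError("sub-identifier must be non-negative")
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def oid_to_der(dotted):
    """Encode 'a.b.c...' as a DER OBJECT IDENTIFIER TLV (short-form length only)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: " + dotted)
    body = _encode_subidentifier(arcs[0] * 40 + arcs[1])   # first two arcs share one sub-identifier
    for arc in arcs[2:]:
        body += _encode_subidentifier(arc)
    if len(body) > 127:
        raise ValueError("OID too long for short-form length")
    return bytes([0x06, len(body)]) + body


def der_to_oid(der):
    """Inverse of oid_to_der; rejects non-minimal (0x80-padded) sub-identifiers."""
    if len(der) < 3 or der[0] != 0x06 or der[1] > 127 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER OBJECT IDENTIFIER")
    body = der[2:]
    subids, n, at_start = [], 0, True
    for b in body:
        if at_start and b == 0x80:
            raise ValueError("non-minimal sub-identifier encoding")
        n = (n << 7) | (b & 0x7F)
        at_start = not (b & 0x80)   # a clear high bit ends the sub-identifier
        if at_start:
            subids.append(n)
            n = 0
    if not at_start:
        raise ValueError("truncated sub-identifier")
    first = subids[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


def is_under_arc(oid, arc):
    """True when oid lies strictly below arc, comparing whole arcs so that
    1.3.6.1.4.1.551010 is not mistaken for a child of 1.3.6.1.4.1.55101."""
    oid_arcs, arc_arcs = oid.split("."), arc.split(".")
    return len(oid_arcs) > len(arc_arcs) and oid_arcs[:len(arc_arcs)] == arc_arcs


if __name__ == "__main__":
    der = oid_to_der(REDWAX_DEMO_ARC)
    print(REDWAX_DEMO_ARC, "->", der.hex(), "->", der_to_oid(der))
    print("demo arc under enterprise arc:", is_under_arc(REDWAX_DEMO_ARC, REDWAX_ENTERPRISE_ARC))
```

The enterprise number 55101 needs three base-128 bytes (`83 ae 3d`) and the demo sub-arc 9999 two (`ce 0f`), so the full demo arc encodes as `06 0a 2b 06 01 04 01 83 ae 3d ce 0f`; a policy OID that a verifier should accept as "ours" is one for which `is_under_arc(oid, REDWAX_DEMO_ARC)` holds, rather than one whose dotted string merely starts with the same characters.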