I am attempting to generate a self-signed cert with a SubjectAltName of type DirName. Other types of SubjectAltName like DNS work just fine, but DirName will not work. The code to reproduce fairly simple (python 3.8.5)
import string
from OpenSSL import crypto
def _create_csr():
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, 2048)
csr = crypto.X509Req()
csr.set_pubkey(key)
works = "DNS:abc.xyz"
fails = "dirName:MyGeneratedCert"
csr.add_extensions([crypto.X509Extension(b"subjectAltName", False, fails.encode("ascii"))])
csr.sign(key, "sha256")
if __name__=="__main__":
_create_csr()
The exception I am receiving is as the following
Traceback (most recent call last):
File "tests/createcert.py", line 16, in <module>
_create_csr()
File "tests/createcert.py", line 12, in _create_csr
csr.add_extensions([crypto.X509Extension(b"subjectAltName", False, fails.encode("ascii"))])
File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 779, in __init__
_raise_current_error()
File "/usr/lib/python3/dist-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.crypto.Error: [('X509 V3 routines', 'X509V3_get_section', 'operation not defined'), ('X509 V3 routines', 'do_dirname', 'section not found'), ('X509 V3 routines', 'a2i_GENERAL_NAME', 'dirname error'), ('X509 V3 routines', 'X509V3_EXT_nconf', 'error in extension')]
The call is making it into OpenSSL's do_dirname function (stack trace). I assume that the value is not being passed in in correct way, but I cannot understand how to pass it as desired.
Any help would be appreciated.
from How to generate self-signed cert using subjectAltName with dirName using OpenSSL?
No comments:
Post a Comment