Closed BrianSipos closed 2 years ago
@BrianSipos thanks for your help on this. This issue should now be resolved with the merge of branch '70-tcpclv4-draft-to-rfc-updates'. Just FYI, for now we support both the new RFC authentication method and the old draft authentication method. The old draft authentication method prints out a warning to the user to update the certificates/keys.
The certificate profile in RFC 9174 changed from the earlier -26 draft in that the Subject Alternative Name changed from a URI to an otherName with ID 1.3.6.1.5.5.7.8.11 (id-on-bundleEID). To generate a CSR/certificate with this otherName form using OpenSSL, the syntax changes from

    subjectAltName = URI:ipn:10.0

to

    subjectAltName = otherName:1.3.6.1.5.5.7.8.11;IA5:ipn:10.0

The encoded form is still an IA5String. On the verifying side, the entity needs to match the otherName type and the specific id-on-bundleEID OID, then extract the IA5String value and compare it with the expected URI.
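A verifier-side sketch of the change described above, added here as an example and not code from the project or from either commenter: it builds both SAN forms in DER using only the Python standard library, then checks a peer's SAN the way the comment describes (match the otherName type and the id-on-bundleEID OID, unwrap the IA5String, compare with the expected EID), accepting the old draft URI form with a warning as the maintainer's comment says the project now does. The form labels and the `verify_peer_eid` helper are my own naming, not the project's.

```python
BUNDLE_EID_OID = bytes.fromhex("06082b0601050507080b")   # DER of 1.3.6.1.5.5.7.8.11 (id-on-bundleEID)

def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value; lengths up to 65535 bytes, plenty for a SAN extension."""
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + body

def bundle_eid_other_name(eid: str) -> bytes:
    """RFC 9174 form: otherName = [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT IA5String }."""
    return _tlv(0xA0, BUNDLE_EID_OID + _tlv(0xA0, _tlv(0x16, eid.encode("ascii"))))

def legacy_uri_name(eid: str) -> bytes:
    """Draft -26 form: uniformResourceIdentifier = [6] IMPLICIT IA5String."""
    return _tlv(0x86, eid.encode("ascii"))

def subject_alt_name(*names: bytes) -> bytes:
    """SubjectAltName extnValue: GeneralNames = SEQUENCE OF GeneralName."""
    return _tlv(0x30, b"".join(names))

def _read_tlv(buf: bytes, pos: int):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln        # (tag, contents, next offset)

def find_bundle_eids(san: bytes) -> list:
    """Collect (eid, form) for every SAN entry that carries a bundle EID, in either form."""
    tag, names, _ = _read_tlv(san, 0)
    found, pos = [], 0
    while tag == 0x30 and pos < len(names):
        tag_n, body, pos = _read_tlv(names, pos)
        if tag_n == 0x86:                           # old draft URI form
            found.append((body.decode("ascii"), "draft-uri"))
        elif tag_n == 0xA0:                         # otherName: match the OID before touching the value
            oid_tag, oid_body, p = _read_tlv(body, 0)
            if _tlv(oid_tag, oid_body) == BUNDLE_EID_OID:
                str_tag, value, _ = _read_tlv(_read_tlv(body, p)[1], 0)   # strip the [0] EXPLICIT wrapper
                if str_tag == 0x16:                 # value must be an IA5String
                    found.append((value.decode("ascii"), "rfc9174-othername"))
    return found

def verify_peer_eid(san: bytes, expected_eid: str):
    """Return (ok, warning): ok if any entry equals expected_eid; warn when only the draft form matched."""
    forms = {form for eid, form in find_bundle_eids(san) if eid == expected_eid}
    if not forms:
        return False, "no SAN entry matches " + expected_eid
    warn = None if "rfc9174-othername" in forms else "draft URI SAN form in use; update certificates/keys to RFC 9174"
    return True, warn
```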