提交 703126f0 编写于 作者: D Dr. Stephen Henson

Various clarifications to extension docs: change the name of literal

extensions from RAW to DER to avoid confusion with raw extensions.

Update NEWS file.
上级 2cf9fcda
......@@ -8,12 +8,14 @@
Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3:
o Lots of enhancements and cleanups to the Configuration mechanism
o RSA OEAP related fixes
o Support for PKCS#5 v2.0 ASN1 PBES2 structures
o Added `openssl ca -revoke' option for revoking a certificate
o Source cleanups: const correctness, type-safe stacks and ASN.1 SETs
o Source tree cleanups: removed lots of obsolete files
o Support for Thawte SXNet extensions
o Full integration of PKCS#12 support
o Thawte SXNet, certificate policies and CRL distribution points
extension support
o Preliminary (experimental) S/MIME support
o Support for ASN.1 UTF8String and VisibleString
o Full integration of PKCS#12 code
o Sparc assembler bignum implementation, optimized hash functions
Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b:
......
......@@ -212,7 +212,7 @@ static int v3_check_critical(char **value)
static int v3_check_generic(char **value)
{
char *p = *value;
if((strlen(p) < 4) || strncmp(p, "RAW:,", 4)) return 0;
if((strlen(p) < 4) || strncmp(p, "DER:,", 4)) return 0;
p+=4;
while(isspace((unsigned char)*p)) p++;
*value = p;
......
......@@ -104,7 +104,7 @@ extensions. In this case a line with:
extensions = extension_section
in the nameless (default) section is used. If no such line is include then
in the nameless (default) section is used. If no such line is included then
it uses the default section.
You can also add extensions to CRLs: a line
......@@ -141,11 +141,11 @@ reject it as invalid. Some broken software will reject certificates which
have *any* critical extensions (these violates PKIX but we have to live
with it).
There are three main types of extension, string extensions, multi valued
There are three main types of extension: string extensions, multi valued
extensions, and raw extensions.
String extensions simply have a string which defines the value of the or how
it is obtained.
String extensions simply have a string which contains either the value itself
or how it is obtained.
For example:
......@@ -182,19 +182,25 @@ email.2=steve@there
This is because the configuration file code cannot handle the same name
occurring twice in the same extension.
Raw extensions allow arbitrary data to be placed in an extension. For
example
The syntax of raw extensions is governed by the extension code: it can
for example contain data in multiple sections. The correct syntax to
use is defined by the extension code itself: check out the certificate
policies extension for an example.
1.2.3.4=critical,RAW:01:02:03:04
1.2.3.4=RAW:01020304
In addition it is also possible to use the word DER to include arbitrary
data in any extension.
The value following RAW is a hex dump of the extension contents. Any extension
can be placed in this form to override the default behaviour. For example:
1.2.3.4=critical,DER:01:02:03:04
1.2.3.4=DER:01020304
basicConstraints=critical,RAW:00:01:02:03
The value following DER is a hex dump of the DER encoding of the extension
Any extension can be placed in this form to override the default behaviour.
For example:
basicConstraints=critical,DER:00:01:02:03
WARNING: raw extensions should be used with caution. It is possible to create
totally invalid extensions unless care is taken.
WARNING: DER should be used with caution. It is possible to create totally
invalid extensions unless care is taken.
CURRENTLY SUPPORTED EXTENSIONS.
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册