Repost, it seems my contributions to openssl-* are redirected to /dev/null...
-- 
Erwann ABALEA <[EMAIL PROTECTED]> - RSA PGP Key ID: 0x2D0EABD5
-----
Me, I'd be happy to read the FAQs, but it's the same thing, I don't know where they are... Shouldn't there be a FAQ that says where the FAQs are?
-+- M.D. in Guide du Neuneu Usenet: Where are the FAAAAQs -+-

---------- Forwarded message ----------
Date: Tue, 1 Jun 2004 11:14:22 +0200 (CEST)
From: Erwann Abalea <[EMAIL PROTECTED]>
To: OpenSSL Users Mailing List <[EMAIL PROTECTED]>
Subject: OpenSSL can't store and generate some valid DN

Hi,

I was looking at RFC3739 for Qualified Certificates and the changes from RFC3039, and noticed (among other things) that the example certificate changed. This one has something tricky that OpenSSL can properly decode but not store nor output. It's about the fact that an RDN can have a multiple number of AttributeTypeAndValue (according to the RFC3280 terminology).

Take as an example the certificate found in RFC3739:

The subject of this certificate has 3 RDNs, and the last one has 2 "AttributeTypeAndValue" fields. When OpenSSL reads this certificate, it stores the subject as a sequence of 4 RDNs, each one having only one AttributeTypeAndValue field. When you store it back, the certificate has changed, of course, and that is Bad (tm).

I have yet to understand what such RDNs could be useful for (I guess I'll have to dig into strange parts of X.501 and X.520, and I'm sure I'll lose several mental health points in the process), but since these constructions are valid ones (and according to the ASN.1 definition of a DistinguishedName, they are), OpenSSL should be able to correctly represent them in memory.

I suspect this correction will have some impact on the code... :(

Good luck.

-- 
Erwann ABALEA <[EMAIL PROTECTED]> - RSA PGP Key ID: 0x2D0EABD5

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
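The representation problem described in the post, as an added example that is not part of the original message or of OpenSSL: a small pure-Python DER codec for an X.501 Name, run over a constructed subject modelled on the RFC 3739 example (givenName and surname together in one RDN). A faithful decoder keeps the 3 RDNs and re-encodes to the same DER bytes; a decoder that flattens every AttributeTypeAndValue into its own RDN, as the post says OpenSSL did, yields 4 RDNs and different bytes. All attribute values are encoded as UTF8String for brevity, and the sample DN and its values are constructed here, not extracted from the certificate.

```python
# Added example, not from the post or from OpenSSL: a minimal DER codec for
# Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value UTF8String }, to show
# why flattening a multi-valued RDN (a SET with >1 member) is lossy.
def _tlv(tag, body):  # DER TLV; long-form length from 128 content bytes up
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body
def _children(body):  # split a constructed value into (tag, contents) pairs
    pos, out = 0, []
    while pos < len(body):
        tag, ln, pos = body[pos], body[pos + 1], pos + 2
        if ln & 0x80:  # long form: low 7 bits = number of length octets
            k = ln & 0x7F
            ln, pos = int.from_bytes(body[pos:pos + k], "big"), pos + k
        out.append((tag, body[pos:pos + ln]))
        pos += ln
    return out
def _enc_oid(dotted):  # base-128 arcs, continuation bit on all but the last
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        sep = [(a >> s) & 0x7F for s in range(0, max(a.bit_length(), 1), 7)][::-1]
        out += [0x80 | s for s in sep[:-1]] + sep[-1:]
    return _tlv(0x06, bytes(out))
def _dec_oid(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80: arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))

def encode_name(rdns):  # rdns: list of RDNs, each a list of (dotted OID, text)
    return _tlv(0x30, b"".join(_tlv(0x31, b"".join(sorted(  # DER sorts SET OF
        _tlv(0x30, _enc_oid(o) + _tlv(0x0C, v.encode())) for o, v in rdn)))
        for rdn in rdns))

def decode_name(der, flatten=False):
    # flatten=True mimics the lossy behaviour the post describes: one RDN per AVA
    rdns = []
    for _, rdn in _children(_children(der)[0][1]):
        avas = [(_dec_oid(c[0][1]), c[1][1].decode())
                for c in (_children(seq) for _, seq in _children(rdn))]
        rdns += [[a] for a in avas] if flatten else [avas]
    return rdns

def round_trip_ok(rdns, flatten=False):  # does decode -> encode give the same DER?
    return encode_name(decode_name(encode_name(rdns), flatten)) == encode_name(rdns)
# Constructed sample after the RFC 3739 example subject: three RDNs, the last
# one multi-valued (givenName 2.5.4.42 + surname 2.5.4.4).
SUBJECT = [[("2.5.4.6", "DE")], [("2.5.4.10", "GMD Forschungszentrum Informationstechnik GmbH")],
           [("2.5.4.42", "Petra"), ("2.5.4.4", "Barzin")]]
```

`round_trip_ok(SUBJECT)` is True while `round_trip_ok(SUBJECT, flatten=True)` is False, which is exactly the "store it back and the certificate has changed" symptom.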