On Thu, Jun 03, 2004, Erwann Abalea wrote:

> Hi,
>
> I was looking at the RFC3739 for Qualified Certificates and the changes
> with the RFC3039, and noticed (among other things) that the example
> certificate changed.

What makes you think it has changed?

> The subject of this certificate has 3 RDN, and the last one has 2
> "AttributeTypeAndValue" fields.
>
> When OpenSSL reads this certificate, it stores the subject as a sequence
> of 4 RDN, each one having only one AttributeTypeAndValue field. When you
> store it back, the certificate has changed, of course, and that is Bad
> (tm).

Well OpenSSL seems to recognize that DN properly. If you include:

-nameopt oneline

for example in the 'x509' command line it will correctly display the last
RDN.

If you look at the internals of how this is stored it does at first sight
appear to only store the lot in a single sequence. The structure used is an
X509_NAME which includes a STACK_OF(X509_NAME_ENTRY); however, each
X509_NAME_ENTRY has a field called 'set' which indicates which set the
AttributeTypeAndValue should be in.

OpenSSL won't normally re-encode DNs at all because it caches the original
encoding. If the DN is modified in some way it will of course be re-encoded
though.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
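Added example, not OpenSSL's code: a minimal Python model of the bookkeeping Steve describes. Every AttributeTypeAndValue carries a set index, as the X509_NAME_ENTRY 'set' field does, so a multi-valued RDN round-trips to identical DER, while flattened() shows what a parser that gives every AVA its own RDN would write back (a different subject encoding, hence different signed bytes). The sample DN is constructed and is not the RFC 3739 example; only short and long definite DER lengths are handled.

```python
def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def parse_name(der: bytes):
    """Flatten a Name into [(set_index, ava_der)], like STACK_OF(X509_NAME_ENTRY)."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    entries, pos, set_idx = [], 0, 0
    while pos < len(body):
        tag, rdn, pos = read_tlv(body, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        p = 0
        while p < len(rdn):            # each AVA remembers which SET it came from
            _, _, q = read_tlv(rdn, p)
            entries.append((set_idx, rdn[p:q]))
            p = q
        set_idx += 1
    return entries

def encode_name(entries) -> bytes:
    """Rebuild the Name; consecutive entries sharing a set index share one SET."""
    rdns = []
    for set_idx, ava in entries:
        if rdns and rdns[-1][0] == set_idx:
            rdns[-1][1] += ava
        else:
            rdns.append([set_idx, ava])
    return tlv(0x30, b"".join(tlv(0x31, body) for _, body in rdns))

def ava(oid: bytes, tag: int, value: str) -> bytes:
    return tlv(0x30, tlv(0x06, oid) + tlv(tag, value.encode()))

# Constructed sample DN: C=FR, O=Example, CN=Alice+serialNumber=1234 (3 RDNs, 4 AVAs).
NAME_DER = tlv(0x30,
    tlv(0x31, ava(b"\x55\x04\x06", 0x13, "FR")) +
    tlv(0x31, ava(b"\x55\x04\x0a", 0x0c, "Example")) +
    tlv(0x31, ava(b"\x55\x04\x05", 0x13, "1234") + ava(b"\x55\x04\x03", 0x0c, "Alice")))

def roundtrip_ok(der: bytes) -> bool:
    return encode_name(parse_name(der)) == der

def flattened(der: bytes) -> bytes:
    """What a parser that gives every AVA its own RDN would write back."""
    return encode_name([(i, a) for i, (_, a) in enumerate(parse_name(der))])
```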