Oliver King wrote:
>
> Hi,
>
> We'd like to submit the following patch to OpenSSL, which allows you to
> specify the directoryName format for X509v3 extensions such as
> subjectAltName, crlDistributionPoints, etc. It parses RFC2253-style
> distinguished names, so you can specify something like the following in your
> openssl.cnf:
>
Thanks, a couple of issues.
RFC2253 specifies UTF8 for the field values so this needs to be reflected
in X509_NAME_add_entry_by_txt(). Also it doesn't seem to understand the
#XXXX form of DER dump.
Can you explain the comment:
+ /*
+ * Now reverse the order of the entries in the X509_NAME
structure,
so
+ * that the ordering agrees with X.501 (i.e. opposite to
RFC2253).
We
+ * can't construct the list of entries backwards in the first
place,
+ * because the logic in X509_NAME_add_entry() doesn't allow us
to
set up
+ * 'set' correctly for each entry.
+ */
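Review bot: the comment justifies building the entry list forward and reversing it afterwards by a limitation of X509_NAME_add_entry() without saying what that limitation is; state which case fails when entries are added at the front (what value of 'set' cannot be produced), so the workaround can be removed once the function is fixed, as the reply suggests. The comment should also say that the reversal is done per RDN rather than per entry: the members of a multi-valued RDN (joined by '+' in RFC2253) must keep a common 'set' value and their relative order after the reversal, otherwise the reversed X509_NAME encodes a different name.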
which appears in the patch? If the X509_NAME_add_entry() logic is amiss
that can be fixed at some point.
There is however a nastier issue which has so far prevented me from
adding something like this myself. The CONF code itself handles certain
kinds of quoting and escaping. This effectively strips out certain
characters such as ", ' and \ . This totally messes up RFC2253 format
DNs and AFAICS can't be fixed without major surgery to the CONF library.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
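The parsing rules discussed above, as an added example that is not part of the thread, the submitted patch or OpenSSL: a stand-alone Python parser for RFC 2253 DN strings that decodes backslash escapes into UTF-8 octets, keeps '#hex' values as raw DER, splits '+' multi-valued RDNs, and then reverses the RDN list into X.501 order with a per-entry 'set' number the way X509_NAME stores its entries. The names parse_rfc2253, to_x501_entries and AVA are this example's own, SAMPLE_DN is constructed, and the quoted-string form that RFC 2253 accepts on input is not handled.

```python
from __future__ import annotations
from dataclasses import dataclass

SPECIALS = set(',=+<>#;"\\')   # characters that need a backslash in a value (RFC 2253 2.4)
HEX = set("0123456789abcdefABCDEF")

@dataclass(frozen=True)
class AVA:
    """One type=value pair: UTF-8 octets, or raw DER when written in the '#hex' form."""
    attr_type: str
    value: bytes
    der: bool = False

def _hexpair(s: str, i: int) -> bytes:
    pair = s[i:i + 2]
    if len(pair) != 2 or not set(pair) <= HEX:
        raise ValueError(f"bad hex pair at offset {i}")
    return bytes.fromhex(pair)

def _escaped(s: str, i: int) -> tuple[bytes, int]:
    """Decode the escape whose backslash sits at s[i-1]; return (octets, next index)."""
    if i >= len(s):
        raise ValueError("dangling backslash")
    if s[i] in SPECIALS or s[i] == " ":
        return s[i].encode("utf-8"), i + 1
    return _hexpair(s, i), i + 2          # \XX is one raw UTF-8 octet, not a code point

def _skip_spaces(s: str, i: int) -> int:
    while i < len(s) and s[i] == " ":
        i += 1
    return i

def _parse_type(s: str, i: int) -> tuple[str, int]:
    start = i = _skip_spaces(s, i)
    while i < len(s) and (s[i].isalnum() or s[i] in ".-"):
        i += 1
    attr_type = s[start:i]
    i = _skip_spaces(s, i)
    if not attr_type or i >= len(s) or s[i] != "=":
        raise ValueError(f"expected 'type=' at offset {start}")
    return attr_type, i + 1

def _parse_value(s: str, i: int) -> tuple[bytes, bool, int]:
    i = _skip_spaces(s, i)
    out = bytearray()
    if i < len(s) and s[i] == "#":        # '#hex' form: DER-encoded value, kept verbatim
        i += 1
        while i < len(s) and s[i] not in ",;+":
            out += _hexpair(s, i)
            i += 2
        if not out:
            raise ValueError("empty #hex value")
        return bytes(out), True, i
    trailing = 0                          # unescaped trailing spaces are not part of the value
    while i < len(s) and s[i] not in ",;+":
        if s[i] == "\\":
            octets, i = _escaped(s, i + 1)
            out += octets
            trailing = 0
        else:
            trailing = trailing + 1 if s[i] == " " else 0
            out += s[i].encode("utf-8")
            i += 1
    if trailing:
        del out[-trailing:]
    return bytes(out), False, i

def parse_rfc2253(dn: str) -> list[list[AVA]]:
    """Split a DN string into RDNs in RFC 2253 order (most specific first).
    Each RDN is a list of AVAs; '+' joins the members of a multi-valued RDN."""
    rdns, rdn, i = [], [], 0
    if not dn.strip():
        return rdns                       # the empty DN is a valid, empty sequence
    while True:
        attr_type, i = _parse_type(dn, i)
        value, der, i = _parse_value(dn, i)
        rdn.append(AVA(attr_type, value, der))
        if i >= len(dn):
            rdns.append(rdn)
            return rdns
        sep, i = dn[i], i + 1             # one of , ; +
        if sep != "+":
            rdns.append(rdn)
            rdn = []

def to_x501_entries(rdns: list[list[AVA]]) -> list[tuple[int, str, bytes, bool]]:
    """Reverse into X.501 order (most general first) and tag each entry with the
    'set' it belongs to, as X509_NAME stores it. Members of one multi-valued RDN
    keep a common set number, so the reversal is per RDN, not per entry."""
    return [(set_no, a.attr_type, a.value, a.der)
            for set_no, rdn in enumerate(reversed(rdns)) for a in rdn]

# Constructed sample: escaped comma, '+' multi-valued RDN, \XX UTF-8 octets, '#hex' DER.
SAMPLE_DN = r"CN=Smith\, John+UID=jsmith,OU=Caf\C3\A9,1.3.6.1.4.1.1466.0=#04024869,C=US"

if __name__ == "__main__":
    for set_no, t, v, der in to_x501_entries(parse_rfc2253(SAMPLE_DN)):
        print(set_no, t, "#" + v.hex() if der else v.decode("utf-8"))
```

Running the module prints the X.501-ordered entries of SAMPLE_DN with their set numbers (C first, the CN and UID entries last and sharing one set). Feeding it the same string with the backslashes removed, which is the effect the reply attributes to the CONF layer, fails with a ValueError: "Smith\, John" has turned into two RDNs and the second one, " John", has no '=', which is exactly the corruption described.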