Lutz Jaenicke wrote:
>
> On Fri, Apr 26, 2002 at 12:38:05PM +0200, Robert Joop wrote:
> > `x509 -noout -text` prints inconsistent output.
> >
> > ...> openssl x509 -noout -text -in old.pem | grep Issuer:
> >         Issuer: [EMAIL PROTECTED], CN=CA UCO, O=Universidad de Cordoba, C=ES
> > ...> openssl x509 -noout -text -in new.pem | grep Issuer:
> >         Issuer: C=ES, O=Universidad de Cordoba, CN=AC [EMAIL PROTECTED]
> >
> > see the "/" that magically appears, instead of a ", "?
> > i found the place that does this magic and commented it out:
> >
> > ...> openssl x509 -noout -text -in old.pem | grep Issuer:
> >         Issuer: [EMAIL PROTECTED], CN=CA UCO, O=Universidad de Cordoba, C=ES
> > ...> openssl x509 -noout -text -in new.pem | grep Issuer:
> >         Issuer: C=ES, O=Universidad de Cordoba, CN=AC UCO, [EMAIL PROTECTED]
> >
> > it does it because the type "emailAddress" starts lower case!
>
> Your analysis is technically correct. If the object name is starting with
> an uppercase letter, the "/" is replaced with the ", ", otherwise it is
> not.
> However: the section you are essentially removing (by commenting out)
> may be there for a reason. I have not used this functionality myself,
> so I don't know why this distinction is made. Therefore I am reluctant
> to touch it. Steve, could you kindly have a look into this?
>

By default the code ultimately uses the old X509_NAME_print function to
display DNs. This results in the weirdness mentioned and all manner of
odd output if the DN contains things like BMPStrings.

X509_NAME_print is only retained for compatibility. Changing it might do
odd things if anyone parses or hashes its output for some reason: that
isn't advisable but something might.

If appropriate flags are passed to the X509_print_ex function then much
more sensible output is produced using the X509_NAME_print_ex function.
The -nameopt option can be used for this (see manual page): -nameopt
oneline is a good place to start.

I'd say that X509_NAME_print shouldn't be touched because new code
should call X509_NAME_print_ex(). However a new FAQ entry might be in
order or possibly changing the default display options so that the old
behaviour is no longer the default and adding a "-nameopt old" option is
explicitly needed instead.

Steve.
--
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
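
The separator rule discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL source: it models the rule as Lutz states it and shows why output in this style is unsafe to parse, since the number of ", " separated fields no longer matches the number of DN attributes. The names `legacy_format` and `count_attributes` and the sample DN (with a placeholder address) are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample in "/type=value" form; the address is a placeholder. */
static const char SAMPLE_DN[] =
    "/C=ES/O=Universidad de Cordoba/CN=AC UCO/emailAddress=ca@example.invalid";
/* Model of the rule as stated in the thread (not OpenSSL source): a '/'
 * becomes ", " only when the next attribute name starts with an uppercase
 * letter. Returns the number of ", " written, or -1 if out is too small. */
int legacy_format(const char *oneline, char *out, size_t outlen)
{
    size_t o = 0;
    int seps = 0;
    const char *s = (*oneline == '/') ? oneline + 1 : oneline;
    if (outlen == 0)
        return -1;
    for (; *s != '\0'; s++) {
        int split = (*s == '/' && isupper((unsigned char)s[1]));
        if (o + (split ? 2 : 1) >= outlen)
            return -1;
        if (split) {
            out[o++] = ',';
            out[o++] = ' ';
            seps++;
        } else {
            out[o++] = *s;
        }
    }
    out[o] = '\0';
    return seps;
}

/* Attribute count of the "/type=value" form, assuming no '/' inside values. */
int count_attributes(const char *oneline)
{
    int n = 0;
    for (; *oneline != '\0'; oneline++)
        n += (*oneline == '/');
    return n;
}

int main(void)
{
    char buf[256];
    int seps = legacy_format(SAMPLE_DN, buf, sizeof buf);
    printf("%s\nattributes=%d, \", \"-separated fields=%d\n",
           buf, count_attributes(SAMPLE_DN), seps + 1);
    return 0;
}
```

A consumer that splits this output on ", " sees three fields for a four-attribute DN, with the e-mail attribute folded into the CN value.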
