On 02-04-29 10:33:10 CEST, Michael Bell wrote:
> I found a small problem with -nameopt RFC2253:
>
> The X509v3 Authority Key Identifier doesn't use -nameopt for DirName. Is
> this DN stored as a string?

it depends on what you mean by string.
it is stored as an OCTET STRING that contains an ASN.1 structure with
a SEQUENCE with a DN:

a certificate parsed with asn1parse:

[...]
512:d=4 hl=3 l= 199 cons: SEQUENCE
515:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
520:d=5 hl=3 l= 191 prim: OCTET STRING
[...]

same cert, asn1parse -strparse 520:

0:d=0 hl=3 l= 188 cons: SEQUENCE
3:d=1 hl=2 l= 20 prim: cont [ 0 ]
25:d=1 hl=3 l= 160 cons: cont [ 1 ]
28:d=2 hl=3 l= 157 cons: cont [ 4 ]
31:d=3 hl=3 l= 154 cons: SEQUENCE
34:d=4 hl=2 l= 11 cons: SET
36:d=5 hl=2 l= 9 cons: SEQUENCE
38:d=6 hl=2 l= 3 prim: OBJECT :countryName
43:d=6 hl=2 l= 2 prim: PRINTABLESTRING :DE
47:d=4 hl=2 l= 15 cons: SET
49:d=5 hl=2 l= 13 cons: SEQUENCE
51:d=6 hl=2 l= 3 prim: OBJECT :localityName
56:d=6 hl=2 l= 6 prim: PRINTABLESTRING :Berlin
[and so on...]

(and i guess this explains why it would make sense to pass the nameopt
flags into the extension code like steve wrote.)

rj

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
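
An added example, not part of the original message and not OpenSSL code: a small Python walker for the nesting the `-strparse 520` dump shows (SEQUENCE, cont [ 0 ] key identifier, cont [ 1 ] / cont [ 4 ] wrapping the DN), returning the DirName in RFC 2253 order. The function names, the 20-byte key identifier and the two-RDN sample are constructed for illustration; only single-byte tags and definite lengths are handled, and no RFC 2253 escaping is applied.

```python
# Added example: walk the DER inside the Authority Key Identifier OCTET STRING.
OIDS = {b"\x55\x04\x06": "C", b"\x55\x04\x07": "L"}  # only the attributes in the sample

def tlv(buf):  # yield (tag, value) per DER element; single-byte tags, definite lengths
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the number of length octets
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER element")
        yield tag, buf[pos:pos + length]
        pos += length

def dirname(name):  # DN SEQUENCE content -> RFC 2253 order (last RDN first), no escaping
    rdns = []
    for _, rdn_set in tlv(name):
        atvs = [list(tlv(atv)) for _, atv in tlv(rdn_set)]
        rdns.append("+".join(f"{OIDS.get(o, o.hex())}={s.decode()}"
                             for (_, o), (_, s) in atvs))
    return ",".join(reversed(rdns))

def aki_fields(octets):  # extension value -> (keyIdentifier hex, issuer DirName)
    keyid = dn = None
    (_, seq), = tlv(octets)                  # outer SEQUENCE
    for tag, val in tlv(seq):
        if tag == 0x80:                      # cont [ 0 ]: keyIdentifier
            keyid = val.hex()
        elif tag == 0xA1:                    # cont [ 1 ]: authorityCertIssuer
            for gtag, gval in tlv(val):
                if gtag == 0xA4:             # cont [ 4 ]: directoryName
                    (_, name), = tlv(gval)   # the DN's own SEQUENCE
                    dn = dirname(name)
    return keyid, dn

def der(tag, *parts):  # builder for the constructed sample; short-form lengths only
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample_rdn(attr, text):  # SET { SEQUENCE { OID 2.5.4.attr, PrintableString } }
    return der(0x31, der(0x30, der(0x06, bytes([0x55, 4, attr])), der(0x13, text)))

# Constructed sample: 20-byte key id, DirName with countryName DE, localityName Berlin
SAMPLE = der(0x30, der(0x80, bytes(range(20))),
             der(0xA1, der(0xA4, der(0x30, sample_rdn(6, b"DE"), sample_rdn(7, b"Berlin")))))
```

`aki_fields(SAMPLE)` returns the key identifier as hex and the issuer name as `L=Berlin,C=DE`; the SET and SEQUENCE lengths of the two sample RDNs (11/9 and 15/13) match the dump in the message.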