Hi,
I have trouble verifying a PKCS#7 signedMessage because the order of the
DN attributes in the signerInfo is different from the order in the
certificate, i.e.
The cert contains: C=DE/O=Org/CN=Alice
The signer info has: CN=Alice/O=Org/C=DE
I found that the function
int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
will only find the names matching if the attribute order is identical.
It wouldn't be a big deal to make X509_NAME_cmp() more tolerant,
but since apparently nobody has had such a problem yet I'd like
to know if there is a specification somewhere that says something
like "Thou shalt not turn around the order of thy name attributes".
All I found was a statement that SEQUENCE OF is ordered
(distinguishedName is a SEQUENCE OF nameAttribute). But when I look
at an example certificate I can't see by what it is being ordered here:
SEQUENCE
  SET
    SEQUENCE
      OBJECT :countryName 2.5.4.6
      PRINTABLESTRING :DE
  SET
    SEQUENCE
      OBJECT :organizationName 2.5.4.10
      PRINTABLESTRING :Company
  SET
    SEQUENCE
      OBJECT :commonName 2.5.4.3
      PRINTABLESTRING :Demo CA
Can anyone bring some light into the darkness?
Thanks
Robert
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List
Automated List Manager
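A small model of the comparison in question, added here as an example and not OpenSSL code: a Name is represented the way the dump above shows it (SEQUENCE OF RDN, each RDN a SET OF attributes), with an order-sensitive check that behaves like X509_NAME_cmp() on the two DNs from the post next to an order-insensitive one. The helper names parse_oneline, strict_equal and tolerant_equal and the tiny OID table are assumptions of this example.

```python
from collections import Counter

# Constructed OID table for the three attribute types used in the post.
ATTR_OIDS = {"C": "2.5.4.6", "O": "2.5.4.10", "CN": "2.5.4.3"}


def parse_oneline(dn):
    """Parse the slash-separated form used in the post ('C=DE/O=Org/CN=Alice')
    into the ASN.1 shape: a list (SEQUENCE OF) of RDNs, each RDN a frozenset
    (SET OF) of (type-OID, value) pairs. A '+' inside one component joins
    several attributes into a multi-valued RDN."""
    rdns = []
    for rdn in dn.strip("/").split("/"):
        atvs = set()
        for atv in rdn.split("+"):
            typ, _, val = atv.partition("=")
            atvs.add((ATTR_OIDS[typ.strip()], val.strip()))
        rdns.append(frozenset(atvs))
    return rdns


def strict_equal(a, b):
    """Order-sensitive comparison, mirroring X509_NAME_cmp(): RDN i of a must
    equal RDN i of b. Attribute order *within* one RDN is irrelevant because
    an RDN is a SET OF (DER sorts it anyway)."""
    return parse_oneline(a) == parse_oneline(b)


def tolerant_equal(a, b):
    """Order-insensitive comparison: the same multiset of RDNs in any order.
    This deliberately loosens X.501, where a Name is an ordered SEQUENCE OF
    RDN, so treat it as a local policy decision rather than a drop-in fix."""
    return Counter(parse_oneline(a)) == Counter(parse_oneline(b))


if __name__ == "__main__":
    cert_dn = "C=DE/O=Org/CN=Alice"     # as in the certificate
    signer_dn = "CN=Alice/O=Org/C=DE"   # as in the signerInfo
    print("strict  :", strict_equal(cert_dn, signer_dn))    # False
    print("tolerant:", tolerant_equal(cert_dn, signer_dn))  # True
```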