Robert Eiglmaier wrote:
Hi,
I have trouble verifying a PKCS#7 signedMessage because the order of the
DN attributes in the signerInfo is different from the order in the
certificate.
i.e.
The cert contains: C=DE/O=Org/CN=Alice
The signer info has: CN=Alice/O=Org/C=DE
I found that the function
int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
will only find the names matching if the attribute order is identical.
It wouldn't be a big deal to make X509_NAME_cmp() more tolerant,
but since apparently nobody has had such a problem yet I'd like
to know if there is a specification somewhere that says something
like "Thou shalt not turn around the order of thy name attributes".
PKIX1 profile for X.509 certificates, as well as X.680 for ASN.1 SEQUENCE.
All I found was a statement, that SEQUENCE OF is ordered.
(distinguishedName is a SEQUENCE OF nameAttribute) But when I look
at an example Certificate I can't see by what it is being ordered here:
SEQUENCE
^^^^^^^^^^
this is a "SEQUENCE OF", not "SEQUENCE"
SET
SEQUENCE
OBJECT :countryName 2.5.4.6
PRINTABLESTRING :DE
SET
SEQUENCE
OBJECT :organizationName 2.5.4.10
PRINTABLESTRING :Company
SET
SEQUENCE
OBJECT :commonName 2.5.4.3
PRINTABLESTRING :Demo CA
Can anyone bring some light into the darkness?
They are an ordered SEQUENCE of unordered SETs, one SET for each element.
The order inside "SET OF" is not important, but there is exactly
one element in each SET OF.
However, the order inside "SEQUENCE OF" is important. And
the order is the order of display, i.e. DE/Company/Demo CA.
--
Lev Walkin
[EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
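The structure Lev describes, as an added example that is not code from this thread or from OpenSSL: a minimal, stdlib-only DER encoder and decoder for an X.501 Name, restricted to the three attribute types in the dump (C, O, CN with PrintableString values), with the two names from Robert's question constructed inline. It shows that the two names are different DER byte strings, that an order-sensitive compare (what X509_NAME_cmp() does, and what the PKIX name-matching rule in RFC 5280 section 7.1 requires: matching RDNs must appear in the same order) rejects them, and what the relaxed, order-insensitive compare the poster considered would return instead. The function and constant names are this example's own.

```python
"""Minimal DER encoder/decoder for an X.501 Name (added example; not from the
thread or from OpenSSL).  A Name is SEQUENCE OF RelativeDistinguishedName, each
RDN is SET OF AttributeTypeAndValue; as in the thread's dump, every RDN here
holds exactly one attribute.  Only C, O and CN with PrintableString values are
handled, a deliberate simplification."""
from collections import Counter

# DER-encoded OIDs 2.5.4.6, 2.5.4.10, 2.5.4.3 (the three types in the thread)
OID = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "CN": b"\x55\x04\x03"}
OID_NAME = {v: k for k, v in OID.items()}

SEQUENCE, SET, OBJECT_IDENTIFIER, PRINTABLE_STRING = 0x30, 0x31, 0x06, 0x13


def _tlv(tag, body):
    """Tag + DER length (short or long form) + body."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_name(rdns):
    """rdns: [(attr, value), ...] in display order -> DER Name.
    Each pair becomes its own RDN: SET OF one AttributeTypeAndValue SEQUENCE."""
    body = b""
    for attr, value in rdns:
        atv = _tlv(SEQUENCE, _tlv(OBJECT_IDENTIFIER, OID[attr])
                   + _tlv(PRINTABLE_STRING, value.encode("ascii")))
        body += _tlv(SET, atv)
    return _tlv(SEQUENCE, body)


def _read_tlv(buf, pos):
    """Return (tag, body, position just after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7f
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln


def decode_name(der):
    """DER Name -> list of frozensets, one per RDN, in SEQUENCE order.
    A frozenset models the SET OF: order inside an RDN carries no meaning."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = _read_tlv(body, pos)
        if tag != SET:
            raise ValueError("RelativeDistinguishedName must be a SET")
        atvs, p = set(), 0
        while p < len(rdn):
            tag, atv, p = _read_tlv(rdn, p)
            if tag != SEQUENCE:
                raise ValueError("AttributeTypeAndValue must be a SEQUENCE")
            _, oid, q = _read_tlv(atv, 0)
            _, val, _ = _read_tlv(atv, q)
            atvs.add((OID_NAME[oid], val.decode("ascii")))
        rdns.append(frozenset(atvs))
    return rdns


def names_match_strict(a, b):
    """Order-sensitive: same RDNs in the same SEQUENCE order.  This is what
    X509_NAME_cmp() checks and what the PKIX name-matching rule requires."""
    return decode_name(a) == decode_name(b)


def names_match_tolerant(a, b):
    """Order-insensitive: same multiset of RDNs regardless of SEQUENCE order.
    The relaxation the poster considered; note that it widens the set of
    issuer names a SignerInfo's issuerAndSerialNumber would be taken to match."""
    return Counter(decode_name(a)) == Counter(decode_name(b))


# Constructed inputs modelled on the two names in the question
CERT_NAME = encode_name([("C", "DE"), ("O", "Org"), ("CN", "Alice")])
SIGNER_INFO_NAME = encode_name([("CN", "Alice"), ("O", "Org"), ("C", "DE")])

if __name__ == "__main__":
    print("cert        :", CERT_NAME.hex())
    print("signerInfo  :", SIGNER_INFO_NAME.hex())
    print("strict match  :", names_match_strict(CERT_NAME, SIGNER_INFO_NAME))
    print("tolerant match:", names_match_tolerant(CERT_NAME, SIGNER_INFO_NAME))
```

Running it prints two different hex strings whose SET elements appear in opposite order, a strict result of False and a tolerant result of True. The strict compare is the conformant one: because the outer container is SEQUENCE OF, the encoder that produced the signerInfo emitted a different Name than the one in the certificate, and a verifier that ignores that order is matching a name the signer never actually encoded.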