Hi,

 

     I had a list of CA certificates, a few with encodings other than
PRINTABLE encoding, such as T61 and UTF8. I am running into the problem of
not being able to verify some of the certificates issued by CA certificates in
the cert store, despite the fact that they do exist in the store.

 

Deep analysis of the code revealed that the problem is with sorting and
searching. The sorted list is not correct and hence the binary search
fails. The root cause of the problem turned out to be the function
X509_NAME_cmp. It appears that it doesn't implement the comparisons as
specified in RFC5280, which refers to RFC4518 for rules to do comparison
for Internationalized Names in Distinguished Names. To quote from
RFC4518:

           The lack of precise specification for character string
           matching has led to significant interoperability problems.
           When used in certificate chain validation, security
           vulnerabilities can arise. To address these problems, this
           document defines precise algorithms for preparing character
           strings for matching.
 
Is there a plan to implement RFC4518 for comparison rules? Or are they
being implemented currently? 
 
Is there a workaround to support a list of CA certificates with mixed
encodings in the meantime?
 
Thanks,
 -Dharmendra 
 

 

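The failure mode described in the message, as an added example that is not part of the original post and not OpenSSL code: a certificate store keyed on the raw DER bytes of each name attribute (string-type tag plus value) cannot find an issuer whose name was re-encoded with a different ASN.1 string type, while a store keyed on an RFC 4518-style prepared string does. The DN model, the sample names, and the preparation steps (transcode, case fold, NFKC normalise, collapse insignificant spaces) are constructed for the example; treating T.61 as Latin-1 is a simplifying assumption that holds only for the common subset of T.61.

```python
"""
Model of a name store with two comparator strategies:
  raw_key        -- encoding-sensitive, compares (tag, raw bytes) like a memcmp
  normalized_key -- RFC 4518-style prepared Unicode string (simplified)
Constructed example; not OpenSSL's X509_NAME_cmp.
"""
import bisect
import unicodedata

# ASN.1 universal tags for the string types mentioned in the question.
UTF8STRING = 0x0C
PRINTABLESTRING = 0x13
T61STRING = 0x14

# A DN is modelled as a tuple of (attribute_type, tag, raw_value_bytes).


def raw_key(dn):
    """Encoding-sensitive key: same order a comparator that just compares
    the DER of each attribute would produce. Two spellings of the same
    name with different string types are unequal here."""
    return tuple((attr, tag, value) for attr, tag, value in dn)


def decode_value(tag, value):
    """Transcode step: bytes -> Unicode according to the string type."""
    if tag == UTF8STRING:
        return value.decode("utf-8")
    if tag == PRINTABLESTRING:
        return value.decode("ascii")
    if tag == T61STRING:
        # Assumption: T.61 decoded as Latin-1 (valid for the common subset).
        return value.decode("latin-1")
    raise ValueError("unsupported string type 0x%02x" % tag)


def prep_string(tag, value):
    """Simplified RFC 4518 preparation: transcode, map (case fold),
    normalise (NFKC), and collapse insignificant spaces. The real RFC
    has more steps (prohibited characters, bidi, exact space rules)."""
    s = decode_value(tag, value)
    s = unicodedata.normalize("NFKC", s.casefold())
    return " ".join(s.split())


def normalized_key(dn):
    """Encoding-insensitive key: attribute type plus prepared string."""
    return tuple((attr, prep_string(tag, value)) for attr, tag, value in dn)


class NameStore:
    """Sorted list of names with a binary-search lookup, keyed by `key`."""

    def __init__(self, names, key):
        self.key = key
        self.entries = sorted(names, key=key)
        self.keys = [key(n) for n in self.entries]

    def find(self, name):
        k = self.key(name)
        i = bisect.bisect_left(self.keys, k)
        if i < len(self.keys) and self.keys[i] == k:
            return self.entries[i]
        return None


# Constructed CA subject names, each with a different string type for O.
CA_PRINTABLE = (("C", PRINTABLESTRING, b"US"),
                ("O", PRINTABLESTRING, b"Example CA"))
CA_T61 = (("C", PRINTABLESTRING, b"DE"),
          ("O", T61STRING, "Zertifikat ÄG".encode("latin-1")))
CA_UTF8 = (("C", PRINTABLESTRING, b"FR"),
           ("O", UTF8STRING, "Autorité Test".encode("utf-8")))
STORE_NAMES = [CA_PRINTABLE, CA_T61, CA_UTF8]

# Constructed issuer names as a different tool might re-encode them in
# the end-entity certificate: same logical name, other string type/case.
ISSUER_UTF8_OF_PRINTABLE = (("C", PRINTABLESTRING, b"US"),
                            ("O", UTF8STRING, b"Example CA"))
ISSUER_UTF8_OF_T61 = (("C", PRINTABLESTRING, b"DE"),
                      ("O", UTF8STRING, "zertifikat äg".encode("utf-8")))


def lookup(store_key, issuer):
    """Build the store with the given key and search for `issuer`."""
    return NameStore(STORE_NAMES, store_key).find(issuer)


if __name__ == "__main__":
    print("raw key, UTF8 issuer of PrintableString CA:",
          lookup(raw_key, ISSUER_UTF8_OF_PRINTABLE))
    print("normalized key, same lookup:",
          lookup(normalized_key, ISSUER_UTF8_OF_PRINTABLE))
    print("normalized key, UTF8 issuer of T61 CA:",
          lookup(normalized_key, ISSUER_UTF8_OF_T61))
```

The workaround this models is to canonicalise every name once, at load time, and use that canonical form as the only sort and search key; mixing a raw-byte order for the sort with a normalised comparison for the lookup (or vice versa) is what leaves a binary search landing in the wrong place.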