Hi all,

I have come across a certificate that chokes our software, which uses OpenSSL. I haven't dug very deep yet, but was hoping that someone could tell me about any ordering rules for the DNs.

openssl asn1parse on the cert produces the dump below, which has the order of issuer DN components in the reverse order (CN->C) of what I am used to seeing (C->CN). Is this a legal certificate? My understanding is that the order is fixed by one of the X.400/X.500 standards. Apparently IE and Netscape can quite happily import and export the P12 file that this cert came from. If this encoding is illegal, is it considered best practice to be able to handle it?

Regards,
Steven
0:d=0 hl=4 l= 705 cons: SEQUENCE
4:d=1 hl=4 l= 554 cons: SEQUENCE
8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :02
13:d=2 hl=2 l= 1 prim: INTEGER :02
16:d=2 hl=2 l= 13 cons: SEQUENCE
18:d=3 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption
29:d=3 hl=2 l= 0 prim: NULL
31:d=2 hl=3 l= 159 cons: SEQUENCE
34:d=3 hl=2 l= 29 cons: SET
36:d=4 hl=2 l= 27 cons: SEQUENCE
38:d=5 hl=2 l= 3 prim: OBJECT :commonName
43:d=5 hl=2 l= 20 prim: PRINTABLESTRING :SpongeBob SquareCert
65:d=3 hl=2 l= 37 cons: SET
67:d=4 hl=2 l= 35 cons: SEQUENCE
69:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName
74:d=5 hl=2 l= 28 prim: PRINTABLESTRING :Sponge Certificate Authority
104:d=3 hl=2 l= 34 cons: SET
106:d=4 hl=2 l= 32 cons: SEQUENCE
108:d=5 hl=2 l= 3 prim: OBJECT :organizationName
113:d=5 hl=2 l= 25 prim: PRINTABLESTRING :Sponge People Corporation
140:d=3 hl=2 l= 20 cons: SET
142:d=4 hl=2 l= 18 cons: SEQUENCE
144:d=5 hl=2 l= 3 prim: OBJECT :localityName
149:d=5 hl=2 l= 11 prim: PRINTABLESTRING :UnderTheSea
162:d=3 hl=2 l= 16 cons: SET
164:d=4 hl=2 l= 14 cons: SEQUENCE
166:d=5 hl=2 l= 3 prim: OBJECT :stateOrProvinceName
171:d=5 hl=2 l= 7 prim: PRINTABLESTRING :Florida
180:d=3 hl=2 l= 11 cons: SET
182:d=4 hl=2 l= 9 cons: SEQUENCE
184:d=5 hl=2 l= 3 prim: OBJECT :countryName
189:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US
193:d=2 hl=2 l= 30 cons: SEQUENCE
195:d=3 hl=2 l= 13 prim: UTCTIME :031031145544Z
210:d=3 hl=2 l= 13 prim: UTCTIME :041031145544Z
225:d=2 hl=2 l= 35 cons: SEQUENCE
227:d=3 hl=2 l= 33 cons: SET
229:d=4 hl=2 l= 31 cons: SEQUENCE
231:d=5 hl=2 l= 3 prim: OBJECT :commonName
236:d=5 hl=2 l= 24 prim: PRINTABLESTRING :john paxon is in control
262:d=2 hl=3 l= 159 cons: SEQUENCE
265:d=3 hl=2 l= 13 cons: SEQUENCE
267:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
278:d=4 hl=2 l= 0 prim: NULL
280:d=3 hl=3 l= 141 prim: BIT STRING
424:d=2 hl=3 l= 135 cons: cont [ 3 ]
427:d=3 hl=3 l= 132 cons: SEQUENCE
430:d=4 hl=2 l= 66 cons: SEQUENCE
432:d=5 hl=2 l= 9 prim: OBJECT :Netscape Comment
443:d=5 hl=2 l= 53 prim: OCTET STRING
498:d=4 hl=2 l= 31 cons: SEQUENCE
500:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
505:d=5 hl=2 l= 24 prim: OCTET STRING
531:d=4 hl=2 l= 29 cons: SEQUENCE
533:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
538:d=5 hl=2 l= 22 prim: OCTET STRING
562:d=1 hl=2 l= 13 cons: SEQUENCE
564:d=2 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption
575:d=2 hl=2 l= 0 prim: NULL
577:d=1 hl=3 l= 129 prim: BIT STRING
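An added example, not code from Steven's post or from OpenSSL: a minimal DER encoder and walker in Python for an X.509 Name, so that the RDN order seen in the dump above is visible as nothing more than the encoding order (SEQUENCE of SET of SEQUENCE { OID, PrintableString }). The sample Name is constructed here from the issuer in the dump, in its CN->C order; the helper names and the OID tables are this example's own assumptions.

```python
# Added example (not OpenSSL's code): a minimal DER walker for an X.509 Name.
# Name ::= SEQUENCE OF RDN; RDN ::= SET OF SEQUENCE { type OID, value string }
OID_DER = {"CN": b"\x55\x04\x03", "C": b"\x55\x04\x06", "L": b"\x55\x04\x07",
           "ST": b"\x55\x04\x08", "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b"}
def decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER body to dotted form (e.g. 2.5.4.3)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))
OID_NAMES = {decode_oid(v): k for k, v in OID_DER.items()}
def tlv(tag, body):  # wrap body in a DER TLV, long-form length above 127 bytes
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def read_tlv(buf, pos):  # -> (tag, value_bytes, next_pos) for the TLV at buf[pos]
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def encode_name(rdns):
    """DER-encode a Name from (type, PrintableString) pairs, in the given order."""
    body = b"".join(tlv(0x31, tlv(0x30, tlv(0x06, OID_DER[t]) + tlv(0x13, v.encode())))
                    for t, v in rdns)
    return tlv(0x30, body)
def parse_name(der):
    """Return the RDNs of a DER Name as (type, value) pairs, in encoded order."""
    tag, body, _ = read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    rdns, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = read_tlv(body, pos)
        assert tag == 0x31, "each RDN must be a SET"
        _, atv, _ = read_tlv(rdn, 0)  # single-valued RDN, as in the dump
        _, oid, p = read_tlv(atv, 0)
        _, val, _ = read_tlv(atv, p)
        oid = decode_oid(oid)
        rdns.append((OID_NAMES.get(oid, oid), val.decode("ascii")))
    return rdns
# Constructed sample: the issuer Name from the dump above, in its CN->C order.
ISSUER_CN_FIRST = [("CN", "SpongeBob SquareCert"), ("OU", "Sponge Certificate Authority"),
                   ("O", "Sponge People Corporation"), ("L", "UnderTheSea"), ("ST", "Florida"), ("C", "US")]
```

Encoded in the dump's order the Name comes out as the same 159-byte SEQUENCE (first SET of 29 bytes) that asn1parse reports, and reversing the list gives a different DER Name, so code that matches issuers should compare the encoded RDN sequence rather than assume a C-first layout.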