On Mon, Nov 17, 2003, Steven Reddie wrote:

> I have come across a certificate that chokes our software which uses
> OpenSSL. I haven't dug very deep yet, but was hoping that someone could
> tell me about any ordering rules for the DN's.
>
> openssl asn1parse on the cert produces the dump below which has the order of
> issuer DN components in the reverse order (CN->C) of what I am used to
> seeing (C->CN). Is this a legal certificate? My understanding is that the
> order is fixed by one of the X.400/X.500 standards. Apparently IE and
> Netscape can quite happily import and export the P12 file that this cert
> came from. If this encoding is illegal, is it considered best practice to
> be able to handle it?
The standards don't specify any specific ordering with single valued RDNs. In ASN1 terms they are a SEQUENCE: the rules for encoding of a SEQUENCE are that the order of the components is kept. The actual components within a multi valued RDN are a SET, which is considered unordered, though use of multi valued RDNs is rare.

If it chokes your software then perhaps it is expecting a certain order or expecting certain components to be present?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
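To make the SEQUENCE-versus-SET distinction from the reply concrete, here is an added example (not from the thread, nor OpenSSL code) that DER-encodes and decodes a Name by hand; it handles only the CN, C and O OIDs and uses constructed sample DN values.

```python
# Added example (not from the thread; only three OIDs handled, sample DN values
# constructed): Name ::= SEQUENCE OF RDN (ordered as encoded, so C->CN and
# CN->C are both valid), RDN ::= SET OF AttributeTypeAndValue (unordered).
OIDS = {"CN": b"\x55\x04\x03", "C": b"\x55\x04\x06", "O": b"\x55\x04\x0a"}
NAMES = {v: k for k, v in OIDS.items()}
def tlv(tag, value):  # DER tag-length-value, short-form length only
    assert len(value) < 128
    return bytes([tag, len(value)]) + value
def encode_name(rdns):
    """rdns: list of RDNs, each a list of (attr, PrintableString value)."""
    out = b""
    for rdn in rdns:  # sorted() puts the SET members in DER canonical order
        atvs = sorted(tlv(0x30, tlv(0x06, OIDS[a]) + tlv(0x13, v.encode("ascii")))
                      for a, v in rdn)
        out += tlv(0x31, b"".join(atvs))
    return tlv(0x30, out)

def children(value):  # yield (tag, contents) of each TLV in a constructed value
    pos = 0
    while pos < len(value):
        tag, length = value[pos], value[pos + 1]
        pos += 2
        if length & 0x80:  # long-form length, as real certificates use
            n = length & 0x7F
            length, pos = int.from_bytes(value[pos:pos + n], "big"), pos + n
        yield tag, value[pos:pos + length]
        pos += length

def parse_name(der):
    """Decode a Name, preserving the SEQUENCE order exactly as encoded."""
    (tag, seq), = children(der)
    assert tag == 0x30, "Name must be a SEQUENCE"
    rdns = []
    for set_tag, rdn in children(seq):
        assert set_tag == 0x31, "each RDN must be a SET"
        atvs = []
        for atv_tag, atv in children(rdn):
            assert atv_tag == 0x30, "AttributeTypeAndValue must be a SEQUENCE"
            (_, oid), (_, val) = children(atv)
            atvs.append((NAMES.get(oid, oid.hex()), val.decode("ascii")))
        rdns.append(atvs)
    return rdns

def same_dn(a, b):  # RDN sequence is ordered; members within one RDN are not
    return len(a) == len(b) and all(set(x) == set(y) for x, y in zip(a, b))
# Both orders decode, but differ as DNs; swapping multi-valued RDN members gives identical DER.
C_FIRST = encode_name([[("C", "AU")], [("O", "Example")], [("CN", "test")]])
CN_FIRST = encode_name([[("CN", "test")], [("O", "Example")], [("C", "AU")]])
MULTI = encode_name([[("C", "AU")], [("CN", "test"), ("O", "Example")]])
MULTI_SWAPPED = encode_name([[("C", "AU")], [("O", "Example"), ("CN", "test")]])
```

A parser that walks the SEQUENCE as shown accepts either ordering; code that breaks on the CN-first certificate is assuming an order the encoding rules never promised.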