The OpenSSL-based common name extraction code in current revision (2965) of the BETA21 branch is still incorrect in the cases where the extracted field is the first one in the DN:
extract_x509_field_ssl:

    int lastpos = -1;
    int tmp = -1;
    ...
    do {
        lastpos = tmp;
        tmp = X509_NAME_get_index_by_NID(x509, nid, lastpos);
    } while (tmp > 0);

When there is only one common name field in the DN and it is the first field, the first call of X509_NAME_get_index_by_NID will return the index 0, at which point the loop will terminate, leaving -1 in lastpos and causing the extract_x509_field_ssl function to fail. Changing the test to "tmp > -1" fixes the bug, since X509_NAME_get_index_by_NID will return -1 if the field is not found.

(This sort of situation happens with cacert.org client certificates, where the subject name is of the form "/CN=Real Name/emailAddress=em...@example.org".)

--
Heikki Kallasjoki
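Added example, not part of the original message and not the project's code: the quoted loop and the proposed "tmp > -1" variant run side by side over constructed DNs. The function get_index() is a hypothetical stand-in that models only the behaviour the report relies on (index of the next match after lastpos, or -1 if none); the field tags and sample DNs are assumptions made for the example.

```c
#include <stdio.h>
/* Constructed sample DNs as arrays of field tags (arbitrary values, not OpenSSL NIDs). */
enum { CN = 1, EMAIL = 2, ORG = 3 };
static const int dn_cn_first[] = { CN, EMAIL };   /* /CN=.../emailAddress=... */
static const int dn_cn_later[] = { ORG, CN };
static const int dn_two_cn[]   = { CN, ORG, CN };
static const int dn_no_cn[]    = { ORG, EMAIL };

/* Hypothetical stand-in for X509_NAME_get_index_by_NID(): index of the
 * next matching entry after lastpos, or -1 if there is none. */
static int get_index(const int *dn, int len, int tag, int lastpos)
{
    for (int i = lastpos + 1; i < len; i++)
        if (dn[i] == tag)
            return i;
    return -1;
}

/* Loop as quoted in the report: a first match at index 0 ends it with lastpos still -1. */
int last_index_reported(const int *dn, int len, int tag)
{
    int lastpos = -1, tmp = -1;
    do {
        lastpos = tmp;
        tmp = get_index(dn, len, tag, lastpos);
    } while (tmp > 0);
    return lastpos;
}

/* Same loop with the test changed to "tmp > -1" as the report proposes. */
int last_index_fixed(const int *dn, int len, int tag)
{
    int lastpos = -1, tmp = -1;
    do {
        lastpos = tmp;
        tmp = get_index(dn, len, tag, lastpos);
    } while (tmp > -1);
    return lastpos;
}

int main(void)
{
    const int *dns[] = { dn_cn_first, dn_cn_later, dn_two_cn, dn_no_cn };
    const int lens[] = { 2, 2, 3, 2 };
    for (int i = 0; i < 4; i++)
        printf("dn %d: reported=%d fixed=%d\n", i,
               last_index_reported(dns[i], lens[i], CN), last_index_fixed(dns[i], lens[i], CN));
    return 0;
}
```

In this model the quoted loop returns -1 both for a DN with no CN and for any DN whose first CN sits at index 0, so the caller cannot tell the two cases apart.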