Re: [openssl-users] Escaped Issuer/Subject

2017-04-12 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of c.hol...@ades.at
> Sent: Wednesday, April 12, 2017 00:47
> 
> I thought about escaping regarding DN itself (LDAP DN).

It's an X.400 DN. LDAP is a protocol and an API; there's no necessary 
relationship between X.509 certificates and LDAP.

More importantly, escaping is an aspect of interpretation, not source. If you 
need an X.400 DN escaped in, say, an LDAP context such as a value in a search 
filter, that's a requirement of LDAP, and the transformation is determined by 
LDAP. It is not a property of the "DN itself". Escaping a DN for a particular 
context is no different from escaping any other string for that context.

Your conceptual model is wrong, and that is a Bad Thing, particularly with 
escaping. Having the wrong conceptual model when escaping data leads to 
difficult-to-find errors and security vulnerabilities.

Rich has mentioned -nameopt and its implementing code, which may serve as a 
guide. But they're unlikely to precisely meet your requirements, whatever they 
actually are.

Michael Wojcik 
Distinguished Engineer, Micro Focus 


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
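
The point made above, that escaping belongs to the target context and not to the DN, shown as an added example that is not part of any message in this thread. It applies the RFC 4514 string-form rules to the DN values from the original question, then the separate RFC 4515 filter rules to the result. The function names, the `member` attribute and the single-valued-RDN simplification are assumptions made for illustration.

```python
# Added example: one DN, two LDAP contexts, two different escaping rules.
# Simplification (assumption): every RDN holds a single attribute/value pair.

def escape_rfc4514_value(value: str) -> str:
    """Escape one attribute value for an RFC 4514 DN string."""
    out = []
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)          # always-special characters
        elif ch == "\x00":
            out.append("\\00")             # NUL is written as a hex pair
        elif ch == "#" and i == 0:
            out.append("\\#")              # '#' only matters at the start
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")              # leading or trailing space
        else:
            out.append(ch)                 # '=' needs no escape in a value
    return "".join(out)


def dn_to_rfc4514(rdns):
    """Build the DN string; RFC 4514 emits the last RDN first."""
    return ",".join(f"{t}={escape_rfc4514_value(v)}" for t, v in reversed(rdns))


def escape_rfc4515_filter_value(value: str) -> str:
    """Escape an assertion value for an RFC 4515 search filter."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


# Constructed input: the values from the thread's example, in certificate order.
SAMPLE = [("C", "US"), ("O", "test, Inc."), ("OU", "department=1"), ("CN", 'tester "')]


def demo():
    dn = dn_to_rfc4514(SAMPLE)
    # A filter is a second context: the backslashes added above are now data
    # and must themselves be escaped. 'member' is a hypothetical attribute.
    flt = f"(member={escape_rfc4515_filter_value(dn)})"
    return dn, flt


if __name__ == "__main__":
    for line in demo():
        print(line)
```
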


Re: [openssl-users] Escaped Issuer/Subject

2017-04-12 Thread Salz, Rich via openssl-users
> I thought about escaping regarding DN itself (LDAP DN).

Look up the -nameopt flag in, say, x509.pod. Then if you need C code, trace 
through what apps/x509.c does.


[openssl-users] Escaped Issuer/Subject

2017-04-12 Thread c.hol...@ades.at

I thought about escaping regarding DN itself (LDAP DN).

https://www.ietf.org/rfc/rfc4514.txt

https://www.ibm.com/support/knowledgecenter/en/ssw_i5_54/rzahy/rzahyunderdn.htm

https://msdn.microsoft.com/en-us/library/aa366101%28v=vs.85%29.aspx

Best regards


Re: [openssl-users] Escaped Issuer/Subject

2017-04-11 Thread Wouter Verhelst
On 11-04-17 10:56, c.hol...@ades.at wrote:
> Hi!
> 
> Is it possible to get the distinguished name of issuer or subject in an
> escaped form out of the box?

Escaped for what? XML? SQL? HTML? Shell scripts? Maybe something else?

"Escaped form" isn't something that exists as a generic term. If you
want a string escaped, you're going to have to use some string escape
function of whatever it is you're trying to escape for; e.g., the
database or XML library you're using (you *are* using a library to
generate a structured format, are you?). Otherwise you're going down the
PHP "addslashes" pitfall, which won't help you nor anyone else.

Regards,

-- 
Wouter Verhelst


[openssl-users] Escaped Issuer/Subject

2017-04-11 Thread c.hol...@ades.at

Hi!

Is it possible to get the distinguished name of issuer or subject in an 
escaped form out of the box?


e.g.
C=US, O=test, Inc., OU=department=1, CN=tester "
C=US, O=test\, Inc., OU=department\=1, CN=tester \"

cheers,
chris

