Hi, All!

I have a few questions/RFEs for the OpenSSL developers about
X509 and X509_NAME structures. I ran into some problems
when I tried to use some low-level functions and I wonder whether
it is worth patching OpenSSL instead of writing custom functions
in my library. I am not absolutely sure that all my points are valid, so
please correct me if I am wrong.

Thank you in advance,

Aleksey Sanin.
http://www.aleksey.com/xmlsec

Questions List:
------------------------------------------------------------------------------------------------------
1) Sorting of the X509_NAME_ENTRY elements in the X509_NAME structure
(for X509 subject and issuer fields).
Right now OpenSSL reads the entries in the order they appear in the
certificate (or in the order you add them if you are creating the cert).
I am not sure, but I do not remember any order restrictions in the X509 RFC or
the DName RFC (http://www.ietf.org/rfc/rfc2253.txt). And this scares me in general
because an implementation relying on the order is likely to have interop problems.
The suggestion is to sort the X509_NAME_ENTRY elements after reading or
creating the cert, or before using any "order-dependent" function
(hashing, comparison, search, etc.).

2) X509_NAME_ENTRY_cmp function missing
In order to do the sorting described above, a new X509_NAME_ENTRY_cmp
function is required. I think it should be implemented something
like this:

int X509_NAME_ENTRY_cmp(const X509_NAME_ENTRY **a, const X509_NAME_ENTRY **b) {
    /* order entries by attribute type (OID) */
    return(OBJ_cmp((*a)->object, (*b)->object));
}

3) X509_NAME_cmp function compares the "set" field of X509_NAME
After doing the sorting as described in 1) I ran into another problem:
the function X509_NAME_cmp compares the "set" field of X509_NAME
as follows (the interesting lines are marked ">>"):

    for (i=sk_X509_NAME_ENTRY_num(a->entries)-1; i>=0; i--)
        {
        na=sk_X509_NAME_ENTRY_value(a->entries,i);
        nb=sk_X509_NAME_ENTRY_value(b->entries,i);
        j=na->value->length-nb->value->length;
        if (j) return(j);
        j=memcmp(na->value->data,nb->value->data,
            na->value->length);
        if (j) return(j);
 >>    j=na->set-nb->set;
 >>    if (j) return(j);
        }


AFAIK, the "set" field stores the X509_NAME_ENTRY position in
the list. I am not sure that comparing positions in this way is
the right thing here because we are *already* doing this by iterating
through all X509_NAME_ENTRY entries in the X509_NAME. And of course,
this comparison fails after sorting :)
I suggest removing these two lines marked with ">>".
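As an added example (not part of the original post or of OpenSSL's code), a small Python model of a flattened X509_NAME that shows what the "set" field carries and which names each sorting strategy makes compare equal. Entry, name_cmp, sort_flat and sort_within_rdn are hypothetical names and the sample names are constructed; the attribute-type comparison stands in for OBJ_cmp.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    oid: str      # attribute type, e.g. "2.5.4.3" is commonName
    value: bytes  # raw attribute value
    rdn: int      # RDN (SET) index; what OpenSSL keeps in X509_NAME_ENTRY->set

def name_cmp(a, b, compare_set=True):
    """Element-wise comparison modelled on the quoted X509_NAME_cmp loop.
    compare_set=False drops the two lines marked ">>" in the post."""
    if len(a) != len(b):
        return len(a) - len(b)
    for i in range(len(a) - 1, -1, -1):
        na, nb = a[i], b[i]
        j = len(na.value) - len(nb.value)
        if j:
            return j
        if na.value != nb.value:
            return -1 if na.value < nb.value else 1
        if compare_set and na.rdn != nb.rdn:   # the ">>" lines
            return na.rdn - nb.rdn
    for na, nb in zip(a, b):                    # attribute types (hypothetical
        if na.oid != nb.oid:                    # stand-in for OBJ_cmp)
            return -1 if na.oid < nb.oid else 1
    return 0

def sort_flat(name):
    """The sort proposed in the post: all entries by type, RDN boundaries ignored."""
    return sorted(name, key=lambda e: e.oid)

def sort_within_rdn(name):
    """Sort only inside each RDN (DER's SET OF rule); RDN sequence order is kept (RFC 2253)."""
    return sorted(name, key=lambda e: (e.rdn, e.oid, e.value))

CN, O, OU = "2.5.4.3", "2.5.4.10", "2.5.4.11"
# Constructed sample names (not taken from any real certificate):
X = [Entry(CN, b"web", 0), Entry(O, b"Example", 1)]   # CN=web,O=Example
Y = [Entry(O, b"Example", 0), Entry(CN, b"web", 1)]   # O=Example,CN=web
M1 = [Entry(O, b"Example", 0), Entry(OU, b"Ops", 0)]  # one RDN: O=Example+OU=Ops
M2 = [Entry(OU, b"Ops", 0), Entry(O, b"Example", 0)]  # same RDN, other order

def demo():
    return {
        "x_y_after_flat_sort_set_kept": name_cmp(sort_flat(X), sort_flat(Y)) == 0,
        "x_y_after_flat_sort_set_dropped": name_cmp(sort_flat(X), sort_flat(Y), False) == 0,
        "multi_rdn_unsorted": name_cmp(M1, M2) == 0,
        "multi_rdn_sorted_within_rdn": name_cmp(sort_within_rdn(M1), sort_within_rdn(M2)) == 0,
    }
```

The flat sort with the ">>" lines removed makes X and Y equal even though their RDN sequences differ, while sorting inside each RDN is enough to make the two spellings of the multi-valued RDN equal.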

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List