Tested with 0.9.6g thru 0.9.8h:
>>>>
mandolin:/home/software/openssl-0.9.8h/apps> ./openssl req -new -newkey rsa:1024 -out foo.req -nodes -multivalue-rdn -subj "/C=US/ST=CA/L=Los Angeles/CN=foo+SN=bar"
Generating a 1024 bit RSA private key
...++++++
................++++++
writing new private key to 'privkey.pem'
-----
mandolin:/home/software/openssl-0.9.8h/apps> ./openssl req -in foo.req -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=CA, L=Los Angeles, CN=foo, SN=bar
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
<<<<
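The Subject: display should show "CN=foo+SN=bar" since both AVAs (attribute value assertions) are part of the same RDN. Printed as "CN=foo, SN=bar", the multi-valued RDN cannot be told apart from two separate single-valued RDNs.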

I thought the request itself was being generated incorrectly, but examining the request in DER form showed that it's fine:

reqdec < foo.der
dn: cn=foo+sn=bar,l=Los Angeles,st=CA,c=US

>>>>reqdec.c
#include <stdio.h>
#include <ldap.h>

/* Raw DER request bytes read from stdin; main() reads at most sizeof(buf)
 * bytes into it, so a larger input is cut short rather than rejected. */
char buf[4096];

/* Print the DN of a certificate request */

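/*
 * Read a DER-encoded PKCS#10 certificate request from stdin, walk down to
 * the subject Name and print it as an LDAP DN string ("dn: ...").
 *
 * Returns 0 on success, LDAP_INVALID_SYNTAX when the input does not have the
 * expected outer structure, or the error code from ldap_X509dn2bv().
 *
 * The input is untrusted: every length decoded from it is checked against
 * the number of bytes actually read before it is used to build derdn.
 *
 * NOTE(review): ldap_X509dn2bv() is not declared by <ldap.h> as far as I can
 * tell; presumably it comes from OpenLDAP's private ldap_pvt.h -- confirm.
 */
int main(int argc, char *argv[])
{
        struct berval bv, derdn, dn;
        BerElement *ber;
        ber_tag_t tag;
        ber_len_t len, start, hdr;
        ber_int_t val;
        int rc = LDAP_INVALID_SYNTAX;

        (void)argc;
        (void)argv;

        dn.bv_val = NULL;
        dn.bv_len = 0;

        bv.bv_val = buf;
        bv.bv_len = fread(buf, 1, sizeof(buf), stdin);
        if ( bv.bv_len == 0 ) return LDAP_INVALID_SYNTAX;       /* empty input or read error */

        ber = ber_init( &bv );
        if ( ber == NULL ) return LDAP_INVALID_SYNTAX;

        tag = ber_skip_tag( ber, &len );        /* CertificationRequest: Sequence */
        if ( tag != LBER_SEQUENCE ) goto done;
        tag = ber_skip_tag( ber, &len );        /* CertificationRequestInfo: Sequence */
        if ( tag != LBER_SEQUENCE ) goto done;
        tag = ber_peek_tag( ber, &len );        /* version */
        if ( tag != LBER_INTEGER ) goto done;
        tag = ber_get_int( ber, &val );
        if ( tag != LBER_INTEGER ) goto done;   /* integer could not be decoded */

        /*
         * Measure the DN's tag+length header instead of assuming it is two
         * bytes: a subject whose contents exceed 127 bytes uses long-form
         * length octets, and "len + 2" would then hand a truncated Name to
         * the converter.
         */
        start = ber_ptrlen( ber );              /* offset of the DN's tag byte */
        tag = ber_skip_tag( ber, &len );        /* DN: Sequence */
        if ( tag != LBER_SEQUENCE ) goto done;
        hdr = ber_ptrlen( ber ) - start;        /* tag + length octets consumed */

        /* Reject a declared length that runs past the bytes we actually read. */
        if ( start > bv.bv_len || hdr > bv.bv_len - start ||
             len > bv.bv_len - start - hdr ) goto done;

        derdn.bv_val = bv.bv_val + start;
        derdn.bv_len = hdr + len;

        rc = ldap_X509dn2bv( &derdn, &dn, NULL, 0 );
        if ( rc != LDAP_SUCCESS ) goto done;    /* dn is not valid on failure; do not print it */

        printf("dn: %s\n", dn.bv_val );
        rc = 0;

done:
        ber_memfree( dn.bv_val );               /* no-op while dn.bv_val is still NULL */
        ber_free( ber, 1 );
        return rc;
}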
<<<<
(The above tested with OpenLDAP 2.4 libraries...)
--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/