Howard Chu wrote:
Thor Lancelot Simon wrote:
Can I assume that any data returned when I access the DN of a peer's
certificate using OpenSSL are ASCII or UTF8? If not, how do I tell
the difference?
I think I understand that DNs not encoded as UTF8String should not
have high-bit characters in them -- so if I do this:
X509_NAME_oneline(X509_get_subject_name(peer), buf, BUFSIZ)
I should be able to tell any application using the data that the
character set for the data is UTF8, or, if I don't find any Unicode
sequences in it, ASCII. Is that right? I don't see a way to find
out what ASN.1 type X509_get_subject_name actually fetched the data
from...
Keep in mind the definition of a DN:
/* A DN is a SEQUENCE of RDNs. An RDN is a SET of AVAs.
* An AVA is a SEQUENCE of attr and value.
*/
Each component of the DN can use a different encoding. It's important not to
fall into the trap that so many people do, and think of a DN as an intrinsic
property of an object. It is simply a pathname, like a filesystem pathname.
Only the most-inferior RDN actually "belongs" to the object, just like the
actual filename of a file (i.e., its relative path, not the absolute path).
Nor is it a single contiguous data item, it is a complex sequence of
independent items that must be treated individually. Within a DN and AVA,
order is significant. Within an RDN, order is *not* significant; this fact has
major implications for how you compare DNs to each other...
X509_NAME_oneline is too coarse for getting this info; if you actually need to
know then you should use the other APIs:
You can see the full working example of this code in this older code from
OpenLDAP 2.3:
http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/getdn.c.diff?r1=1.136&r2=1.137&hideattic=1&sortbydate=0&f=h
As a footnote, we've been using the above code with no trouble for several
years. I deleted it when we added GnuTLS support, and replaced it with a
generic function that only uses libldap/liblber rather than having to maintain
multiple versions of this function for each TLS library. You can see the
generic function at the bottom of tls2.c here:
http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/?hideattic=1&sortbydate=0
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
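An added example, not code from Howard's post or from OpenLDAP's getdn.c/tls2.c: a small DER walker in Python that takes a Name apart exactly as the comment above describes (SEQUENCE of RDN SETs of AVA SEQUENCEs) and reports the ASN.1 string type of each value, which is the information X509_NAME_oneline throws away. The sample DN bytes are constructed for this example.

```python
# Walk a DER-encoded X.500 Name and report, per AVA, which ASN.1 string type the
# value used and what charset an application can safely be told it is.
# Constructed example, not OpenLDAP's code.

STRING_TYPES = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "T61String",
                0x16: "IA5String", 0x1E: "BMPString"}

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the TLV at pos (short and long-form lengths)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, ln, hdr = buf[pos], buf[pos + 1], 2
    if ln & 0x80:                      # long form: the next (ln & 0x7F) bytes hold the length
        n = ln & 0x7F
        ln, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), hdr + n
    start, end = pos + hdr, pos + hdr + ln
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, start, end

def _members(buf, pos, expect_tag):
    """Yield (tag, child_pos, value_start, value_end) for each child of the constructed TLV at pos."""
    tag, p, end = _tlv(buf, pos)
    if tag != expect_tag:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (expect_tag, tag))
    while p < end:
        t, s, e = _tlv(buf, p)
        yield t, p, s, e
        p = e

def _oid(b):
    """Decode a DER OBJECT IDENTIFIER body to dotted form."""
    arcs, acc = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        acc = (acc << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))

def classify_name(der):
    """Return [(rdn_index, oid, asn1_type, text, charset), ...], one entry per AVA, in DN order."""
    out = []
    for rdn_no, (_, rdn_pos, _, _) in enumerate(_members(der, 0, 0x30)):     # SEQUENCE of RDN
        for _, ava_pos, _, _ in _members(der, rdn_pos, 0x31):                # SET of AVA
            (ot, _, os, oe), (vt, _, vs, ve) = list(_members(der, ava_pos, 0x30))  # SEQUENCE {OID, value}
            if ot != 0x06:
                raise ValueError("AVA does not start with an OID")
            raw, typ = der[vs:ve], STRING_TYPES.get(vt, "tag 0x%02x" % vt)
            if typ == "BMPString":
                text, charset = raw.decode("utf-16-be"), "UCS-2"   # not UTF-8; needs transcoding
            elif typ == "T61String":
                text, charset = raw.decode("latin-1"), "T.61"      # approximation; also not UTF-8
            else:                                                  # Printable/IA5 are ASCII subsets
                text, charset = raw.decode("utf-8"), ("ASCII" if raw.isascii() else "UTF-8")
            out.append((rdn_no, _oid(der[os:oe]), typ, text, charset))
    return out

def dn_charset(avas):
    """One label for a oneline-style rendering is only honest if every AVA agrees."""
    cs = {a[4] for a in avas}
    return "ASCII" if cs <= {"ASCII"} else "UTF-8" if cs <= {"ASCII", "UTF-8"} else "mixed"

# Constructed DN: O=Exämple (UTF8String), then one RDN holding CN=Test (PrintableString)
# and OU=Ops (BMPString) as two AVAs of the same SET.
SAMPLE_DN = bytes.fromhex("3031" "3111300f060355040a0c084578c3a46d706c65"
                          "311c300b0603550403130454657374" "300d060355040b1e06004f00700073")
```

Run `classify_name(SAMPLE_DN)` to see each component's own string type; `dn_charset` on the result reports "mixed", i.e. the DN cannot be labelled ASCII or UTF-8 as a whole without transcoding the BMPString component first.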
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]