On 09/11/2011 12:12 AM, Erwann ABALEA wrote:
Hodie IV Id. Sep. MMXI, Maarten Billemont via RT scripsit:
According to rfc1779, the key STREET in the subject name should be capitalized.
obj_dat.h specifies it as a lower-cased "street".
This is incorrect and breaks when OpenSSL is used to parse in rfc1779-compliant
distinguished names generated by external parties.
The solution is to upper-case it to "STREET", just like "C", "CN", etc.
The "street" attribute type (OID 2.5.3.9) is not defined by RFC1779.
This RFC doesn't state that those tokens are case sensitive (you could
even use "cn" instead of "CN").
This RFC is defective at least in one aspect: the following names are
not considered equal:
CN=James Bond, O=MI6, C=UK
CN=James \ Bond, O=MI6, C=UK
CN=\ \ jAmeS bonD, O=MI6, C=UK
these examples are equal, following X.520 rules.
Hm,
OID 2.5.3.9 is id-at-streetAddress*OBJECT IDENTIFIER* ::= {id-at
<http://www.itu.int/ITU-T/formal-language/itu-t/x/x501/2008/UsefulDefinitions.html#UsefulDefinitions.id-at>
9}
streetAddressATTRIBUTE
<http://www.itu.int/ITU-T/formal-language/itu-t/x/x501/2008/InformationFramework.html#InformationFramework.ATTRIBUTE>
::= {
WITH SYNTAXUnboundedDirectoryString
<http://www.itu.int/ITU-T/formal-language/itu-t/x/x520/2008/SelectedAttributeTypes.html#SelectedAttributeTypes.UnboundedDirectoryString>
EQUALITY MATCHING RULEcaseIgnoreMatch
<http://www.itu.int/ITU-T/formal-language/itu-t/x/x520/2008/SelectedAttributeTypes.html#SelectedAttributeTypes.caseIgnoreMatch>
SUBSTRINGS MATCHING RULEcaseIgnoreSubstringsMatch
<http://www.itu.int/ITU-T/formal-language/itu-t/x/x520/2008/SelectedAttributeTypes.html#SelectedAttributeTypes.caseIgnoreSubstringsMatch>
IDid-at-streetAddress
<http://www.itu.int/ITU-T/formal-language/itu-t/x/x520/2008/SelectedAttributeTypes.html#SelectedAttributeTypes.id-at-streetAddress>
}
In 1779
CN CommonName
L LocalityName
ST StateOrProvinceName
O OrganizationName
OU OrganizationalUnitName
C CountryName
STREET StreetAddress
rfc 4514 has
CN commonName (2.5.4.3)
L localityName (2.5.4.7)
ST stateOrProvinceName (2.5.4.8)
O organizationName (2.5.4.10)
OU organizationalUnitName (2.5.4.11)
C countryName (2.5.4.6)
STREET streetAddress (2.5.4.9)
DC domainComponent (0.9.2342.19200300.100.1.25)
UID userId (0.9.2342.19200300.100.1.1)
in objects.txt
X509 3 : CN : commonName
X509 6 : C : countryName
X509 7 : L : localityName
X509 8 : ST : stateOrProvinceName
X509 9 : street : streetAddress
X509 10 : O : organizationName
X509 11 : OU : organizationalUnitName
IMO should be STREET
(but existing req etc config files should become broken)
the rfc doesn't treat equality or matching.
the rfc describes a textual representation of an encoded name.
not any kind of canonical or distinguished form.
btw your examples seem wrong to me, a space cannot escaped by \
as far as I understand rfc 1779
<string> ::= *(<stringchar> |<pair> )
| '"' *(<stringchar> |<special> |<pair> ) '"'
| "#"<hex>
<special> ::= "," | "=" |<CR> | "+" | "<" |">"
| "#" | ";"
<pair> ::= "\" (<special> | "\" | '"')
<stringchar> ::= any character except<special> or "\" or '"'
rfc 4514 has ' ', '"', '#', '+', ',', ';', '<', '=','>', or '\'
The textual representations
CN=" jAmes bonD"
CN="James Bond"
designate different encodings that match, i.e.
only one could be in a directory.
have fun
Peter Sylvester
