One certificate can have more than one entry of type 'Organizational Unit'.
Please find attached the file "xmlsec1-20030207.patch.gz". This file contains a patch against CVS (20030702). The source code is taken from my implementation of "X.509 certificates support in OpenSSH". Some tests are commented out.
After building the patched version, go to <builddir>/src/openssl and run "make x509vfytest && ./x509vfytest". Results follow:
==========================================
[SNIP]
xmlSecOpenSSLX509NamesCompare(): sorting a1 entries ...
ne(a)=organizationalUnitName
ne(b)=organizationalUnitName
OBJ_cmp(a,b)=0
ne(a)=organizationalUnitName
ne(b)=organizationalUnitName
OBJ_cmp(a,b)=0
xmlSecOpenSSLX509NamesCompare(): sorting b1 entries ...
ne(a)=organizationalUnitName
ne(b)=organizationalUnitName
OBJ_cmp(a,b)=0
ne(a)=organizationalUnitName
ne(b)=organizationalUnitName
OBJ_cmp(a,b)=0
xmlSecOpenSSLX509NamesCompare(): a1(buf)=/OU=test_certificate1/OU=test_certificate2/OU=test_certificate3
xmlSecOpenSSLX509NamesCompare(): b1(buf)=/OU=test_certificate1/OU=test_certificate3/OU=test_certificate2
test A4.1: return 1
xmlSecOpenSSLX509NamesCompare(): sorting a1 entries ...
ne(a)=organizationalUnitName
ne(b)=organizationalUnitName
OBJ_cmp(a,b)=0
ne(a)=organizationalUnitName
ne(b)=organizationalUnitName
OBJ_cmp(a,b)=0
xmlSecOpenSSLX509NamesCompare(): sorting b1 entries ...
ne(a)=organizationalUnitName
ne(b)=organizationalUnitName
OBJ_cmp(a,b)=0
ne(a)=organizationalUnitName
ne(b)=organizationalUnitName
OBJ_cmp(a,b)=0
xmlSecOpenSSLX509NamesCompare(): a1(buf)=/OU=test_certificate1/OU=test_certificate2/OU=test_certificate3
xmlSecOpenSSLX509NamesCompare(): b1(buf)=/OU=test_certificate2/OU=test_certificate1/OU=test_certificate2
test A4.2: return 1
xmlSecOpenSSLX509NamesCompare(): sorting a1 entries ...
ne(a)=organizationalUnitName
ne(b)=organizationalUnitName
OBJ_cmp(a,b)=0
ne(a)=organizationalUnitName
ne(b)=organizationalUnitName
OBJ_cmp(a,b)=0
xmlSecOpenSSLX509NamesCompare(): sorting b1 entries ...
ne(a)=organizationName
ne(b)=organizationalUnitName
OBJ_cmp(a,b)=-1
ne(a)=organizationalUnitName
ne(b)=organizationName
OBJ_cmp(a,b)=1
ne(a)=organizationalUnitName
ne(b)=organizationalUnitName
OBJ_cmp(a,b)=0
xmlSecOpenSSLX509NamesCompare(): a1(buf)=/OU=test_certificate1/OU=test_certificate2/OU=test_certificate3
xmlSecOpenSSLX509NamesCompare(): b1(buf)=/O=test_certificate2/OU=test_certificate2/OU=test_certificate3
test A4.3: return -1
==========================================
Test A4.1 must return 0; the other tests are correct.
I'm not familiar enough with the xmlsec source to fix the problem. Maybe OBJ_cmp is not enough?
I think that we should compare the data too.
I have a different implementation to compare two X509_NAMEs.
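The check this message asks for, comparing values as well as types, as an added example in C that is not part of the attached patch or of xmlsec: a minimal stand-in for X509_NAME entries in which a string compare on the type plays the role of OBJ_cmp. The names names_compare, cmp_type_only, cmp_type_and_value and the a1/b1 arrays are my own, built from the A4.1 output above.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for one X509_NAME_ENTRY: attribute type (e.g. "OU") and its value. */
typedef struct { const char *type; const char *value; } name_entry;
typedef int (*entry_cmp)(const name_entry *, const name_entry *);

/* Orders by type only, which is all OBJ_cmp on the object id does; entries of
 * the same type (several OUs) keep the order they arrived in. */
int cmp_type_only(const name_entry *a, const name_entry *b) { return strcmp(a->type, b->type); }

/* Orders by type, then by value, so repeated types get a canonical order. */
int cmp_type_and_value(const name_entry *a, const name_entry *b) {
    int r = strcmp(a->type, b->type);
    return r ? r : strcmp(a->value, b->value);
}

/* Stable insertion sort; stability makes the type-only outcome deterministic. */
static void sort_entries(name_entry *e, size_t n, entry_cmp cmp) {
    for (size_t i = 1; i < n; i++) {
        name_entry key = e[i];
        size_t j = i;
        while (j > 0 && cmp(&e[j - 1], &key) > 0) { e[j] = e[j - 1]; j--; }
        e[j] = key;
    }
}

/* Compare two names as unordered collections of entries: sort copies of both with
 * cmp, then compare position by position on type AND value. 0 means equal, -2 means
 * allocation failure. */
int names_compare(const name_entry *a, size_t na, const name_entry *b, size_t nb,
                  entry_cmp cmp) {
    if (na != nb) return na < nb ? -1 : 1;
    if (na == 0) return 0;
    name_entry *sa = malloc(na * sizeof *sa), *sb = malloc(nb * sizeof *sb);
    int r = -2;
    if (sa && sb) {
        memcpy(sa, a, na * sizeof *sa);
        memcpy(sb, b, nb * sizeof *sb);
        sort_entries(sa, na, cmp);
        sort_entries(sb, nb, cmp);
        r = 0;
        for (size_t i = 0; i < na && r == 0; i++)
            r = cmp_type_and_value(&sa[i], &sb[i]);
    }
    free(sa); free(sb);
    return r;
}

/* The A4.1 names from the output above (constructed): same three OUs, different order. */
const name_entry a1[] = {{"OU", "test_certificate1"}, {"OU", "test_certificate2"}, {"OU", "test_certificate3"}};
const name_entry b1[] = {{"OU", "test_certificate1"}, {"OU", "test_certificate3"}, {"OU", "test_certificate2"}};
```

With cmp_type_only the A4.1 names compare unequal, exactly as in the output above; with cmp_type_and_value the three OUs are first put in a canonical order and the names compare equal.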
Aleksey Sanin wrote:
Well, I am not sure that this is a valid syntax. Anyway, this function uses the OpenSSL function "OBJ_cmp". You can look at the code and find this out.
Aleksey
P.S. Subscribing to the mailing list would be a good idea if you want to have your messages actually delivered to the list and not trashed.
xmlsec1-20030207.patch.gz
Description: application/gzip
