xmlsec at roumenpetrov.info
Thu Jul 3 23:40:18 PDT 2003
Aleksey Sanin wrote:
>> In general to compare values in two X509 names we should do more
>> tasks, but at the moment this is enough.
> Can you give more details about this, please?
1.1) About PrintableString:
This specification requires only a subset of the name comparison
functionality specified in the X.500 series of specifications. The
requirements for conforming implementations are as follows:
Housley, et. al. Standards Track [Page 20]
RFC 2459 Internet X.509 Public Key Infrastructure January 1999
(a) attribute values encoded in different types (e.g.,
PrintableString and BMPString) may be assumed to represent
(b) attribute values in types other than PrintableString are case
sensitive (this permits matching of attribute values as binary
(c) attribute values in PrintableString are not case sensitive
(e.g., "Marianne Swanson" is the same as "MARIANNE SWANSON"); and
(d) attribute values in PrintableString are compared after
removing leading and trailing white space and converting internal
substrings of one or more consecutive white space characters to a
1.2) About IA5String:
In addition, legacy implementations exist where an RFC 822 name is
embedded in the subject distinguished name as an EmailAddress
attribute. The attribute value for EmailAddress is of type IA5String
to permit inclusion of the character '@', which is not part of the
PrintableString character set. EmailAddress attribute values are not
case sensitive (e.g., "fanfeedback@redsox.com" is the same as
"FANFEEDBACK@REDSOX.COM").
2.) Discussion about generalization of X509_NAME_cmp on the OpenSSL
mailing list (bugs?) (I cannot remember the URL[s]). X509_NAME_cmp generalization
is postponed for the OpenSSL 0.9.8 release.
>> Could you add "const" to suppress warnings:
Might be because I always use CFLAGS="-O2 -Wall" to build all packages?
> No warnings for me... but I added 'const' word as you've suggested.
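
The comparison rules quoted from RFC 2459 in this message, as an added example that is not part of the original post and is not xmlsec or OpenSSL code. The type tags and function names are hypothetical, and the cut-off endings of rules (a) and (d) are read here as "different strings" and "a single space", which is an assumption about the truncated quote.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical type tags for this example (not OpenSSL or xmlsec constants). */
enum str_type { T_PRINTABLE, T_IA5_EMAIL, T_BMP, T_OTHER };
struct attr_value { enum str_type type; const char *data; size_t len; };

/* Locale-independent ASCII case folding. */
static int fold(unsigned char c) { return (c >= 'A' && c <= 'Z') ? c + 32 : c; }

/* Next character of a PrintableString in canonical form: leading and
 * trailing spaces dropped, internal runs folded to one ' ', case folded.
 * Returns -1 at the end of the value. */
static int next_canon(const struct attr_value *v, size_t *pos, int *started)
{
    size_t i = *pos;
    while (i < v->len && v->data[i] == ' ') i++;
    int skipped = (i > *pos);
    *pos = i;
    if (i >= v->len) return -1;              /* trailing space is dropped */
    if (skipped && *started) return ' ';     /* internal run -> one space */
    *started = 1;
    *pos = i + 1;
    return fold((unsigned char)v->data[i]);
}

/* Returns 1 if the two attribute values match under rules (a)-(d), else 0. */
int attr_value_equal(const struct attr_value *a, const struct attr_value *b)
{
    if (a->type != b->type) return 0;        /* (a): assumed ending, see lead-in */
    if (a->type == T_PRINTABLE) {            /* (c) and (d) */
        size_t pa = 0, pb = 0;
        int sa = 0, sb = 0, ca, cb;
        do {
            ca = next_canon(a, &pa, &sa);
            cb = next_canon(b, &pb, &sb);
            if (ca != cb) return 0;
        } while (ca != -1);
        return 1;
    }
    if (a->len != b->len) return 0;
    if (a->type != T_IA5_EMAIL)              /* (b): case-sensitive binary match */
        return memcmp(a->data, b->data, a->len) == 0;
    for (size_t i = 0; i < a->len; i++)      /* EmailAddress: not case sensitive */
        if (fold((unsigned char)a->data[i]) != fold((unsigned char)b->data[i])) return 0;
    return 1;
}

/* Convenience wrapper for C-string inputs (constructed sample values). */
int values_match(enum str_type ta, const char *sa, enum str_type tb, const char *sb)
{
    struct attr_value a = { ta, sa, strlen(sa) }, b = { tb, sb, strlen(sb) };
    return attr_value_equal(&a, &b);
}
```
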