[xmlsec] x509vfy.c:xmlSecOpenSSLX509NamesCompare()

Roumen Petrov xmlsec at roumenpetrov.info
Thu Jul 3 23:40:18 PDT 2003


Aleksey Sanin wrote:

>
>> In general to compare values in two X509 names we should do more
>> tasks, but at the moment this is enough.
>
>
> Can you give more details about this, please?

1.1) About PrintableString:
=================================================
This specification requires only a subset of the name comparison
   functionality specified in the X.500 series of specifications.  The
   requirements for conforming implementations are as follows:




Housley, et. al.            Standards Track                    [Page 20]

RFC 2459        Internet X.509 Public Key Infrastructure    January 1999


      (a) attribute values encoded in different types (e.g.,
      PrintableString and BMPString) may be assumed to represent
      different strings;

      (b) attribute values in types other than PrintableString are case
      sensitive (this permits matching of attribute values as binary
      objects);

      (c) attribute values in PrintableString are not case sensitive
      (e.g., "Marianne Swanson" is the same as "MARIANNE SWANSON"); and

      (d) attribute values in PrintableString are compared after
      removing leading and trailing white space and converting internal
      substrings of one or more consecutive white space characters to a
      single space.
=================================================
1.2) About IA5String:
   In addition, legacy implementations exist where an RFC 822 name is
   embedded in the subject distinguished name as an EmailAddress
   attribute.  The attribute value for EmailAddress is of type IA5String
   to permit inclusion of the character '@', which is not part of the
   PrintableString character set.  EmailAddress attribute values are not
   case sensitive (e.g., "fanfeedback@redsox.com" is the same as
   "FANFEEDBACK@REDSOX.COM").
=================================================

2.) Discussion about generalization of X509_NAME_cmp on the OpenSSL
mailing list (bugs?) (I cannot remember the URL[s]). X509_NAME_cmp
generalization is postponed for the OpenSSL 0.9.8 release.

>
>
>> Could you add "const" to suppress warnings:
>
Maybe because I always use CFLAGS="-O2 -Wall" to build all packages?

>
> No warnings for me... but I added 'const' word as you've suggested.
>
> Aleksey
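
The comparison rules quoted from RFC 2459 in 1.1 and 1.2 above, as an added C example that is not part of the original message and is not xmlsec or OpenSSL code. The `name_value` type, the function names and the `is_email` flag are assumptions made for this example; the tag numbers are the ASN.1 universal tags of the string types.

```c
#include <ctype.h>
#include <string.h>

/* ASN.1 universal tag numbers of the string types named in the RFC text. */
enum { TAG_PRINTABLESTRING = 19, TAG_IA5STRING = 22, TAG_BMPSTRING = 30 };
/* Hypothetical value type: string type plus raw bytes (not NUL-terminated). */
typedef struct { int tag; const unsigned char *data; size_t len; } name_value;

/* Next character of a PrintableString in compare form: lower-cased (c),
 * outer white space dropped and inner runs folded to one ' ' (d); -1 at end. */
static int next_canon(const name_value *v, size_t *pos)
{
    size_t i = *pos;
    while (i < v->len && isspace(v->data[i])) i++;
    if (i == v->len) { *pos = i; return -1; }            /* trailing space */
    if (i > *pos && *pos > 0) { *pos = i; return ' '; }  /* internal run */
    *pos = i + 1;
    return tolower(v->data[i]);
}

/* Returns 1 when two attribute values match; is_email marks EmailAddress. */
int name_value_equal(const name_value *a, const name_value *b, int is_email)
{
    size_t pa = 0, pb = 0, i;
    int ca, cb;
    if (a->tag != b->tag) return 0;                      /* rule (a) */
    if (a->tag == TAG_PRINTABLESTRING) {                 /* rules (c), (d) */
        do { ca = next_canon(a, &pa); cb = next_canon(b, &pb); }
        while (ca == cb && ca != -1);
        return ca == cb;
    }
    if (a->len != b->len) return 0;
    if (a->tag == TAG_IA5STRING && is_email) {           /* 1.2: no case */
        for (i = 0; i < a->len; i++)
            if (tolower(a->data[i]) != tolower(b->data[i])) return 0;
        return 1;
    }
    return a->len == 0 || memcmp(a->data, b->data, a->len) == 0; /* rule (b) */
}

/* Wrapper over C strings, for the constructed sample values only. */
int str_equal(int ta, const char *a, int tb, const char *b, int is_email)
{
    name_value x = { ta, (const unsigned char *)a, strlen(a) };
    name_value y = { tb, (const unsigned char *)b, strlen(b) };
    return name_value_equal(&x, &y, is_email);
}

int main(void) { return !str_equal(19, " Marianne  Swanson ", 19, "MARIANNE SWANSON", 0); }
```

A byte-wise comparison of the same two PrintableString values reports a mismatch, which is the gap between a plain memcmp-style compare and rules (c) and (d).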





