This is a discussion on Re: x509_name_cmp for different encodings - Openssl ; On Wed, 2008-08-13 at 17:03 -0700, Mohan, Dharmendra wrote: > Hi, > > > > I had a list of CA certificates, a few with different encoding > than PRINTABLE encoding like T61 and UTF8. I am running into the ...
On Wed, 2008-08-13 at 17:03 -0700, Mohan, Dharmendra wrote:
> I had a list of CA certificates, a few with different encoding
> than PRINTABLE encoding like T61 and UTF8. I am running into the
> problem of not able to verify some of the certificates issued by CA
> certificates in cert store despite the fact that they do exist in the
> Deep analysis of the code revealed that the problem is with sorting and searching. The sorted list is not correct and hence the binary search fails. The root cause of the problem turned out to be the function – X509_NAME_cmp. It appears that it doesn’t implement the comparisons as specified in RFC5280 which refers to RFC4518 for rules to do comparison for Internationalized Names in Distinguished Names. To quote from RFC4518 –
> The lack of precise specification for character string matching has
> led to significant interoperability problems. When used in
> certificate chain validation, security vulnerabilities can arise. To
> address these problems, this document defines precise algorithms for
> preparing character strings for matching.
> Is there a plan to implement RFC4518 for comparison rules? Or are they being implemented currently?
> Is their a workaround to support a list of CA certificates with mixed encoding in the meantime?
We've ran into the same issues earlier. There are two open PR tracker
items, but apart from some hacky patches no real solution exists.
OpenSSL Project http://www.openssl.org
Development Mailing List firstname.lastname@example.org
Automated List Manager email@example.com