No response from openssl-users, hence trying the dev alias.
I have a X509_NAME variable which contains something like
I want to modify this into
i.e. I want to change the OU from "myou" to "yourou"
Extracting the different RDNs (CN, OU & O) and recreating a new X509_NAME using
X509_NAME_add_entry with loc as -1 works fine.
However, if I try to modify the existing X509_NAME by deleting the CN
from it & then
inserting the modified CN in between the exiting CN & O gives me problems.
This is what I tried.
- Get the index of the OU - it was 1.
- Now called X509_NAME_delete_entry with index 1 - worked fine.
- Next called X509_NAME_add_entry_by_txt with "yourou" & "OU" & loc as 1.
- This did insert the modified CN, but it made the OU & O as a
multivalued RDN instead
of making the OU as a separate RDN.
i.e. my X509_NAME becomes /CN=my/OU=yourou+O=myo
instead of /CN=my/OU=yourou/O=myo
I debugged through the add_entry code & it boiled down to the handling of the
"set" field in the X509_NAME_ENTRY structure.
This is the structure.
typedef struct X509_name_entry_st
int size; /* temp variable */
Can someone help me understand the set member in this structure.
When you delete a NAME_ENTRY & insert another on that point, the function
X509_NAME_add_entry doesn't seem to adjust the "set" member
of the X509_NAME_ENTRY structure like the way I think it should.
Hence the insertion causes the OU we are inserting to be
treated as a part of the previous field (CN) - i.e. it becomes
a multi-valued RDN, rather than a new RDN in the NAME.
This happens because the "set" field of all NAME_ENTRIES
beyond the insertion point doesn't get incremented - not sure
if this is a bug in the function or I am misunderstanding something.
I feel this is how the "set" member should be adjusted I think.
if(loc == -1 or loc == <current size>)
<don't increment "set" field of any other node>
<increment "set field" of all nodes beyond insertion point>.
I am referring to the X509_NAME_add_entry function sources in x509name.c
Can someone tell if this is a bug or am I misunderstanding how this is supposed
OpenSSL Project [url]http://www.openssl.org[/url]
Development Mailing List [email]email@example.com[/email]
Automated List Manager [email]firstname.lastname@example.org[/email]