mpeylo / cmpossl

An OpenSSL-based implementation of the Certificate Management Protocol (CMP), defined in IETF RFCs 4210, 4211, and 6712. It is being extended according to the emerging RFCs 'CMP Updates' (CMPv3), 'CMP Algorithms', and 'Lightweight CMP Profile'.
https://github.com/mpeylo/cmpossl/wiki

Distinguished Names (DNs) should match regardless of order of RDNs #190

Closed DDvO closed 3 years ago

DDvO commented 5 years ago

Due to an implicit limitation of the OpenSSL function X509_NAME_cmp used in particular for matching the expected and actual sender name of a CMP response, DNs do not match if their components are not in the same order, yielding an error like

12928:error:350A80A7:CMP routines:CMP_validate_msg:unexpected sender:crypto\cmp\cmp_vfy.c:644:
expected = /CN=server/C=DE
  actual = /C=DE/CN=server

A workaround is to explicitly set the expected sender name like this:

expect_sender = "/C=DE/CN=server"

As a real solution we may ask OpenSSL to generalize their function or generalize it ourselves.

DDvO commented 3 years ago

In the meantime I've learned via https://github.com/openssl/openssl/issues/12765 that the order of RDNs actually does matter. Only within multi-valued RDNs, which are very rarely used, is the order of values irrelevant. So I'm closing this as invalid (not a bug).
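The matching rule the issue settles on (RDN sequence order is significant, value order inside a multi-valued RDN is not), as an added self-contained illustration that is not part of this issue and not OpenSSL's `X509_NAME_cmp`. It assumes the OpenSSL one-line DN syntax seen in the error above, with `+` joining the values of one multi-valued RDN, and does not handle escaped `/` or `+` characters or the case and whitespace normalisation that OpenSSL's canonical encoding also applies.

```python
"""Order-aware DN matching for OpenSSL one-line DNs such as "/C=DE/CN=server".

Hypothetical re-implementation for illustration only. Rule demonstrated:
the sequence of RDNs is significant, but the order of values within a single
multi-valued RDN ("CN=a+OU=b") is not, which is how a DER SET OF is compared.
Escaping of '/' and '+' and string normalisation are deliberately out of scope.
"""


def parse_dn(dn):
    """Return the DN as a list of RDNs, one per '/'-separated component.

    Each RDN is a sorted tuple of (type, value) pairs, so two multi-valued
    RDNs compare equal regardless of the order their values were written in.
    """
    if not dn.startswith("/"):
        raise ValueError("expected an OpenSSL one-line DN starting with '/'")
    rdns = []
    for rdn in dn[1:].split("/"):
        if not rdn:
            continue  # tolerate a trailing slash
        avas = []
        for ava in rdn.split("+"):
            attr_type, sep, value = ava.partition("=")
            if not sep or not attr_type:
                raise ValueError("malformed RDN component: %r" % ava)
            avas.append((attr_type.strip(), value))
        rdns.append(tuple(sorted(avas)))
    return rdns


def dn_match(expected, actual):
    """True iff both DNs contain the same RDNs in the same sequence order."""
    return parse_dn(expected) == parse_dn(actual)


def demo():
    """Constructed samples mirroring the issue; returns the three verdicts."""
    return (
        # RDN order differs: correctly *not* a match (the case from the report)
        dn_match("/CN=server/C=DE", "/C=DE/CN=server"),
        # same RDN order: match (what expect_sender = "/C=DE/CN=server" relies on)
        dn_match("/C=DE/CN=server", "/C=DE/CN=server"),
        # multi-valued RDN: value order inside the RDN is irrelevant
        dn_match("/C=DE/CN=server+OU=ops", "/C=DE/OU=ops+CN=server"),
    )


if __name__ == "__main__":
    print(demo())
```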