Subject comparing #14
Comments
I am afraid I do not understand the problem properly. So if the program complains about differing subjects but continues anyway you should be fine.
Maybe it is an OpenSSL issue when X509_NAME_cmp() is executed. I need to find matches in the certificate subject:
I understand you actually WANT to match the cert subject against the csr subject? I don't know why this would be useful (in fact it can cause a lot of trouble, which is why the original check was removed from the sscep code). Your problem is very likely caused by a nasty side effect of the OpenSSL X509_NAME_cmp() function: even if the string representation of a subject looks exactly the same, the corresponding DER representation does not necessarily have to match. For example, I had the problem that the request contained a BMPString with the requested subject. The CA then returned a certificate with the exact same subject, but encoded as IA5String (or vice versa). The OpenSSL compare function considers the strings different even if their ASCII representation is identical.
OK, I understood. The best solution is to disable subject comparison. Am I right?
In my opinion and from my experience designing and developing PKI solutions (OpenXPKI and CertNanny) I think it is best to disable it - it does hurt more than help.
I have a problem and I need your advice.
I create a CSR with CN=Test User, and after enrollment I receive a certificate with a subject like: (/C=US/ST=Qwerty/L=Asdfg/O=Test organization/CN=Test User)
And when sscep compares the subjects I get false:
X509_NAME_cmp() workaround: strcmp request subject (/CN=Test User) to cert subject (/C=US/ST=Qwerty/L=Asdfg/O=Test organization/CN=Test User)
How can I check whether the certificate subject contains the request subject?
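
Added example, not part of the thread and not sscep's code: standard-library Python that builds the two subjects quoted above, shows that the same CN encoded as BMPString and as IA5String differs at the DER level, and checks containment by comparing decoded attributes instead of searching the one-line string. The helper names (`tlv`, `read_tlv`, `build_name`, `decode_name`, `subject_contains`) and the sample values are constructed for illustration.

```python
# Added illustration, not sscep or OpenSSL code; all names are hypothetical.
CODECS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii", 0x1E: "utf-16-be"}
OIDS = {k: bytes([0x55, 4, n])  # DER body of OID 2.5.4.n
        for k, n in (("CN", 3), ("C", 6), ("L", 7), ("ST", 8), ("O", 10))}

def tlv(tag, body):
    """Encode one DER TLV (short length form, enough for these samples)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV at pos; handles long lengths."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def build_name(attrs, tag):
    """Build a DER Name, one attribute per RDN, values encoded as `tag`."""
    rdns = b""
    for key, value in attrs:
        atv = tlv(0x06, OIDS[key]) + tlv(tag, value.encode(CODECS[tag]))
        rdns += tlv(0x31, tlv(0x30, atv))
    return tlv(0x30, rdns)

def decode_name(der):
    """Decode a DER Name into a set of (oid_bytes, text) pairs."""
    out, pos = set(), 0
    _, seq, _ = read_tlv(der, 0)
    while pos < len(seq):
        _, rdn, pos = read_tlv(seq, pos)      # one RDN (SET OF)
        p = 0
        while p < len(rdn):
            _, atv, p = read_tlv(rdn, p)      # AttributeTypeAndValue
            _, oid, q = read_tlv(atv, 0)
            tag, val, _ = read_tlv(atv, q)
            out.add((oid, val.decode(CODECS[tag])))  # KeyError: unsupported type
    return out

def subject_contains(cert_der, req_der):
    """True if every request-subject attribute appears in the cert subject."""
    return decode_name(req_der) <= decode_name(cert_der)

REQ_BMP = build_name([("CN", "Test User")], 0x1E)  # BMPString (constructed)
REQ_IA5 = build_name([("CN", "Test User")], 0x16)  # IA5String (constructed)
CERT = build_name([("C", "US"), ("ST", "Qwerty"), ("L", "Asdfg"),
                   ("O", "Test organization"), ("CN", "Test User")], 0x13)
```

The comparison is exact after decoding: no case folding or whitespace normalization is applied, and a string type missing from `CODECS` raises `KeyError` rather than being guessed.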