The CertDN class is used in the new user operation to obtain the Subject
DN when only the CN has been provided, or when an existing certificate
is used. This Subject DN is printed as the result of the
nimbus-new-user call, and is also added to the gridmap and the
A problem appeared when a CN was containing an equal sign, such as
Bob Oblaw_97/Emailemail@example.com. The existing CertDN code would
escape this equal sign and produce Bob Oblaw_97/Email\=firstname.lastname@example.org.
The escaped string would be used for the gridmap and group-authz files.
However, Globus does not use escaped strings internally, and would fail
to match the DN of a service request against these files.
Another bug appears for certificates with emailAddress fields, such as
CN=Bob Oblaw_97/emailAddressemail@example.com. In this case, Globus will
recognize it as CN=Bob Oblaw_97/Efirstname.lastname@example.org, and fail to find the
DN in gridmap and group-authz.
Changing the CertDN code to be closer to existing Globus code, namely
org.globus.tools.CertInfo, creates Subject DN strings that Globus can