Re: Are there DName encoding samples? from Tom Gindin on 2002-03-09 (w3c-ietf-xmldsig@w3.org from January to March 2002)

From: Tom Gindin <tgindin@us.ibm.com>
Date: Sat, 9 Mar 2002 08:00:45 -0500
To: "Harada" <harada@prs.cs.fujitsu.co.jp>
Cc: <w3c-ietf-xmldsig@w3.org>
Message-ID: <OF810BCF86.1D7C2184-ON85256B77.0046BAEB@pok.ibm.com>

      I am a little confused by the procedure here.  You're not supposed to
escape anything in creating the certificate, just in creating the X509Data
fields.  If you do that, the fact that running this transform multiple
times in the same direction produces different results than running it once
should not hurt you.
      My impression was that the transform defined in the spec defined what
should happen when you convert the certificate's DER (or BER) encoding of a
Distinguished Name to XML.  You may need to code a reverse transform into
either DER or RFC 2253 format to reach the format other API's want.  In
particular, that reverse transform will need to get rid of entity
definitions like &gt.  The problems this leaves seem to be restricted to
quote framing - the different results for ST and L (obviously determined by
the trailing space), and the bizarre result for CN, are things which an
implementation would need to avoid.
      The work you are doing seems quite valuable.  Good luck!

            Tom Gindin

"Harada" <harada@prs.cs.fujitsu.co.jp>@w3.org on 03/09/2002 12:40:21 AM

Sent by:    w3c-ietf-xmldsig-request@w3.org


To:    <w3c-ietf-xmldsig@w3.org>
cc:
Subject:    Re: Are there DName encoding samples?


Hi,

 This is an report of DName encoding implementation.

 I tried implementing the encoding, and find something and report it.
For Java and MS Crypto, DNames seem to be encoded.

 For an example of Java, the DName got by the API is
<X509SubjectName>CN=HARADA\"KAZUYUKI \", OU="#Project,A+XML;&lt;Kiban&gt;",
O="FUJITSU\\limited;", L="YOKOAMA
SI", ST=KANAGAWA KEN, C=JP</X509SubjectName>
(I succeeded containing letters #x11, #x1C, #x0A by keytool.)

 Similar DName in another key store,
(I cannot creat a csr containing the letters #x11,.. for it, so I replaced
the letters to spaces.)
<X509SubjectName>CN=HARADA\"KAZUYUKI \", OU="#Project,A+XML;&lt;Kiban&gt;",
O="FUJITSU\\limited;", L="YOKO AMA  SI", ST="KANAGAWA KEN ", C=JP,
EMAILADDRESS=harada@prs.cs.fujitsu.co.jp</X509SubjectName>

 And exporting this certificate to pfx file and importing to MS Crypto,
I get a XML Signature of
<X509SubjectName>E=harada@prs.cs.fujitsu.co.jp, C=JP, S="KANAGAWA KEN ",
L=YOKO AMA  SI, O="FUJITSU\limited;", OU="#Project,A+XML;&lt;Kiban&gt;",
CN="HARADA""KAZUYUKI """</X509SubjectName>

 Now I am thinking my signature processor SHOULD NOT escaping the letters :
",", "+", """, "\", "<", ">", ";", or beggining "#".
(It is escaped in obedience to MS or Java API.)
And my processor SHOULD escape characters of Unicode range \x00 - \x1f.

----- Original Message -----
From: "Harada" <harada@prs.cs.fujitsu.co.jp>
To: "Tom Gindin" <tgindin@us.ibm.com>
Cc: <w3c-ietf-xmldsig@w3.org>
Sent: Tuesday, March 05, 2002 10:04 PM
Subject: Re: Are there DName encoding samples?


> Gindin-san
>
>  Thank you very much.
>  I was led into wrong way missing a simple example.
> I know little RFC 2253, and my processor produces as:
> <X509IssuerName>CN=J. Random Nerd\,  O=Dewey\, Cheatham\, \+ Howe\,
>               L=Nowhere\, ST=AK\, C=US</X509IssuerName>
>  It's my misunderstanding.

Received on Saturday, 9 March 2002 08:50:40 UTC