authorDaniel Kahn Gillmor <dkg@fifthhorseman.net>2021-05-18 16:32:55 -0400
committerDaniel Kahn Gillmor <dkg@fifthhorseman.net>2021-05-28 14:06:48 -0400
commitf2b207b3aebe298d99810235d97cb120853b051f (patch)
tree9c3a972b106452f34d61a21554385bda5a634c8d /src
parentd2c249054f9abc17352c7a8807de2d7ed847c212 (diff)
certtool: order DN components by scale.
DN components are expected to be ordered by scale, with the wire format representing larger-scale components (like country or organization) before smaller-scale components (like state or organizationalUnit). The bulk of the changes here of course are changes to the target certificates in the test suite. Note that a change was necessary in tests/cert-tests/crq.sh because it tests the "interactive" mode of certtool. If any user is scripting certtool in this way, this change will cause a backwards-incompatible break. However, I think this is OK -- the supported scripted/batch mode for certtool should use a template file, and I don't think it's important to maintain a strict api on the interactive mode. The main change here is to order the DN from least-specific-to-most, in particular: country, state, locality, org, orgunit, cn, uid But I've also made an additional arbitrary choice, which is that DC (domain component) comes *after* uid. This was already the case in certificate generation, but in *request* generation, it was the other way around. I've changed request generation to match this ordering from certificate generation. Closes: #1243 Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Diffstat (limited to 'src')
-rw-r--r--src/certtool.c22
1 files changed, 11 insertions, 11 deletions
diff --git a/src/certtool.c b/src/certtool.c
index 3c81155a92..1e0814a51f 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -363,13 +363,13 @@ generate_certificate(gnutls_privkey_t * ret_key,
} else {
get_dn_crt_set(crt);
+ get_country_crt_set(crt);
+ get_state_crt_set(crt);
+ get_locality_crt_set(crt);
+ get_organization_crt_set(crt);
+ get_unit_crt_set(crt);
get_cn_crt_set(crt);
get_uid_crt_set(crt);
- get_unit_crt_set(crt);
- get_organization_crt_set(crt);
- get_locality_crt_set(crt);
- get_state_crt_set(crt);
- get_country_crt_set(crt);
get_dc_set(TYPE_CRT, crt);
get_oid_crt_set(crt);
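Review bot: Nothing in this else-branch records that the order of the setter calls is now significant, so a later tidy-up could silently change the encoded subject DN again; the same applies to the reordered block in generate_request(). The call sequence presumably determines the RDN order in the encoded name, and DN matching during chain building is commonly done on the encoded form, so a CA certificate re-issued with the new order may no longer match the issuer field of certificates issued under the old one; that deserves a line in the release notes next to the interactive-mode break. I would add a comment above the first setter in both functions, e.g. `/* RDN order is part of the encoded DN: C, ST, L, O, OU, CN, UID, DC. Keep in sync with generate_request(). */`. Both function bodies start and end outside the hunks shown, so how get_dn_crt_set() interacts with the per-component setters cannot be checked from here.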
@@ -1923,15 +1923,15 @@ void generate_request(common_info_st * cinfo)
*/
get_dn_crq_set(crq);
- get_cn_crq_set(crq);
- get_unit_crq_set(crq);
- get_organization_crq_set(crq);
- get_locality_crq_set(crq);
- get_state_crq_set(crq);
get_country_crq_set(crq);
+ get_state_crq_set(crq);
+ get_locality_crq_set(crq);
+ get_organization_crq_set(crq);
+ get_unit_crq_set(crq);
+ get_cn_crq_set(crq);
- get_dc_set(TYPE_CRQ, crq);
get_uid_crq_set(crq);
+ get_dc_set(TYPE_CRQ, crq);
get_oid_crq_set(crq);
get_dns_name_set(TYPE_CRQ, crq);