[openssl-users] Escaped Issuer/Subject

Michael Wojcik Michael.Wojcik at microfocus.com
Wed Apr 12 13:18:01 UTC 2017


> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of c.holper at ades.at
> Sent: Wednesday, April 12, 2017 00:47
> 
> I thought about escaping regarding DN itself (LDAP DN).

It's an X.400 DN. LDAP is a protocol and an API; there's no necessary relationship between X.509 certificates and LDAP.

More importantly, escaping is an aspect of interpretation, not source. If you need an X.400 DN escaped in, say, an LDAP context such as a value in a search filter, that's a requirement of LDAP, and the transformation is determined by LDAP. It is not a property of the "DN itself". Escaping a DN for a particular context is no different from escaping any other string for that context.

Your conceptual model is wrong, and that is a Bad Thing, particularly with escaping. Having the wrong conceptual model when escaping data leads to difficult-to-find errors and security vulnerabilities.

Rich has mentioned -nameopt and its implementing code, which may serve as a guide. But they're unlikely to precisely meet your requirements, whatever they actually are.

Michael Wojcik 
Distinguished Engineer, Micro Focus 
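
Added example, not part of the original message and not OpenSSL code: the same raw attribute value escaped for two different target contexts, an RFC 4514 string DN and an RFC 4515 LDAP search filter. The function names and the sample value are hypothetical, constructed for illustration.

```python
# Added example: one raw value, two contexts, two different escapings.
# The escaping rules belong to the target context, not to the name itself.

DN_SPECIALS = '"+,;<>\\'  # characters RFC 4514 requires escaping anywhere
FILTER_SPECIALS = {       # characters RFC 4515 requires escaping, as \XX hex
    '\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00',
}

def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside an RFC 4514 string DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == '\0':
            out.append('\\00')
        elif ch in DN_SPECIALS:
            out.append('\\' + ch)
        elif (i == 0 and ch in ' #') or (i == last and ch == ' '):
            out.append('\\' + ch)  # leading space/'#', trailing space
        else:
            out.append(ch)
    return ''.join(out)

def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an RFC 4515 search filter."""
    return ''.join(FILTER_SPECIALS.get(ch, ch) for ch in value)

# Constructed sample: a commonName as decoded, unescaped, from a subject name.
RAW_CN = 'Smith, J. (ops)*'

def build_dn(cn: str) -> str:
    return 'CN=' + escape_dn_value(cn) + ',O=Example'

def build_filter(cn: str) -> str:
    return '(cn=' + escape_filter_value(cn) + ')'

def build_filter_wrong_context(cn: str) -> str:
    # Mistake shown on purpose: DN escaping applied where filter escaping
    # is required, so '(', ')' and '*' keep their filter meaning.
    return '(cn=' + escape_dn_value(cn) + ')'

if __name__ == '__main__':
    print(build_dn(RAW_CN))
    print(build_filter(RAW_CN))
    print(build_filter_wrong_context(RAW_CN))
```
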



