CryptoSys PKI Pro Manual

LDAP String Representation of Distinguished Names

Use the PKI_X509_LDAP option with functions X509_CertIssuerName, X509_CertSubjectName and X509_QueryCert (with queries "issuerName" and "subjectName") to obtain the LDAP string representation of the distinguished name as per [RFC4514].

The LDAP string representation lists the RDN attributeName=attributeValue pairs separated by a comma (',' U+002C). These are output in 'reverse order', i.e. starting with the last element of the sequence and moving backwards toward the first. The attribute values are converted to UTF-8 encoding with special and unprintable characters escaped with a backslash ('\' U+005C). Unprintable characters are output in the form "\xx" where "xx" is the hexadecimal value of the byte. Special characters that are escaped by a backslash are any of the 7 characters ["+,;<=>], a leading space character, a leading '#' character, a trailing space character, or the backslash character itself.

The default behaviour is to display only printable ASCII characters and escape all others. You can add the PKI_X509_UTF8 flag to output all multibyte UTF-8 characters in their encoded byte form. Alternatively you can add the PKI_X509_LATIN1 flag to convert any UTF-8 characters that can be encoded as a single byte in Latin-1 (ISO-8859-1) - strictly speaking this does not conform to the LDAP specification (which requires UTF-8 encoding), but you may find it useful for display purposes: you can always save in UTF-8 encoding later.

The only RDN attributeType name strings output by the PKI_X509_LDAP option are the nine descriptions required by [RFC4514], namely

Any other attributeType will be displayed in dotted OID form, e.g. the emailAddress attribute type normally represented by E will be output as 1.2.840.113549.1.9.1.
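The following is an added example, not code from CryptoSys PKI, that applies the rules above (reverse RDN order, backslash escaping, per-byte \xx escaping of non-printable characters, dotted OID for attribute types outside the nine RFC 4514 names) to a constructed DN. The OID-to-short-name table and the `utf8` switch standing in for PKI_X509_UTF8 are assumptions of this example.

```python
from typing import List, Tuple

# The nine attribute types RFC 4514 requires to be written by short name.
# Assumed mapping from the standard OIDs (not taken from the manual page).
RFC4514_NAMES = {
    "2.5.4.3": "CN", "2.5.4.7": "L", "2.5.4.8": "ST", "2.5.4.10": "O",
    "2.5.4.11": "OU", "2.5.4.6": "C", "2.5.4.9": "STREET",
    "0.9.2342.19200300.100.1.25": "DC", "0.9.2342.19200300.100.1.1": "UID",
}
SPECIAL = set('"+,;<=>')  # the seven characters always escaped


def escape_value(value: str, utf8: bool = False) -> str:
    """Escape one attribute value as described above.

    utf8=False (the default behaviour): every byte of a non-printable or
    non-ASCII character is written as \\xx.  utf8=True (mimics the
    PKI_X509_UTF8 flag): multibyte UTF-8 characters are emitted unescaped.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        code = ord(ch)
        if ch == "\\" or ch in SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == last):   # leading/trailing space
            out.append("\\ ")
        elif ch == "#" and i == 0:                   # leading '#'
            out.append("\\#")
        elif code < 0x20 or code == 0x7F or (code > 0x7F and not utf8):
            out.append("".join("\\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def ldap_dn_string(rdns: List[Tuple[str, str]], utf8: bool = False) -> str:
    """rdns holds (OID, value) pairs in the DN's encoded order (first RDN
    first); the LDAP form lists them in reverse, last RDN first."""
    parts = []
    for oid, value in reversed(rdns):
        name = RFC4514_NAMES.get(oid, oid)  # other types stay in dotted form
        parts.append(f"{name}={escape_value(value, utf8)}")
    return ",".join(parts)


if __name__ == "__main__":
    # Constructed sample subject: C, O, emailAddress (by OID), CN with tricky chars.
    dn = [("2.5.4.6", "GB"), ("2.5.4.10", "Acme, Ltd"),
          ("1.2.840.113549.1.9.1", "jo@example.com"), ("2.5.4.3", " Müller #1 ")]
    print(ldap_dn_string(dn))        # CN=\ M\c3\bcller #1\ ,1.2.840...=jo@example.com,O=Acme\, Ltd,C=GB
    print(ldap_dn_string(dn, True))  # CN=\ Müller #1\ ,...
```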

This LDAP string feature is intended to be used to create an <X509IssuerName> element or <X509SubjectName> element within a Signature/KeyInfo/X509Data element in an XML-DSIG document.

Note that you cannot use this representation to specify a distinguished name when using X509_MakeCert. You must use the form described in Distinguished Names. The LDAP form is just for display.


Copyright © 2004-24 D.I. Management Services Pty Ltd. All rights reserved. Generated 2024-09-23T07:52:09Z.