From: Jean-Paul C. <ex...@di...> - 2008-07-03 14:23:53
On Thu, 3 Jul 2008 15:53:46 +0300, BRACHET Maxime <mi...@gm...> wrote:
>Hi,
>
>If the Subject contains multiple CNs, X509Name.CN returns only the first.
>In the RFC 3820 part 3.4 : http://www.ietf.org/rfc/rfc3820.txt
>To generate a Proxy certificate I need to add a CN to the subject.
>MyProxy is a Proxy Credential Server : http://grid.ncsa.uiuc.edu/myproxy/
>
>I can add a new one by doing
>cert.get_subject().CN += '/CN=foo'
>
>but it is not really a proper way.
>
>Thanks for your response.
>Maxime.

Ah, thanks for explaining. I haven't seen that RFC before. I have a bit of trouble following section 3.4. My naive reading suggests that something like this would be correct:

    subject = cert.get_subject()
    issuer = cacert.get_issuer()
    for k, v in issuer.get_components():
        setattr(subject, k, v)
    subject.CN = 'foo'

However, I'm not very confident that this is a correct interpretation (or that it even makes any kind of sense).

You are right that the API for modifying X509Name objects in pyOpenSSL is limited and missing certain functionality. If it's necessary to add a new API for appending a new component to an X509Name to support this, I'd be happy to accept a patch for this (I may even be interested in working on it myself once I have a better understanding of the requirements).

Sorry I couldn't give a more definite answer.

Jean-Paul
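Added example, not part of the original thread and not pyOpenSSL code: a check of the RFC 3820 section 3.4 subject rule (issuer's subject plus exactly one appended CN) done on name components rather than on a slash-joined string. Names are modelled as lists of (attribute, value) tuples, the shape `get_components()` returns; the function names and sample values are hypothetical, and the "overwritten" case assumes that assigning `CN` replaces the existing component.

```python
def make_proxy_subject(issuer_subject, proxy_cn):
    """Return the issuer's subject with one extra CN component appended."""
    if not proxy_cn:
        raise ValueError("proxy CN must be non-empty")
    return list(issuer_subject) + [("CN", proxy_cn)]


def is_valid_proxy_subject(issuer_subject, proxy_subject):
    """True only if proxy_subject is issuer_subject plus exactly one CN."""
    issuer_subject = list(issuer_subject)
    proxy_subject = list(proxy_subject)
    if len(proxy_subject) != len(issuer_subject) + 1:
        return False
    if proxy_subject[:-1] != issuer_subject:
        return False
    attr, value = proxy_subject[-1]
    return attr == "CN" and bool(value)


def oneline(components):
    """Simplified slash-joined rendering that does not escape '/'."""
    return "".join("/%s=%s" % (k, v) for k, v in components)


# Constructed sample data: subject of the certificate that issues the proxy.
EEC_SUBJECT = [("C", "US"), ("O", "Example Grid"), ("CN", "Alice")]

# A new CN component appended as section 3.4 requires.
APPENDED = make_proxy_subject(EEC_SUBJECT, "12345")

# Result of `CN += '/CN=12345'`: still one CN, with a slash inside its value.
STRING_HACK = EEC_SUBJECT[:-1] + [("CN", "Alice/CN=12345")]

# Result if assigning CN replaces the existing component (assumption).
OVERWRITTEN = EEC_SUBJECT[:-1] + [("CN", "12345")]


def report():
    """Map each constructed case to (rendered string, passes the check)."""
    cases = {"appended": APPENDED, "string_hack": STRING_HACK,
             "overwritten": OVERWRITTEN}
    return {name: (oneline(c), is_valid_proxy_subject(EEC_SUBJECT, c))
            for name, c in cases.items()}


if __name__ == "__main__":
    for name, (text, ok) in report().items():
        print("%-12s %-45s valid=%s" % (name, text, ok))
```

The appended and string-concatenated names render to the same slash-joined text, so only the component-wise comparison tells them apart.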