92e332501a
The Chromium certificate verifier ends up encoding a SET OF when canonicalizing X.509 names. Requiring the caller canonicalize a SET OF is complicated enough that we should probably sort it for folks. (We really need to get this name canonicalization insanity out of X.509...) This would remove the extra level of indirection in Chromium net/cert/internal/verify_name_match.cc CBB usage.

Note this is not quite the same order as SET, but SET is kind of useless. Since it's encoding heterogeneous values, it is reasonable to require the caller just encode them in the correct order. In fact, a DER SET is just SEQUENCE with a post-processing step on the definition to fix the ordering of the fields. (Unless the SET contains an untagged CHOICE, in which case the ordering is weird, but SETs are not really used in the real world, much less SETs with untagged CHOICEs.)

Bug: 11
Change-Id: I51e7938a81529243e7514360f867330359ae4f2c
Reviewed-on: https://boringssl-review.googlesource.com/24444
Reviewed-by: Adam Langley <agl@google.com>
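The ordering step the commit message refers to, as an added stand-alone example that is not BoringSSL's code: DER requires the elements of a SET OF to appear in ascending order of their complete encodings, compared as octet strings. The names `elem_t`, `tlv_len`, `cmp_elem` and `sort_set_of` are hypothetical, and the parser is simplified (single-byte tags, at most 64 elements, no check for minimal length encoding).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { const uint8_t *p; size_t len; } elem_t;
/* Size of the TLV at `in`, or 0 if malformed (single-byte tags, definite lengths). */
static size_t tlv_len(const uint8_t *in, size_t avail) {
  if (avail < 2 || (in[0] & 0x1f) == 0x1f) return 0;
  size_t hdr = 2, n = in[1];
  if (n & 0x80) {  /* long form: low 7 bits count the length octets */
    size_t k = n & 0x7f;
    if (k == 0 || k > 4 || avail < 2 + k) return 0;
    for (n = 0; hdr < 2 + k; hdr++) n = (n << 8) | in[hdr];
  }
  return n <= avail - hdr ? hdr + n : 0;
}

/* DER SET OF order: compare the complete encodings as octet strings. */
static int cmp_elem(const void *a, const void *b) {
  const elem_t *x = a, *y = b;
  int r = memcmp(x->p, y->p, x->len < y->len ? x->len : y->len);
  return r != 0 ? r : (x->len > y->len) - (x->len < y->len);
}

/* Sorts the elements in buf in place; returns 0 and leaves buf alone on bad input. */
int sort_set_of(uint8_t *buf, size_t len) {
  elem_t e[64];  /* assumption: fixed bound of 64 elements, for brevity */
  size_t n = 0, off = 0;
  uint8_t *tmp = malloc(len ? len : 1);
  if (tmp == NULL) return 0;
  memcpy(tmp, buf, len);  /* sort from a copy so buf can be rewritten in order */
  for (size_t l; off < len; off += l) {
    l = tlv_len(tmp + off, len - off);
    if (l == 0 || n == 64) { free(tmp); return 0; }
    e[n++] = (elem_t){tmp + off, l};
  }
  qsort(e, n, sizeof(e[0]), cmp_elem);
  for (size_t i = off = 0; i < n; off += e[i++].len) memcpy(buf + off, e[i].p, e[i].len);
  free(tmp);
  return 1;
}

int main(void) {
  /* Constructed input: OCTET STRING "a", INTEGER 256, INTEGER 2, INTEGER 1. */
  uint8_t set[] = {0x04, 1, 0x61, 0x02, 2, 1, 0, 0x02, 1, 2, 0x02, 1, 1};
  if (!sort_set_of(set, sizeof(set))) return 1;
  for (size_t i = 0; i < sizeof(set); i++) printf("%02x ", set[i]);
}
```

Because every element carries its own length, one valid encoding is never a proper prefix of another, so the length tie-break in `cmp_elem` only matters for inputs that are already malformed.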