summaryrefslogtreecommitdiffstats
path: root/doc
diff options
context:
space:
mode:
authorDr. David von Oheimb <David.von.Oheimb@siemens.com>2020-09-02 13:50:04 +0200
committerDr. David von Oheimb <David.von.Oheimb@siemens.com>2020-09-10 12:07:33 +0200
commit5fdcde816f6ee9ef048977c14427e2b0b63f47b6 (patch)
tree902d56c6fc2004293bfa64777bebf3addd5b5d0a /doc
parentX509_NAME_add_entry_by_txt.pod: Improve documentation w.r.t. multi-valued RDN... (diff)
downloadopenssl-5fdcde816f6ee9ef048977c14427e2b0b63f47b6.tar.xz
openssl-5fdcde816f6ee9ef048977c14427e2b0b63f47b6.zip
X509_NAME_cmp(): Clearly document its semantics, referencing relevant RFCs
Fixes #12765 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12769)
Diffstat (limited to 'doc')
-rw-r--r--doc/man3/X509_cmp.pod18
1 files changed, 11 insertions, 7 deletions
diff --git a/doc/man3/X509_cmp.pod b/doc/man3/X509_cmp.pod
index a4e18dfb58..7460d901db 100644
--- a/doc/man3/X509_cmp.pod
+++ b/doc/man3/X509_cmp.pod
@@ -25,16 +25,20 @@ This set of functions are used to compare X509 objects, including X509
certificates, X509 CRL objects and various values in an X509 certificate.
The X509_cmp() function compares two B<X509> objects indicated by parameters
-B<a> and B<b>. The comparison is based on the B<memcmp> result of the hash
+I<a> and I<b>. The comparison is based on the B<memcmp> result of the hash
values of two B<X509> objects and the canonical (DER) encoding values.
The X509_NAME_cmp() function compares two B<X509_NAME> objects indicated by
-parameters B<a> and B<b>. The comparison is based on the B<memcmp> result of
-the canonical (DER) encoding values of the two objects. L<i2d_X509_NAME(3)>
-has a more detailed description of the DER encoding of the B<X509_NAME> structure.
+parameters I<a> and I<b>. The comparison is based on the B<memcmp> result of the
+canonical (DER) encoding values of the two objects using L<i2d_X509_NAME(3)>.
+This procedure adheres to the matching rules for Distinguished Names (DN)
+given in RFC 4517 section 4.2.15 and RFC 5280 section 7.1.
+In particular, the order of Relative Distinguished Names (RDNs) is relevant.
+On the other hand, if an RDN is multi-valued, i.e., it contains a set of
+AttributeValueAssertions (AVAs), its members are effectively not ordered.
The X509_issuer_and_serial_cmp() function compares the serial number and issuer
-values in the given B<X509> objects B<a> and B<b>.
+values in the given B<X509> objects I<a> and I<b>.
The X509_issuer_name_cmp(), X509_subject_name_cmp() and X509_CRL_cmp() functions
are effectively wrappers of the X509_NAME_cmp() function. These functions compare
@@ -47,8 +51,8 @@ of just the issuer name.
=head1 RETURN VALUES
-The B<X509> comparison functions return B<-1>, B<0>, or B<1> if object B<a> is
-found to be less than, to match, or be greater than object B<b>, respectively.
+The B<X509> comparison functions return B<-1>, B<0>, or B<1> if object I<a> is
+found to be less than, to match, or be greater than object I<b>, respectively.
X509_NAME_cmp(), X509_issuer_and_serial_cmp(), X509_issuer_name_cmp(),
X509_subject_name_cmp() and X509_CRL_cmp() may return B<-2> to indicate an error.