
Windows displays states in x.509 Subject fields as S=<state>


I've noticed that Windows will display an x.509 certificate subject as S=some-state rather than ST=some-state as is described by x.520: https://www.rfc-editor.org/rfc/rfc1779 (Table 1).

For example:

$>  (Get-AuthenticodeSignature -FilePath C:\Windows\System32\cmd.exe).SignerCertificate.Subject
CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

I have also parsed the same certificate programmatically and have received ST=Washington as the output, so the underlying DER is clearly correct and the problem is in the representation.

Does anyone know why MS does this? Is it allowed by a part of the standard I have missed? I'd like to know just out of curiosity. Thanks in advance.


Solution

  • The Microsoft implementation of X.500 names supports the standardized names. In addition, the Microsoft implementation supports aliases. That is, a particular object identifier may have multiple mappings to friendly names. For example, the StateOrProvince RDN is mapped to three friendly names:

    2.5.4.8 -- State Or Province (S)
      pwszName = S
      CRYPT_RDN_ATTR_OID_GROUP_ID (5)
      dwLength = 0
    
    2.5.4.8 -- State Or Province (S)
      pwszName = ST
      CRYPT_RDN_ATTR_OID_GROUP_ID (5)
      dwLength = 0
    
    2.5.4.8 -- State Or Province (S)
      pwszName = State Or Province
      CRYPT_EXT_OR_ATTR_OID_GROUP_ID (6)
      dwValue = 0
    

    So, OID=2.5.4.8 can be mapped to either S, ST or State Or Province. And it works in the opposite direction: all aliases will be translated to the same OID value.

    Default translation from OID to friendly name depends on the OID group (when requested) and registration order (priority). In the given case, the S alias has higher priority than ST.
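The aliasing described in the answer, as an added example that is not part of the question or answer and is not Microsoft's code: a minimal DER Name decoder rendered through two hypothetical alias tables (one mirroring the Windows registration order shown above, one RFC 1779 style), plus the reverse mapping that folds S, ST and State Or Province onto OID 2.5.4.8. The DER bytes are constructed for the example, not taken from the cmd.exe certificate.

```python
# Added example, not from the question or answer above: decode a DER X.509 Name and show
# that "S=" versus "ST=" is only a display alias for the same OID 2.5.4.8 (bytes constructed).
# Friendly names per OID (hypothetical tables): first entry is used for output, all accepted on input.
WINDOWS_ALIASES = {"2.5.4.8": ["S", "ST", "State Or Province"], "2.5.4.6": ["C"]}
RFC_ALIASES = {"2.5.4.8": ["ST"], "2.5.4.6": ["C"]}

SAMPLE_NAME_DER = bytes.fromhex(                         # constructed Name: ST=Washington, C=US
    "3022" "3113301106035504080c0a57617368696e67746f6e"  # SET{SEQ{OID 2.5.4.8, UTF8String}}
    "310b3009060355040613025553")                        # SET{SEQ{OID 2.5.4.6, PrintableString}}

def _tlv(buf, pos):
    """Read one DER TLV (short or long-form length); return (tag, value, next_pos)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                                    # long form: length held in the next n bytes
        n, ln = ln & 0x7F, int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def _decode_oid(raw):
    """Decode an OID body, e.g. b'\\x55\\x04\\x08' -> '2.5.4.8' (base-128 arcs, MSB continues)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def decode_name(der):
    """Return [(oid, value), ...] from a DER Name: SEQUENCE OF SET OF SEQUENCE {OID, string}."""
    _, body, _ = _tlv(der, 0)                        # outer SEQUENCE
    attrs, pos = [], 0
    while pos < len(body):
        _, rdn, pos = _tlv(body, pos)                # one RDN (SET); single-valued RDNs assumed
        _, atv, _ = _tlv(rdn, 0)                     # AttributeTypeAndValue (SEQUENCE)
        _, oid_raw, p = _tlv(atv, 0)                 # OBJECT IDENTIFIER
        _, val_raw, _ = _tlv(atv, p)                 # UTF8String / PrintableString assumed
        attrs.append((_decode_oid(oid_raw), val_raw.decode("utf-8")))
    return attrs

def render(attrs, aliases):
    """Render with the first alias registered for each OID (the priority rule from the answer)."""
    return ", ".join(f"{aliases[oid][0]}={value}" for oid, value in attrs)

def parse_dn_string(text, aliases):
    """Map 'S=Washington, C=US' (or 'ST=...') back to OIDs; no escaped commas assumed."""
    lookup = {name.upper(): oid for oid, names in aliases.items() for name in names}
    return [(lookup[k.strip().upper()], v.strip())
            for k, _, v in (part.partition("=") for part in text.split(","))]
```

Rendering the same decoded attributes through the two tables gives "S=Washington, C=US" and "ST=Washington, C=US" respectively, while parsing either string (or "State Or Province=Washington") yields the identical OID list.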