Tags: x509, asn.1, ou

Multiple Organizational Units (OU) ASN.1 encoding differences


I have come across two different ways of encoding multiple OUs. One is to list the multiple OUs at the same level as the other identifiers, such as

SEQUENCE {
   SET {
     SEQUENCE {
       OBJECT IDENTIFIER commonName (2 5 4 3)
       PrintableString 'tester'
       }
     }
   SET {
     SEQUENCE {
       OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
       UTF8String 'department1'
       }
     }
   SET {
     SEQUENCE {
       OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
       UTF8String 'org1'
       }
     }
}

Another is to embed the OUs as a list, as follows

SEQUENCE {
   SET {
     SEQUENCE {
       OBJECT IDENTIFIER commonName (2 5 4 3)
       PrintableString 'tester'
       }
     }
   SET {
     SEQUENCE {
       OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
       PrintableString 'department1'
       }
     SEQUENCE {
       OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
       PrintableString 'org1'
       }
     }
}

And some tools would decode the 2nd encoding as 1 OU only, representing it as follows

organizationalUnitName    = department1 + organizationalUnitName    = org1

I am just wondering which way is the better, or more common, way to encode multiple OUs.


Solution

In the first encoding (each SET nests only one SEQUENCE), RDN attributes are printed/decoded in the exact order in which they are encoded:

    OU=org1, OU=department1, CN=tester

In the second example (a SET nests multiple SEQUENCEs), RDN attributes inside a single SET can be reordered and may result in two paths:

    OU=org1, OU=department1, CN=tester
    OU=department1, OU=org1, CN=tester

And these two paths are not the same. This is because a SET is an unordered list and the application is free to order them as they need/want. Therefore, I would recommend using the first encoding, i.e. only one SEQUENCE inside each SET. This guarantees that the X.500 name results in the same path in all conforming implementations.

p.s. I just tested this with the Microsoft implementation of the X.500 decoder. It doesn't re-order multiple SEQUENCEs inside a SET and decodes in the exact order in which the RDNs are encoded, i.e. OU=org1, OU=department1, CN=tester

p.p.s. Keep in mind that RDNs shall be encoded from the tree root down to the leaf node. Your encoding is the opposite and may lead to an undesired string.
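To make the difference between the two encodings concrete, here is an added example (my own code, not from the question or the answer above) that builds both Name structures from the question with a minimal DER encoder, decodes them back, and renders them as RFC 4514 strings. It also shows the DER rule (X.690 clause 11.6) that the members of a SET OF are sorted by their encoded octets, so inside a multi-valued RDN the encoder, not the certificate author, fixes the byte order, while a name comparison that treats each RDN as an unordered set still finds the two byte orders equal and finds the "three RDNs" and "two RDNs" names unequal. All helper names (`tlv`, `encode_name`, `decode_name`, `rfc4514`, `same_name`) and the sample names are constructed for this example; the string form does no RFC 4514 escaping.

```python
# Added example (not from the original question or answer): a minimal DER
# encoder/decoder for an X.501 Name. Helper names and sample values are my own.
SEQUENCE, SET, OID, PRINTABLE, UTF8 = 0x30, 0x31, 0x06, 0x13, 0x0C
OID_CN, OID_OU = (2, 5, 4, 3), (2, 5, 4, 11)
SHORT = {OID_CN: "CN", OID_OU: "OU"}


def _length(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def encode_oid(arcs):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, base-128 after."""
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


def encode_name(rdns, der_sort=True):
    """rdns: list of RDNs, root first; each RDN is a list of (oid, string_tag, value).
    DER requires SET OF members in ascending order of their encoded octets;
    der_sort=False emits them in caller order (BER, not DER) for comparison."""
    sets = []
    for rdn in rdns:
        attrs = [tlv(SEQUENCE, encode_oid(oid) + tlv(stag, value.encode("utf-8")))
                 for oid, stag, value in rdn]
        if der_sort:
            attrs.sort()
        sets.append(tlv(SET, b"".join(attrs)))
    return tlv(SEQUENCE, b"".join(sets))


def _read(buf, pos=0):
    """Read one TLV at pos; returns (tag, body, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def _children(buf):
    pos, items = 0, []
    while pos < len(buf):
        tag, body, pos = _read(buf, pos)
        items.append((tag, body))
    return items


def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return tuple(arcs)


def decode_name(der):
    """Returns a list of RDNs (root first); each RDN is a list of (oid, value)."""
    tag, body, _ = _read(der)
    if tag != SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    rdns = []
    for stag, sbody in _children(body):
        if stag != SET:
            raise ValueError("RelativeDistinguishedName must be a SET")
        rdn = []
        for atag, abody in _children(sbody):
            parts = _children(abody)
            if atag != SEQUENCE or len(parts) != 2 or parts[0][0] != OID \
                    or parts[1][0] not in (PRINTABLE, UTF8):
                raise ValueError("malformed AttributeTypeAndValue")
            rdn.append((decode_oid(parts[0][1]), parts[1][1].decode("utf-8")))
        rdns.append(rdn)
    return rdns


def rfc4514(rdns):
    """RFC 4514 string form: leaf RDN first, '+' joins a multi-valued RDN (no escaping)."""
    def attr(oid, value):
        return f"{SHORT.get(oid, '.'.join(map(str, oid)))}={value}"
    return ", ".join("+".join(attr(o, v) for o, v in rdn) for rdn in reversed(rdns))


def same_name(a, b):
    """Structural comparison: same RDN count and order, each RDN as an unordered set."""
    return len(a) == len(b) and all(set(x) == set(y) for x, y in zip(a, b))


# Constructed sample names mirroring the two dumps in the question (root first).
SEPARATE_OUS = [[(OID_CN, PRINTABLE, "tester")],
                [(OID_OU, UTF8, "department1")],
                [(OID_OU, UTF8, "org1")]]
MULTI_VALUED = [[(OID_CN, PRINTABLE, "tester")],
                [(OID_OU, PRINTABLE, "department1"), (OID_OU, PRINTABLE, "org1")]]

if __name__ == "__main__":
    for label, rdns in (("separate", SEPARATE_OUS), ("multi-valued", MULTI_VALUED)):
        der = encode_name(rdns)
        print(f"{label:13} {der.hex()}\n{'':13} {rfc4514(decode_name(der))}")
```

Running it prints the DER hex of both names and their string forms. Note that the DER sort puts `OU=org1` before `OU=department1` inside the multi-valued RDN purely because its encoding is shorter (its second byte, the length, is smaller), which is exactly why the order a tool shows for members of one SET carries no meaning, whereas the order of the SETs themselves (the RDN sequence) does.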