A Distinguished Directory Name (DN) is a SEQUENCE of Relative Distinguished Names (RDNs). Their order is important, and when comparing two DNs, one must compare the first RDN in both DNs, then the second RDN in both DNs, then the third, and so on. The code in NSS function CERT_CompareName correctly compares two DNs' RDNs in the proper order.

An RDN is a SET of Attribute Value Assertions (AVAs, also known as Attribute Type And Value, ATAV). Being a SET, the order of the AVAs in the RDNs is NOT important. Two RDNs are the same if they have the same number of AVAs and for every AVA in the first RDN there is an exactly matching AVA in the second RDN. It is not necessary for the AVAs to be in the same order in the two RDNs for those RDNs to be considered equal.

NSS function CERT_CompareRDN compares two RDNs by comparing the first AVA in each RDN, then the second AVA in each RDN, then the third, and so on. That is wrong. It will cause RDNs that are equal, but have their AVAs in different order, to be considered not equal.

Before tackling this, we should look and see how much (if at all) function CERT_CompareName is ever used in NSS. If it's effectively dead code, then it may not be worth fixing. Otherwise, we should fix it. This bug is lower priority than bug 329067 or bug 372241.
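To make the two comparison rules concrete, here is an added, self-contained C example written for this page; it is not NSS code and does not use NSS's CERTName, CERTRDN or CERTAVA types. It models a DN as a hypothetical array of RDNs, each an array of (type, value) AVAs with already-decoded string values, so "exactly matching" means byte-for-byte equal type and value. `rdn_equal_ordered` reproduces the order-sensitive behaviour the report attributes to CERT_CompareRDN, `rdn_equal_set` applies the SET rule from the report, and `dn_equal` keeps RDN order significant, as CERT_CompareName is said to do. The set comparison goes one step beyond the wording of the report: a `used[]` mask pairs each AVA of the second RDN at most once, so an RDN that repeats an attribute type (which X.501 does not permit, but a malformed certificate can still carry) is still compared correctly. The sample DNs are constructed for the example, not taken from any real certificate.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical in-memory model of a DN (not NSS's CERTName/CERTRDN/CERTAVA).
 * type is an attribute short name, value an already-decoded string. */
typedef struct { const char *type; const char *value; } AVA;
typedef struct { const AVA *avas; size_t n; } RDN;
typedef struct { const RDN *rdns; size_t n; } DN;

static bool ava_equal(const AVA *a, const AVA *b)
{
    return strcmp(a->type, b->type) == 0 && strcmp(a->value, b->value) == 0;
}

/* Order-sensitive RDN comparison: the behaviour the bug report describes for
 * CERT_CompareRDN. It wrongly rejects RDNs whose AVAs are merely permuted. */
bool rdn_equal_ordered(const RDN *a, const RDN *b)
{
    if (a->n != b->n) return false;
    for (size_t i = 0; i < a->n; i++)
        if (!ava_equal(&a->avas[i], &b->avas[i])) return false;
    return true;
}

/* SET-semantics RDN comparison: same AVA count, and every AVA of a is paired
 * with a distinct, exactly matching AVA of b. The used[] mask means {x,x,y}
 * does not match {x,y,y}, although every element of the first is in the second. */
bool rdn_equal_set(const RDN *a, const RDN *b)
{
    if (a->n != b->n) return false;
    if (a->n == 0) return true;
    bool *used = calloc(a->n, sizeof *used);
    if (!used) return false;            /* allocation failure: report no match */
    bool equal = true;
    for (size_t i = 0; i < a->n && equal; i++) {
        bool found = false;
        for (size_t j = 0; j < b->n; j++) {
            if (!used[j] && ava_equal(&a->avas[i], &b->avas[j])) {
                used[j] = true;
                found = true;
                break;
            }
        }
        equal = found;
    }
    free(used);
    return equal;
}

/* DN comparison is positional: the i-th RDN of each DN must match. */
bool dn_equal(const DN *a, const DN *b, bool (*rdn_eq)(const RDN *, const RDN *))
{
    if (a->n != b->n) return false;
    for (size_t i = 0; i < a->n; i++)
        if (!rdn_eq(&a->rdns[i], &b->rdns[i])) return false;
    return true;
}

/* Constructed sample data (not from any real certificate). */
static const AVA c_us[] = { { "C", "US" } };
static const AVA o_ex[] = { { "O", "Example" } };
static const AVA mv_a[] = { { "CN", "alice" }, { "serialNumber", "1234" } };
static const AVA mv_b[] = { { "serialNumber", "1234" }, { "CN", "alice" } };

/* dn1: C=US, O=Example, CN=alice+serialNumber=1234 */
static const RDN dn1_rdns[] = { { c_us, 1 }, { o_ex, 1 }, { mv_a, 2 } };
/* dn2: the same DN, with the multi-valued RDN's AVAs written in the other order */
static const RDN dn2_rdns[] = { { c_us, 1 }, { o_ex, 1 }, { mv_b, 2 } };
/* dn3: a different DN, because the first two RDNs are swapped */
static const RDN dn3_rdns[] = { { o_ex, 1 }, { c_us, 1 }, { mv_a, 2 } };
static const DN dn1 = { dn1_rdns, 3 }, dn2 = { dn2_rdns, 3 }, dn3 = { dn3_rdns, 3 };

bool permuted_avas_ordered_compare(void) { return dn_equal(&dn1, &dn2, rdn_equal_ordered); }
bool permuted_avas_set_compare(void)     { return dn_equal(&dn1, &dn2, rdn_equal_set); }
bool swapped_rdns_set_compare(void)      { return dn_equal(&dn1, &dn3, rdn_equal_set); }

bool duplicate_avas_set_compare(void)
{
    static const AVA xxy[] = { { "CN", "a" }, { "CN", "a" }, { "CN", "b" } };
    static const AVA xyy[] = { { "CN", "a" }, { "CN", "b" }, { "CN", "b" } };
    const RDN r1 = { xxy, 3 }, r2 = { xyy, 3 };
    return rdn_equal_set(&r1, &r2);
}

int main(void)
{
    printf("permuted AVAs, ordered RDN compare: %s\n", permuted_avas_ordered_compare() ? "equal" : "NOT equal");
    printf("permuted AVAs, SET RDN compare:     %s\n", permuted_avas_set_compare() ? "equal" : "NOT equal");
    printf("swapped RDNs, SET RDN compare:      %s\n", swapped_rdns_set_compare() ? "equal" : "NOT equal");
    printf("{a,a,b} vs {a,b,b}, SET compare:    %s\n", duplicate_avas_set_compare() ? "equal" : "NOT equal");
    return 0;
}
```

The first two results are the point of the report: dn1 and dn2 are the same name, yet the order-sensitive comparison rejects them while the SET comparison accepts them. The third shows that RDN order still matters under the fixed rule, and the fourth that the count-plus-membership rule needs the pairing mask to stay correct on malformed input.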
Created attachment 274579: patch v1 (untested). I think this should do the job.
Comment on attachment 274579 (patch v1 (untested)): Two review requests, but only need one review.
This was checked in to secname.c rev 1.21 on 08-27-2007
This patch was flawed. It introduced a regression. See Bug 413010.