> From: openssl-users [mailto:[hidden email]] On Behalf Of [hidden email]
> Sent: Wednesday, April 12, 2017 00:47
> I thought about escaping regarding DN itself (LDAP DN).
It's an X.400 DN. LDAP is a protocol and an API; there's no necessary relationship between X.509 certificates and LDAP.
More importantly, escaping is an aspect of interpretation, not source. If you need an X.400 DN escaped in, say, an LDAP context such as a value in a search filter, that's a requirement of LDAP, and the transformation is determined by LDAP. It is not a property of the "DN itself". Escaping a DN for a particular context is no different from escaping any other string for that context.
Your conceptual model is wrong, and that is a Bad Thing, particularly with escaping. Having the wrong conceptual model when escaping data leads to difficult-to-find errors and security vulnerabilities.
Rich has mentioned -nameopt and its implementing code, which may serve as a guide. But they're unlikely to precisely meet your requirements, whatever they actually are.
Distinguished Engineer, Micro Focus
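
The point made in the reply above, that escaping is decided by the destination context and not by the DN, shown as an added example that is not part of the original message or of OpenSSL. The sample CN value and base DN are constructed; the two rule sets are those of RFC 4515 (search filter) and RFC 4514 (DN string form).

```python
"""One certificate-subject value, two LDAP output contexts, two escapings."""

# RFC 4515 (search filter assertion value): replaced by \XX hex escapes.
FILTER_ESCAPES = {
    "\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00",
}

# RFC 4514 (string form of a DN): these characters are backslash-prefixed.
DN_SPECIALS = set('"+,;<>\\')


def escape_for_filter(value: str) -> str:
    """Escape a raw attribute value for use inside a search filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_for_dn_string(value: str) -> str:
    """Escape a raw attribute value for use inside a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append(r"\00")
        elif ch in DN_SPECIALS:
            out.append("\\" + ch)
        elif (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)  # position-dependent: leading/trailing only
        else:
            out.append(ch)
    return "".join(out)


def build_filter(cn: str) -> str:
    return "(cn=" + escape_for_filter(cn) + ")"


def build_dn(cn: str, base: str) -> str:
    return "cn=" + escape_for_dn_string(cn) + "," + base


# Constructed sample: a CN as it might be decoded from a certificate subject.
SUBJECT_CN = "Smith, J. (Ops)*"
BASE_DN = "ou=people,dc=example,dc=com"  # constructed placeholder

if __name__ == "__main__":
    print(build_filter(SUBJECT_CN))
    print(build_dn(SUBJECT_CN, BASE_DN))
```

The comma is escaped only in the DN string and the parentheses and asterisk only in the filter, so applying either rule set in the other context leaves a metacharacter live.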