type DN

object --+
         |
        DN

An object representing an X501 Distinguished Name (e.g DN).

DN objects contain an ordered list of RDN objects.

The DN object constructor may be invoked with a string representing an X500 name. Zero or more RDN objects, or you may optionally pass a list or tuple of RDN objects.

Examples:

DN()
DN('CN=www.redhat.com,OU=Web Operations,O=Red Hat Inc,L=Raleigh,ST=North Carolina,C=US')
DN(rdn0, ...)
DN([rdn0, rdn1])

The string representation of a Distinguished Name (DN) has reverse ordering from it's sequential components.

The ordering is a requirement of the relevant RFC's. When a Distinguished Name is rendered as a string it is ordered from most specific to least specific. However it's components (RDN's) as a sequence are ordered from least specific to most specific.

DN objects contain an ordered list of RDN objects. The DN object has both sequence and mapping behaviors with respect to the RDN's they contain. Thus you can index an RDN by position, by name, or by SecItem (if it's an OID). You can iterate over the list, get it's length or take a slice.

If you index by string the string may be either a canonical name for the RDN type (e.g. 'cn') or the dotted-decimal notation for the OID (e.g. 2.5.4.3). There may be multiple RDN's in a DN whose type matches (e.g. OU=engineering, OU=boston). It is not common to have more than one RDN in a DN with the same type. However because of the possiblity of being multi-valued when indexing by type a list is always returned containing the matching RDN's. Thus:

dn = nss.DN('OU=engineering')
dn['ou']
    returns [RDN('OU=engineering')

dn = nss.DN('OU=engineering, OU=boston')
dn['ou']
    returns [RDN('OU=boston'), RDN('OU=engineering')]
    Note the reverse ordering between string representation and RDN sequencing

Note, if you use properties to access the RDN values (e.g. name.common_name, name.org_unit_name) the string value is returned or None if not found. If the item was multi-valued then the most appropriate item will be selected and returned as a string value.

Note it is not possible to index by oid tag (e.g. nss.SEC_OID_AVA_COMMON_NAME) because oid tags are integers and it's impossible to distinguish between an integer representing the n'th member of the sequence and the integer representing the oid tag. In this case positional indexing wins (e.g. rdn[0] means the first element).

Examples:

subject_name = 'CN=www.redhat.com,OU=Web Operations,O=Red Hat Inc,L=Raleigh,ST=North Carolina,C=US'
name = nss.DN(subject_name)
str(name)
   returns 'CN=www.redhat.com,OU=Web Operations,O=Red Hat Inc,L=Raleigh,ST=North Carolina,C=US'
name[0]
   returns an `RDN` object with the value C=US
name['cn']
    returns a list comprised of an `RDN` object with the value CN=www.redhat.com
name['2.5.4.3']
    returns a list comprised of an `RDN` object with the value CN=www.redhat.com
    because 2.5.4.3 is the dotted-decimal OID for common name (i.e. cn)
name.common_name
    returns the string www.redhat.com
    common_name is easy shorthand property, it only retuns a single string
    value or None, if it was multi-valued the most appropriate item is selected.
name.has_key('cn')
    returns True because the DN has a common name RDN
name.has_key('2.5.4.3')
    returns True because the DN has a common name RDN
    because 2.5.4.3 is the dotted-decimal OID for common name (i.e. cn)

cn_rdn = nss.RDN(nss.AVA('cn', 'www.redhat.com'))
ou_rdn = nss.RDN(nss.AVA('ou', 'Web Operations'))
name = nss.DN(cn_rdn)
name
   is a DN with one RDN (e.g. CN=www.redhat.com)
len(name)
   returns 1 because there is one RDN in it
name.add_rdn(ou_rdn)
name
   name is now a DN with two RDN's (e.g. OU=Web Operations,CN=www.redhat.com)
len(name)
   returns 2 because there are now two RDN's in it
list(name)
   returns a list with the two RDN's in it
name[:]
   same as list(name)
for rdn in name:
   iterate over each RDN in name
name = nss.DN(cn_rdn, ou_rdn)
    This is an alternate way to build the above DN