From ed71c5cc07e4a0bb7a58f4e0731e5af3d4d4aa53 Mon Sep 17 00:00:00 2001 From: Thomas Erbesdobler Date: Tue, 3 Mar 2020 03:26:07 +0100 Subject: Reversed the order of RDNs in x509.Name.rfc4514_string() (#5120) RFC4514 requires in section 2.1 that RDNs are converted to string representation in reversed order. --- CHANGELOG.rst | 3 +++ src/cryptography/x509/name.py | 12 ++++++++---- tests/x509/test_x509.py | 6 +++--- 3 files changed, 14 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 31430d75..d7e1770b 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -20,6 +20,9 @@ Changelog * Added support for parsing :attr:`~cryptography.x509.ocsp.OCSPResponse.single_extensions` in an OCSP response. +* **BACKWARDS INCOMPATIBLE:** Reversed the order in which + :meth:`~cryptography.x509.Name.rfc4514_string` returns the RDNs as required by + RFC4514. .. _v2-8: diff --git a/src/cryptography/x509/name.py b/src/cryptography/x509/name.py index 0d58acdd..922cab5a 100644 --- a/src/cryptography/x509/name.py +++ b/src/cryptography/x509/name.py @@ -216,9 +216,11 @@ class Name(object): An X.509 name is a two-level structure: a list of sets of attributes. Each list element is separated by ',' and within each list element, set elements are separated by '+'. The latter is almost never used in - real world certificates. + real world certificates. According to RFC4514 section 2.1 the + RDNSequence must be reversed when converting to string representation. """ - return ','.join(attr.rfc4514_string() for attr in self._attributes) + return ','.join( + attr.rfc4514_string() for attr in reversed(self._attributes)) def get_attributes_for_oid(self, oid): return [i for i in self if i.oid == oid] 
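Review bot: The docstring sentence added to `rfc4514_string()` cites the RFC 4514 reversal but does not tell callers that the returned string now lists RDNs in the opposite order to `self._attributes`. That matters wherever the string is stored or compared, such as subject allowlists, certificate-to-account mappings and log correlation, because those comparisons would stop matching after an upgrade without raising any error. I would extend the docstring with something like `The result lists RDNs last-to-first relative to the stored order; compare Name objects, not these strings, when making trust decisions.` The method's signature and the start of its docstring lie outside the hunk.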
@@ -253,7 +255,9 @@ class Name(object): return sum(len(rdn) for rdn in self._attributes) def __repr__(self): + rdns = ','.join(attr.rfc4514_string() for attr in self._attributes) + if six.PY2: - return "".format(self.rfc4514_string().encode('utf8')) + return "".format(rdns.encode('utf8')) else: - return "".format(self.rfc4514_string()) + return "".format(rdns) diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py index fa3a41a7..fb0c96ab 100644 --- a/tests/x509/test_x509.py +++ b/tests/x509/test_x509.py @@ -4556,14 +4556,14 @@ class TestName(object): def test_rfc4514_string(self): n = x509.Name([ x509.RelativeDistinguishedName([ - x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Sales'), - x509.NameAttribute(NameOID.COMMON_NAME, u'J. Smith'), + x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'net'), ]), x509.RelativeDistinguishedName([ x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'example'), ]), x509.RelativeDistinguishedName([ - x509.NameAttribute(NameOID.DOMAIN_COMPONENT, u'net'), + x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, u'Sales'), + x509.NameAttribute(NameOID.COMMON_NAME, u'J. Smith'), ]), ]) assert (n.rfc4514_string() == -- cgit v1.2.3
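Review bot: `__repr__` in the name.py hunk now does its own join over `self._attributes` in stored order, so `repr(name)` and `name.rfc4514_string()` print the same RDNs in opposite directions, and nothing in the code says this is deliberate. Someone reading a repr in a log next to an RFC 4514 string from another tool could take them for two different subjects. A comment above the new line would settle it, e.g. `# repr keeps the stored RDN order; rfc4514_string() reverses it per RFC 4514`. The test hunk that follows changes only `test_rfc4514_string`, so an assertion on `repr(n)` there would pin the forward order; whether another test already covers it is not visible here. The class body continues outside the hunk.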