[openssl-users] OpenSSL 1.0.1l: X509_NAME_add_entry_by_txt broken?
Jörg Eyring
joerg.eyring at topix.de
Thu Feb 12 11:16:49 UTC 2015
On 12.02.2015 at 01:28, Dave Thompson <dthompson at prinpay.com> wrote:
> ASN1 strings set with the "generic" MBSTRING_ types that are for
> known/standard OID-value pairs are constrained by tbl_standard in
> asn1/a_strnid.c. A few like Country are forced to Printable as per standard.
>
> Those standardized as DirectoryString are anded with a "default mask" then
> a_mbstr.c chooses the "lowest" type supporting the characters in the value.
> Which allowed *two* of the eight single-byte types (Teletex and Printable).
> This is mentioned, very briefly, in the manpage for X509_NAME_add_entry.
>
> 1.0.1h in 2014 and later changed this mask to force UTF8 only, I believe
> to implement the MUST UTF8 for DirectoryStrings in 2459 and 3280,
> even though 5280 in 2008 had relaxed it to MUST UTF8 OR Printable,
> I suspect to be safe for implementations of the older standard.
>
> req and ca override this by calling ASN1_STRING_set_default_mask_asc
> with the (string) value of string_mask in the configuration if specified,
> and the supplied openssl.cnf back to 1.0.0 in 2009 set utf8only for those utils.
> There is also a numeric version ASN1_STRING_set_default_mask.
>
> HTH.
Hi Dave,

thanks for your explanation. I wish these changes had been documented somewhere in the version history of OpenSSL.

    unsigned long defaultMask = ASN1_STRING_get_default_mask();
    ASN1_STRING_set_default_mask(B_ASN1_PRINTABLESTRING);
    /* ...add entries… */
    ASN1_STRING_set_default_mask(defaultMask);

seems to do the job.

Jörg
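
The following is an added example, not part of the original thread and not OpenSSL source: a simplified stand-alone model of the type selection Dave describes (attribute table mask ANDed with the default mask, then the "lowest" type that can hold every character). The names `choose_type` and `choose_with_mask`, the bit values and the sample strings are assumptions made for this sketch. It shows that a printable-only mask leaves no usable type for a value outside the PrintableString alphabet.

```c
#include <stdio.h>
#include <string.h>
/* Type bits named after OpenSSL's B_ASN1_* flags; the values are local to this model. */
enum { PRINTABLE = 1, IA5 = 2, T61 = 4, BMP = 8, UNIVERSAL = 16, UTF8 = 32 };
#define DIRSTRING (PRINTABLE | T61 | BMP | UTF8)  /* types allowed for DirectoryString */
static unsigned long default_mask = UTF8;         /* "utf8only", as described for 1.0.1h+ */

/* Constructed sample values, given as code points. */
static const unsigned long ORG_ASCII[]  = { 'E', 'x', 'a', 'm', 'p', 'l', 'e' };
static const unsigned long ORG_UMLAUT[] = { 'J', 0xF6, 'r', 'g' };
static const unsigned long COUNTRY[]    = { 'D', 'E' };

static int is_printable(unsigned long c) {        /* PrintableString alphabet */
    if (c == 0 || c > 127) return 0;
    return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           strchr(" '()+,-./:=?", (int)c) != NULL;
}

/* Returns the chosen type bit, or 0 when no permitted type can hold the value.
 * no_mask = 1 models attributes that ignore the default mask (Country). */
static int choose_type(unsigned long table_mask, int no_mask,
                       const unsigned long *cps, size_t n) {
    static const int order[] = { PRINTABLE, IA5, T61, BMP, UNIVERSAL, UTF8 };
    unsigned long m = no_mask ? table_mask : (table_mask & default_mask);
    for (size_t i = 0; i < n; i++) {              /* drop types that cannot encode cps[i] */
        if (!is_printable(cps[i])) m &= ~(unsigned long)PRINTABLE;
        if (cps[i] > 127)          m &= ~(unsigned long)IA5;
        if (cps[i] > 0xff)         m &= ~(unsigned long)T61;
        if (cps[i] > 0xffff)       m &= ~(unsigned long)BMP;
    }
    for (size_t i = 0; i < sizeof order / sizeof order[0]; i++)
        if (m & (unsigned long)order[i]) return order[i];   /* "lowest" remaining type */
    return 0;
}

/* The save / narrow / add / restore pattern from the message above. */
static int choose_with_mask(unsigned long tmp, const unsigned long *cps, size_t n) {
    unsigned long saved = default_mask;
    default_mask = tmp;
    int t = choose_type(DIRSTRING, 0, cps, n);
    default_mask = saved;
    return t;
}

int main(void) {
    printf("utf8only, ASCII value:   %d\n", choose_type(DIRSTRING, 0, ORG_ASCII, 7));
    printf("printable, ASCII value:  %d\n", choose_with_mask(PRINTABLE, ORG_ASCII, 7));
    printf("printable, umlaut value: %d\n", choose_with_mask(PRINTABLE, ORG_UMLAUT, 4));
    printf("Country (forced):        %d\n", choose_type(PRINTABLE, 1, COUNTRY, 2));
    return 0;
}
```

When applying the pattern with the real API, check the return value of each add call while the narrowed mask is in effect, and keep in mind that the default mask is a process-wide setting rather than a per-name one.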