[openssl-users] Question about stateOrProvince
Tim Boring
tjboring at gmail.com
Wed Aug 31 01:28:19 UTC 2016
When creating a CSR, openssl displays the following
<quote>
State or Province Name (full name) [Some-State]:
</quote>
But, I can't find anywhere in the OpenSSL codebase that validates that the
input is indeed a "full name"--e.g., that the input is "New York" instead
of "NY".
I've done this search in GitHub:
https://github.com/openssl/openssl/search?utf8=%E2%9C%93&q=state%2Fprovince&type=Code
After looking through the code, I stumbled across the "ub_locality_name"
size limit:
https://goo.gl/zAUe9w
And a couple lines up from that is a comment pointing to RFC 3280
<https://www.rfc-editor.org/rfc/rfc3280.txt>, which defines the following:
<quote>
id-at-stateOrProvinceName AttributeType ::= { id-at 8 }

X520StateOrProvinceName ::= CHOICE {
      teletexString     TeletexString     (SIZE (1..ub-state-name)),
      printableString   PrintableString   (SIZE (1..ub-state-name)),
      universalString   UniversalString   (SIZE (1..ub-state-name)),
      utf8String        UTF8String        (SIZE (1..ub-state-name)),
      bmpString         BMPString         (SIZE(1..ub-state-name)) }

ub-state-name INTEGER ::= 128
</quote>
I'm curious about this because the openssl command will create a CSR where
stateOrProvince has a two-character (U.S.) state name, and (at least one)
CA (Comodo) will happily issue a cert using such a CSR.
Is there any issue with a cert generated using such a CSR? Should the
openssl command validate stateOrProvince? If not, then maybe it's just a
matter of changing the prompt (I'm happy to submit a PR for such a minor
change).
Thanks,
Tim
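
An added example, not part of the original post and not OpenSSL code: a pre-submission check of a CSR subject that applies the SIZE (1..ub-state-name) bound quoted above and separately flags values that look abbreviated. The one-line `/C=../ST=..` subject format, the function names and the two-capital-letter heuristic are assumptions made for this sketch.

```python
import re

UB_STATE_NAME = 128  # ub-state-name from the RFC 3280 excerpt quoted in the post
# PrintableString alphabet: letters, digits, space and ' ( ) + , - . / : = ?
PRINTABLE = re.compile(r"[A-Za-z0-9 '()+,\-./:=?]*")
ST_KEYS = ("ST", "stateOrProvinceName")


def parse_subject(subject):
    """Split a one-line subject like /C=US/ST=NY/CN=x into (key, value) pairs.

    Assumption: values contain no escaped '/' characters.
    """
    pairs = []
    for part in subject.strip().split("/"):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed subject component: %r" % part)
        pairs.append((key.strip(), value))
    return pairs


def check_state(subject):
    """Return a list of findings for every stateOrProvinceName in the subject."""
    states = [v for k, v in parse_subject(subject) if k in ST_KEYS]
    if not states:
        return ["info: no stateOrProvinceName attribute"]
    findings = []
    for value in states:
        if not 1 <= len(value) <= UB_STATE_NAME:
            findings.append("error: length %d outside SIZE (1..%d)"
                            % (len(value), UB_STATE_NAME))
        if not PRINTABLE.fullmatch(value):
            findings.append("info: %r is not a PrintableString" % value)
        # Heuristic (assumption): two capital letters look like an abbreviation.
        if re.fullmatch(r"[A-Z]{2}", value):
            findings.append("warn: %r looks abbreviated, prompt asks for full name"
                            % value)
    return findings


if __name__ == "__main__":
    # Constructed sample subjects.
    for s in ("/C=US/ST=NY/CN=example.test", "/C=US/ST=New York/CN=example.test"):
        print(s, "->", check_state(s) or "ok")
```

Only the length check comes from the ASN.1 definition; the abbreviation warning is a local policy layered on top of it.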