asn1parse genstr question

Dmitry Belyavsky beldmit at gmail.com
Mon Apr 22 23:02:55 UTC 2019


Hello,

On Tue, Apr 23, 2019 at 12:21 AM Dmitry Belyavsky <beldmit at gmail.com> wrote:

> Dear Viktor,
>
> On Mon, Apr 22, 2019 at 9:23 PM Viktor Dukhovni <
> openssl-users at dukhovni.org> wrote:
>
>> On Sun, Apr 21, 2019 at 06:58:53PM +0300, Dmitry Belyavsky wrote:
>>
>> > When I use a command
>> >
>> > openssl asn1parse -genstr "UTF8String:ф" -out content
>> >
>> > I get a 6-byte file. If I understand correctly, it starts with a 2-byte
>> > header indicating the content length and then contains an encoded letter
>> > 'ф' I want. But the encoding of it is not UTF8, as the utf8 encoding of a
>> > cyrillic letter is 2 bytes long.
>> >
>> > Am I wrong? If the behavior I see is desired one, how can I convert the
>> > result of the encoding to UTF8 using openssl internal API?
>>
>> By default the input string is assumed to contain single-byte octets,
>> which are individually encoded as UTF-8.  This is rarely what you
>> want if your input is not ASCII.  For actual UTF-8 input, you can
>> use:
>>
>>     $ openssl asn1parse -out content -genstr 'FORMAT:UTF8,UTF8String:Он врет! Он не знает, КАК НАДО!' # [1]
>>         0:d=0  hl=2 l=  53 prim: UTF8STRING        :Он врет! Он не знает, КАК НАДО!
>>
>> The "genstr" format is described in, for example:
>>
>>     https://www.openssl.org/docs/man1.0.2/man3/ASN1_generate_nconf.html
>
>
> Thank you very much for your answer and especially for a brilliant example
> :)
>
> I'm trying to implement RFC 8398 and I try to create a valid certificate
> with EAI email in otherName.
>
> I expected that a line in the config file
>
> subjectAltName=otherName:1.3.6.1.5.5.7.8.9;FORMAT:UTF8,UTF8:医生@大学.example.com
>
> will do the trick.
> But I get an error
> 140642093051968:error:0D0B20C2:asn1 encoding routines:ASN1_generate_v3:unknown tag:../crypto/asn1/asn1_gen.c:94:
> 140642093051968:error:220A4093:X509 V3 routines:a2i_GENERAL_NAME:othername error:../crypto/x509v3/v3_alt.c:456:
> 140642093051968:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=subjectAltName, value=otherName:1.3.6.1.5.5.7.8.9;FORMAT:UTF8,UTF8:医生@大学.example.com
>
> If I specify the otherName like
> subjectAltName=otherName:1.3.6.1.5.5.7.8.9;UTF8:医生@大学.example.com
>
> I do not get an error, but the encoding seems to be not UTF8, but ASCII.
> Can this behavior be fixed?
>

I've got the clue.

The config string is passed to the X509V3_parse_list() function, which
treats comma as a separator, so the rest of the line is cut, and it causes
an error.
I've done a quick-and-dirty patch for my purposes that enforces FORMAT:UTF8
for SMTPUTF8 and succeeded.

>> --
>>         Viktor.
>>
>> [1]. http://www.mnemosyne.ru/homo/galich-6.html
>>
>
>
> --
> SY, Dmitry Belyavsky
>


-- 
SY, Dmitry Belyavsky
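As an added illustration (my own code, not from the thread or from OpenSSL), the following Python model reproduces the three behaviours discussed above: the default -genstr path that re-encodes each input octet on its own (which is why a 2-byte UTF-8 'ф' becomes a 6-byte file), the FORMAT:UTF8 pass-through, and a simplified model of the comma split in X509V3_parse_list that truncates the otherName value. The helper names are mine, and the split model ignores the quoting rules the real function handles.

```python
# Added example: models of asn1parse -genstr encoding and the X509V3
# config-value comma split discussed in the thread. Not OpenSSL code.

UTF8STRING_TAG = 0x0C  # ASN.1 universal tag for UTF8String


def der_tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in DER tag-length-value (short or long length form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(octets)]) + octets
    return bytes([tag]) + length + content


def genstr_default(raw: bytes) -> bytes:
    """Default -genstr: every input octet is taken as one single-byte
    character and each is UTF-8 encoded individually. A UTF-8 'ф'
    (d1 84) therefore turns into c3 91 c2 84, plus a 2-byte header."""
    content = raw.decode("latin-1").encode("utf-8")
    return der_tlv(UTF8STRING_TAG, content)


def genstr_format_utf8(raw: bytes) -> bytes:
    """FORMAT:UTF8: the input is already UTF-8 and is carried unchanged."""
    raw.decode("utf-8")  # raises UnicodeDecodeError on invalid UTF-8
    return der_tlv(UTF8STRING_TAG, raw)


def x509v3_parse_list(value: str) -> list:
    """Simplified model of X509V3_parse_list: the extension value is split
    on commas, so 'FORMAT:UTF8,UTF8:...' loses its tag part (constructed
    model; the real function also splits name:value and handles quotes)."""
    return [item.strip() for item in value.split(",")]


# Constructed sample inputs taken from the thread.
SINGLE_LETTER = "ф".encode("utf-8")
VIKTOR_LINE = "Он врет! Он не знает, КАК НАДО!".encode("utf-8")
SAN_VALUE = "otherName:1.3.6.1.5.5.7.8.9;FORMAT:UTF8,UTF8:医生@大学.example.com"
```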