openssl-users Digest, Vol 101, Issue 18
Matthew
binsitt at web.de
Tue Apr 11 20:21:38 UTC 2023
Hello Michael,
thank you very much, your response helps a lot!
Kind regards
On 11.04.23 at 17:05, openssl-users-request at openssl.org wrote:
> Send openssl-users mailing list submissions to
> openssl-users at openssl.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://mta.openssl.org/mailman/listinfo/openssl-users
> or, via email, send a message with subject or body 'help' to
> openssl-users-request at openssl.org
>
> You can reach the person managing the list at
> openssl-users-owner at openssl.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of openssl-users digest..."
>
>
> Today's Topics:
>
> 1. error: ASN1_mbstring_ncopy:illegal characters (raf)
> 2. Re: error: ASN1_mbstring_ncopy:illegal characters (Mark Hack)
> 3. RE: RSA Real World Implementation (Michael Wojcik)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 11 Apr 2023 23:40:10 +1000
> From: raf <openssl at raf.org>
> To: openssl-users at openssl.org
> Subject: error: ASN1_mbstring_ncopy:illegal characters
> Message-ID: <ZDVjOq+RmCcrbfgV at raf.org>
> Content-Type: text/plain; charset=iso-8859-1
>
> Hi,
>
> I'm trying to create a CSR for an SMIME certificate for
> an email address with non-ASCII characters (localpart
> and domain), and I'm getting this error after entering
> ?b?@?tre.org as the email address:
>
> 139749651649856:error:0D07A07C:asn1 encoding routines:ASN1_mbstring_ncopy:illegal characters:../crypto/asn1/a_mbstr.c:115:
>
> The error message is similar if the only non-ASCII
> characters are in the domain name, or if they are only
> in the localpart (only the leading number in the error
> message changes). It's just for testing purposes, and
> I'm only really interested in the domain part.
>
> I must be doing something wrong. How can I use
> non-ASCII (UTF8-encoded Unicode characters,
> LANG=en_AU.UTF-8)? It looks like it's expecting
> multi-byte strings (a_mbstr.c).
>
> My smime.cnf contains:
> [req]
> distinguished_name = req_distinguished_name
>
> [req_distinguished_name]
> countryName = Country Name (2 letter code)
> countryName_default = AU
> countryName_min = 2
> countryName_max = 2
> stateOrProvinceName = State or Province Name (full name)
> stateOrProvinceName_default = Some-State
> localityName = Locality Name (eg, city)
> 0.organizationName = Organization Name (eg, company)
> 0.organizationName_default = Internet Widgits Pty Ltd
> organizationalUnitName = Organizational Unit Name (eg, section)
> commonName = Common Name (e.g. server FQDN or YOUR name)
> commonName_max = 64
> emailAddress = Email Address
> emailAddress_max = 64
>
> [smime]
> basicConstraints = CA:FALSE
> keyUsage = nonRepudiation, digitalSignature, keyEncipherment
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always,issuer
> subjectAltName = email:copy
> extendedKeyUsage = emailProtection
>
> And the openssl commands were:
>
> OPENSSL_CONF=`pwd`/smime.cnf
> # Generate an RSA Private Key for the Certificate Authority
> openssl genrsa -aes256 -out ca.key 2048
> # Create Self-Signed Certificate for the Certificate Authority
> openssl req -new -x509 -days 365 -key ca.key -out ca.crt
> # Generate an RSA Private Key for the Personal E-Mail Certificate
> openssl genrsa -aes256 -out smime_test_user.key 2048
> # Create the Certificate Signing Request
> openssl req -new -key smime_test_user.key -out smime_test_user.csr
>
> The error happened during the command above.
>
> > openssl req -new -key smime_test_user.key -out smime_test_user.csr
>
> Enter pass phrase for smime_test_user.key:
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [AU]:
> State or Province Name (full name) [Some-State]:
> Locality Name (eg, city) []:
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:
> Organizational Unit Name (eg, section) []:
> Common Name (e.g. server FQDN or YOUR name) []:
> Email Address []:?b?@?tre.org
> problems making Certificate Request
> 139749651649856:error:0D07A07C:asn1 encoding routines:ASN1_mbstring_ncopy:illegal characters:../crypto/asn1/a_mbstr.c:115:
>
> So I didn't get to the final command:
>
> # Sign the Certificate Using the Certificate Authority
> openssl x509 -req -days 365 -in smime_test_user.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out smime_test_user.crt -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout -extfile smime.cnf -extensions smime
>
> cheers,
> raf
>
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 11 Apr 2023 09:43:20 -0500
> From: Mark Hack <markhack at markhack.com>
> To: raf <openssl at raf.org>, openssl-users at openssl.org
> Subject: Re: error: ASN1_mbstring_ncopy:illegal characters
> Message-ID:
> <773c496611ca890147ba4f2c10081eabb45c58f7.camel at markhack.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Try adding the -utf8 option to the request.
>
>
>
> https://www.openssl.org/docs/man3.1/man1/openssl-req.html
>
> -utf8
>
> This option causes field values to be interpreted as UTF8 strings,
> by default they are interpreted as ASCII. This means that the field
> values, whether prompted from a terminal or obtained from a
> configuration file, must be valid UTF8 strings.
>
>
> Regards
> Mark Hack
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 11 Apr 2023 15:04:56 +0000
> From: Michael Wojcik <Michael.Wojcik at microfocus.com>
> To: "openssl-users at openssl.org" <openssl-users at openssl.org>
> Subject: RE: RSA Real World Implementation
> Message-ID:
> <DM6PR18MB2700CBD841BC4596D4EC669CF99A9 at DM6PR18MB2700.namprd18.prod.outlook.com>
>
> Content-Type: text/plain; charset="utf-8"
>
> Haven't seen a response to this one yet, so I thought I'd provide what I could.
>
>> From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of
>> Dingsi Bumsi
>> Sent: Tuesday, 4 April, 2023 17:41
>>
>> As a student of computer science with focus on security I would like to see
>> how RSA is implemented in the real world. I was warned not to write my own
>> implementation of RSA encryption due to the high risk of bugs and
>> vulnerability issues, which would be dealt with much better in a battle proven
>> lib like openssl. So I would like to see how it is done properly. :-)
> OpenSSL would not be my choice for this. Whatever the virtues of OpenSSL, the code is not written for readability. In fact I wouldn't advise anyone to study a "real world" RSA implementation in C at all; while C is the language I use the most (and the only one for which I've memorized a non-trivial portion of the standard), its low expressiveness, required scaffolding, and aspects of common C culture (such as short, meaningless identifiers) make it difficult to learn concepts from.
>
> You might look at, say, Go's RSA implementation (https://pkg.go.dev/crypto/rsa, source at https://cs.opensource.google/go/go/+/master:src/crypto/rsa/), for example; even if you don't know Go, it's probably faster to learn Go and then learn from Go's implementation. And much of Go's cryptography was, I believe, written by Filippo Valsorda, who's both a good cryptographer and good at explaining cryptography; his blog is worth reading.
>
>> I did already find the source code on github under
>> https://github.com/openssl/openssl/tree/master/crypto/rsa
>>
>> Tbh I find it yet quite overwhelming and cumbersome to work through all
>> those rather cryptic (pun intended) looking lines of source code and figure out
>> what they do.
> Yes, that's what I would expect. Correct cryptographic code is difficult to begin with; C is difficult; and OpenSSL is not particularly readable C.
>
>> Is there further documentation available about how the source code files work
>> together, e.g. which part of the library/file plays which role?
> There might be some material along those lines in the OpenSSL docs and wiki; that should be your starting place, if you're determined to understand the OpenSSL source code.
>
> (After that, and looking at the source, my approach would be to debug through some operations.)
>
>> From the manpages I assume that several libraries must be used in order to
>> en-/decrypt a message, so I guess documentation on how to use the openssl
>> library in C source code might help too.
> Prior to 3.0, only one OpenSSL library was, in the simple case, used for RSA: libcrypto. With older versions of OpenSSL you might also have an engine involved, which is technically a separate (dynamically-loaded) library. In OpenSSL 3.0, we have providers, which complicate the picture. (This is another good reason not to try to use OpenSSL as your example, by the way; the provider architecture complicates the implementation in ways irrelevant to the actual cryptography.) But libcrypto is still where the most basic implementation lives, I believe (without actually checking the source).
>
> A number of functions are involved, but functions and libraries are different things.
>
>> Where does the actual magic happen, meaning, where are the prime numbers
>> generated and where are the messages en-/decrypted?
> Aside from "crypto/rsa/*.c" I couldn't give you a definitive answer without spending time looking at the source, and possibly not without debugging through some RSA operations just to be sure.
>
>> And one other question: Is there a reimplementation in Rust planned already?
> That seems rather unlikely to me. I certainly don't recall hearing anyone talk about reimplementing OpenSSL in Rust. I don't know offhand the status of cryptography and TLS packages for Rust, but I'd think what Rust needs is its own crypto implementation, just as Go and other languages have; and if you want crypto and TLS written in Rust, that's what you'd use.
>
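The `-utf8` suggestion from Message 2, worked through as an added example (this is not code from the thread, from raf's smime.cnf, or from the OpenSSL project). It drives `openssl req` non-interactively with `-subj` so the three cases can be compared side by side: a non-ASCII Common Name without `-utf8` (the CSR builds, but the bytes are stored double-encoded), the same name with `-utf8` (stored correctly), and a non-ASCII emailAddress with `-utf8`, which is raf's actual case. That last one still fails with "illegal characters", because PKCS#9 emailAddress is defined as an IA5String and OpenSSL only lets that attribute hold code points below 128; `-utf8` changes how the input bytes are decoded, not which characters an attribute may contain. The script assumes only an `openssl` binary (1.1.1 or 3.x) on PATH; the config file, throwaway key, subject values and the name "Jürgen" are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenSSL project): drive
# `openssl req` non-interactively to see what -utf8 changes for a non-ASCII
# subject, and what it cannot change for the emailAddress attribute.
# Assumes only an `openssl` binary (1.1.1 or 3.x) on PATH; the config file,
# key, subject values and "Jürgen" below are all constructed for the demo.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# req wants a distinguished_name section even when the subject comes from
# -subj, so give it a minimal one (no prompts are shown; -subj wins).
cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
EOF

# Build the sample bytes with printf so nothing depends on the editor's or
# terminal's encoding: U+00FC (u with diaeresis) is C3 BC in UTF-8.
UNAME=$(printf 'J\303\274rgen')

gen_key() {
    [ -f "$WORK/demo.key" ] ||
        openssl genrsa -out "$WORK/demo.key" 2048 >/dev/null 2>&1
}

# make_csr SUBJECT [req options...]: prints "ok" or "fail"; OpenSSL's
# stderr is kept in $WORK/err.txt so the reason can be inspected.
make_csr() {
    subj=$1; shift
    gen_key
    if openssl req -new -config "$WORK/demo.cnf" -key "$WORK/demo.key" \
            -subj "$subj" "$@" -out "$WORK/demo.csr" 2>"$WORK/err.txt"; then
        echo ok
    else
        echo fail
    fi
}

# Print the CSR subject with RFC 2253 escaping: every non-ASCII byte comes
# out as \XX, so the stored encoding can be read off directly.
csr_subject() {
    openssl req -in "$WORK/demo.csr" -noout -subject -nameopt RFC2253
}

# CN case. Without -utf8 the bytes are taken as single-byte characters, so
# C3 and BC each become their own code point and the UTF8String stores them
# double-encoded: J\C3\83\C2\BCrgen ("JÃ¼rgen"). With -utf8 they are decoded
# first and the stored value is J\C3\BCrgen ("Jürgen").
cn_subject() {                     # $1 is empty or "-utf8"
    status=$(make_csr "/C=AU/CN=$UNAME" $1)
    if [ "$status" = ok ]; then csr_subject; else echo "$status"; fi
}

# emailAddress case. PKCS#9 emailAddress is an IA5String, so OpenSSL rejects
# any code point above 127 with "illegal characters" however the input was
# decoded; -utf8 fixes the decoding, not the attribute's alphabet.
email_with_utf8() {
    status=$(make_csr "/C=AU/emailAddress=$UNAME@example.org" -utf8)
    if grep -q 'illegal characters' "$WORK/err.txt"; then
        echo "$status (illegal characters)"
    else
        echo "$status"
    fi
}

# Stand-alone run: the three outcomes side by side.
printf 'CN, no -utf8 : %s\n' "$(cn_subject)"
printf 'CN, -utf8    : %s\n' "$(cn_subject -utf8)"
printf 'email, -utf8 : %s\n' "$(email_with_utf8)"
```

The same switch can be made permanent in the config file with `utf8 = yes` in the `[req]` section, which is what the `-utf8` option maps to. The double-encoded first case is the one to watch for in practice: nothing fails, so a CSR with "JÃ¼rgen" in it can be signed and deployed before anyone notices, which is why checking the subject with escaped output (as `csr_subject` does) is worth doing before sending a request to a CA. For an internationalised email address itself, the standard's answer is not the emailAddress attribute at all but the SmtpUTF8Mailbox otherName in subjectAltName from RFC 8398.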