[openssl-dev] [openssl.org #4516] EBCDIC & z/OS support

Eugene Moskalenko via RT rt at openssl.org
Thu Apr 21 13:21:16 UTC 2016


Hello,

I have a question regarding, or rather want to clarify, the state of EBCDIC (system-specific encoding) support.
The code does contain a lot of "# ifdef CHARSET_EBCDIC" that were probably added long ago, but at the same time I see the following:
     https://rt.openssl.org/Ticket/Display.html?id=2510
     https://rt.openssl.org/Ticket/Display.html?id=843 (http://openssl.6102.n7.nabble.com/State-of-EBCDIC-support-in-OpenSSL-td49792.html)
         >> It's been a decade with no action.  Pretty clearly, the openssl team is not going to do more EBCDIC work than what's already in the openssl command.  Closing this ticket.

The problem with this was initially discovered in code that performs hostname validation from the server certificate;
then, in the attempt to check the state of things, a systematic problem with EBCDIC support was discovered.

So the first and main question, taking into account #843: is there some willingness and possibility to support EBCDIC?
(I can try to do my best with this if so, even if I am not so familiar with the z/OS environment so far)



Just in case, my current changes based on openssl-1.0.2a are attached, and here is a brief description and thoughts (I can then merge them into any later version):
- So the first issue was with hostname validation: by the code, it tries to convert/generalize "CN" into UTF8 and then compare.
   I tried to set the hostname in X509_VERIFY_PARAM_set1_host in UTF8 format, but it seems not to be a reliable solution because it works only for strict equality,
   because the functions "equal_nocase" and "equal_wildcard" do work in the EBCDIC locale because they are not able to nocase compare or detect a wildcard.
   So v3_utl.c is currently changed to perform all comparisons of strings as EBCDIC (that mostly shouldn't be a problem, but finally it will probably be good to do a proper compare in UTF8)

   The same code also covers Alt Subject Name validation, I haven't tested IP validation yet.
- After that it appeared that Expiration validation cannot be passed either, so before comparison ASN1_TIME is converted into EBCDIC as well.
- During research it was clear that "X509 -text" & "asn1parse" don't display content properly, so various print/output functions were adjusted.
- On certificate issuing, dates appear in EBCDIC format in the certificate instead of ASCII; it was due to a strange disabled conversion in a_gentm.c & asn1_par.c.
   I tried to understand why but without success...
- v3_prn.c: not an obvious change so far.
   If for ASN1 structures strings are supposedly stored in ASCII (or UTF8),
   for the CONF_VALUE it isn't so obvious; so far, in the #2510 patch, v3_utl.c file, it tries to store some values in ASCII
   to convert them back later, as currently in v3_prn.c.
   In the attached variant it just stores and prints values supposing that they are EBCDIC.
   If CONF_VALUE isn't stored in the certificate and is used only at runtime, I suppose that it is more correct;
   if they can be stored in the certificate as is, then it is better to keep them in the corresponding ASCII format.
- Passwords for encrypting keys: they are currently locale dependent, which means that something generated on Linux/Windows won't be able to decrypt on z/OS and vice versa.
   In pem_pk8.c & pem_pkey.c, conversion of passwords to ASCII was added, which should solve this problem, but it is not so obvious whether passwords can be only text in these locations,
   and if so it will probably be good to add a special parameter for "openssl" to specify the password encoding, to be able to use both ASCII/EBCDIC on z/OS, for compatibility at least.


openssl-1.0.2a-ZOS-PATCH/crypto> ls -Rl
.:
total 16
drwxr-xr-x 2 dmsys users 4096 Apr 21 14:57 asn1
drwxr-xr-x 2 dmsys users 4096 Apr 21 14:57 pem
drwxr-xr-x 2 dmsys users 4096 Apr 21 14:57 x509
drwxr-xr-x 2 dmsys users 4096 Apr 21 14:57 x509v3

./asn1:
total 40
-rw-rw-r-- 1 dmsys users 10122 Apr 11 17:07 a_gentm.c        - Un-disabled Date conversion to ASCII for the ASN1
-rw-rw-r-- 1 dmsys users 15898 Apr 14 19:04 asn1_par.c        - Un-disabled Date conversion to ASCII for the ASN1
-rw-rw-r-- 1 dmsys users 10486 Apr 11 17:08 a_utctm.c        - Proper output of ASN1 strings from "openssl asn1parse"

./pem:
total 24
-rw-rw-r-- 1 dmsys users 9711 Apr 14 19:24 pem_pk8.c        - Consider password as ASCII
-rw-rw-r-- 1 dmsys users 9884 Apr 15 12:37 pem_pkey.c        - Consider password as ASCII

./x509:
total 80
-rw-rw-r-- 1 dmsys users  7597 Apr 12 11:57 x509_obj.c        - Proper output of ASN1 strings in EBCDIC locale
-rw-rw-r-- 1 dmsys users 70384 Apr  7 19:19 x509_vfy.c        - Dates Validation

./x509v3:
total 48
-rw-rw-r-- 1 dmsys users  8024 Apr 15 13:47 v3_prn.c        - Proper output of CONF_VALUE strings in EBCDIC locale
-rw-rw-r-- 1 dmsys users 39407 Apr  8 13:02 v3_utl.c        - Host name & Alt Subject Name validation


Please advise how to proceed with this...


-Eugene

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4516
Please log in as guest with password guest if prompted

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssl-1.0.2a-ZOS-PATCH.7z
Type: application/x-7z-compressed
Size: 32494 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160421/d893b6ec/attachment-0001.7z>
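
The charset mismatch described in the message above, as an added example (not part of the original post and not OpenSSL's code): certificate names are ASCII bytes, so comparison helpers written with character literals stop folding case and stop seeing '*' once those literals compile to EBCDIC. The names `struct charset`, `equal_nocase_as` and `has_wildcard_as` are hypothetical, and the EBCDIC values assume code page IBM-1047.

```c
#include <stddef.h>
#include <stdio.h>
/* Hypothetical model: what 'A', 'Z', 'a', '*' compile to per charset. */
struct charset { unsigned char A, Z, a, star; };
static const struct charset ASCII_CS  = { 0x41, 0x5A, 0x61, 0x2A };
static const struct charset EBCDIC_CS = { 0xC1, 0xE9, 0x81, 0x5C }; /* IBM-1047 (assumed) */

/* Literal-based folding: if (c >= 'A' && c <= 'Z') c += 'a' - 'A'; */
static unsigned char fold(const struct charset *cs, unsigned char c)
{
    return (c >= cs->A && c <= cs->Z) ? (unsigned char)(c + cs->a - cs->A) : c;
}

/* Case-insensitive compare of two byte strings of the same length. */
int equal_nocase_as(const struct charset *cs, const unsigned char *x,
                    const unsigned char *y, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (fold(cs, x[i]) != fold(cs, y[i]))
            return 0;
    return 1;
}

/* Does the pattern contain the byte this build uses for '*'? */
int has_wildcard_as(const struct charset *cs, const unsigned char *p, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (p[i] == cs->star)
            return 1;
    return 0;
}

/* Constructed sample data; the first three are ASCII, as stored in a certificate. */
static const unsigned char CERT_CN[]  = { 0x45,0x58,0x2E,0x43,0x4F,0x4D }; /* "EX.COM" */
static const unsigned char HOST[]     = { 0x65,0x78,0x2E,0x63,0x6F,0x6D }; /* "ex.com" */
static const unsigned char WILDCARD[] = { 0x2A,0x2E,0x65,0x78 };           /* "*.ex" */
static const unsigned char EB_UP[] = { 0xC5, 0xE7 }, EB_LO[] = { 0x85, 0xA7 }; /* EBCDIC "EX", "ex" */

int main(void)
{
    printf("ASCII build:  nocase=%d wildcard=%d\n",
           equal_nocase_as(&ASCII_CS, CERT_CN, HOST, sizeof HOST),
           has_wildcard_as(&ASCII_CS, WILDCARD, sizeof WILDCARD));
    printf("EBCDIC build: nocase=%d wildcard=%d ebcdic-data=%d\n",
           equal_nocase_as(&EBCDIC_CS, CERT_CN, HOST, sizeof HOST),
           has_wildcard_as(&EBCDIC_CS, WILDCARD, sizeof WILDCARD),
           equal_nocase_as(&EBCDIC_CS, EB_UP, EB_LO, sizeof EB_LO));
    return 0;
}
```

The last value shows why comparing with both sides converted to EBCDIC, as the message describes for v3_utl.c, makes the literal-based helpers match again.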

