[openssl-users] OpenSSL 1.0.1l: X509_NAME_add_entry_by_txt broken?

[Dave Thompson]

> From: openssl-users On Behalf Of Jörg Eyring
> Sent: Wednesday, February 11, 2015 03:44

> I'm generating a certificate request and the necessary entries are added
> with:
> ...
> if(!X509_NAME_add_entry_by_txt(subj,"C", MBSTRING_ASC, (unsigned
> char *) CountryName,-1,-1,0)) <snip>
> X509_NAME_add_entry_by_txt does only respect the given encoding
> MBSTRING_ASC for the first entry, the subsequent entries are encoded with
> MBSTRING_UTF8 (seen with a BER Viewer). The certificate request is
> declined by the authority with an error: "...doesn't contain five
> PRINTABLESTRING elements..."
> 
> The most recent version of OpenSSL we've been using was 1.0.1c where
> everything worked fine.
> 
ASN1 strings set with the "generic" MBSTRING_ types that are for 
known/standard OID-value pairs are constrained by tbl_standard in 
asn1/a_strnid.c. A few like Country are forced to Printable as per standard.

Those standardized as DirectoryString are anded with a "default mask" then 
a_mbstr.c chooses the "lowest" type supporting the characters in the value.
Which allowed *two* of the eight single-byte types (Teletex and Printable).
This is mentioned, very briefly, in the manpage for X509_NAME_add_entry.

1.0.1h in 2014 and later changed this mask to force UTF8 only, I believe 
to implement the MUST UTF8 for DirectoryString's in 2459 and 3280, 
even though 5280 in 2008 had relaxed it to MUST UTF8 OR Printable, 
I suspect to be safe for implementations of the older standard.

req and ca override this by calling ASN1_STRING_set_default_mask_asc  
with the (string) value of string_mask in the configuration if specified,
and 
the supplied openssl.cnf back to 1.0.0 in 2009 set utf8only for those utils.
There is also a numeric version ASN1_STRING_set_default_mask .

HTH.