[openssl-users] OpenSSL 1.0.1l: X509_NAME_add_entry_by_txt broken?

Jörg Eyring joerg.eyring at topix.de
Thu Feb 12 11:16:49 UTC 2015

Am 12.02.2015 um 01:28 schrieb Dave Thompson <dthompson at prinpay.com>:

> ASN1 strings set with the "generic" MBSTRING_ types that are for 
> known/standard OID-value pairs are constrained by tbl_standard in 
> asn1/a_strnid.c. A few like Country are forced to Printable as per standard.
> Those standardized as DirectoryString are anded with a "default mask" then 
> a_mbstr.c chooses the "lowest" type supporting the characters in the value.
> Which allowed *two* of the eight single-byte types (Teletex and Printable).
> This is mentioned, very briefly, in the manpage for X509_NAME_add_entry.
> 1.0.1h in 2014 and later changed this mask to force UTF8 only, I believe 
> to implement the MUST UTF8 for DirectoryString's in 2459 and 3280, 
> even though 5280 in 2008 had relaxed it to MUST UTF8 OR Printable, 
> I suspect to be safe for implementations of the older standard.
> req and ca override this by calling ASN1_STRING_set_default_mask_asc  
> with the (string) value of string_mask in the configuration if specified,
> and 
> the supplied openssl.cnf back to 1.0.0 in 2009 set utf8only for those utils.
> There is also a numeric version ASN1_STRING_set_default_mask .
> HTH.

Hi Dave,

thanks for your explanation. I wish these changes would have been documented somewhere in the version history of OpenSSL.

unsigned long defaultMask = ASN1_STRING_get_default_mask();

...add entries…

ASN1_STRING_set_default_mask (defaultMask);

seems to do the job.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150212/439f5758/attachment.html>

More information about the openssl-users mailing list