error: ASN1_mbstring_ncopy:illegal characters
raf
openssl at raf.org
Wed Apr 12 00:55:17 UTC 2023
On Tue, Apr 11, 2023 at 09:43:20AM -0500, Mark Hack <markhack at markhack.com> wrote:
> On Tue, 2023-04-11 at 23:40 +1000, raf via openssl-users wrote:
> > Hi,
> >
> > I'm trying to create a CSR for an SMIME certificate for
> > an email address with non-ASCII characters (localpart
> > and domain), and I'm getting this error after entering
> > äbç@être.org as the email address:
> >
> > 139749651649856:error:0D07A07C:asn1 encoding routines:ASN1_mbstring_ncopy:illegal characters:../crypto/asn1/a_mbstr.c:115:
> >
> > The error message is similar if the only non-ASCII
> > characters are in the domain name, or if they are only
> > in the localpart (only the leading number in the error
> > message changes). It's just for testing purposes, and
> > I'm only really interested in the domain part.
> >
> > I must be doing something wrong. How can I use
> > non-ASCII (UTF8-encoded Unicode characters,
> > LANG=en_AU.UTF-8)? It looks like it's expecting
> > multi-byte strings (a_mbstr.c).
> >
> > My smime.cnf contains:
> > [req]
> > distinguished_name = req_distinguished_name
> >
> > [req_distinguished_name]
> > countryName = Country Name (2 letter code)
> > countryName_default = AU
> > countryName_min = 2
> > countryName_max = 2
> > stateOrProvinceName = State or Province Name (full name)
> > stateOrProvinceName_default = Some-State
> > localityName = Locality Name (eg, city)
> > 0.organizationName = Organization Name (eg, company)
> > 0.organizationName_default = Internet Widgits Pty Ltd
> > organizationalUnitName = Organizational Unit Name (eg, section)
> > commonName = Common Name (e.g. server FQDN or YOUR name)
> > commonName_max = 64
> > emailAddress = Email Address
> > emailAddress_max = 64
> >
> > [smime]
> > basicConstraints = CA:FALSE
> > keyUsage = nonRepudiation, digitalSignature, keyEncipherment
> > subjectKeyIdentifier = hash
> > authorityKeyIdentifier = keyid:always,issuer
> > subjectAltName = email:copy
> > extendedKeyUsage = emailProtection
> >
> > And the openssl commands were:
> >
> > OPENSSL_CONF=`pwd`/smime.cnf
> > # Generate an RSA Private Key for the Certificate Authority
> > openssl genrsa -aes256 -out ca.key 2048
> > # Create Self-Signed Certificate for the Certificate Authority
> > openssl req -new -x509 -days 365 -key ca.key -out ca.crt
> > # Generate an RSA Private Key for the Personal E-Mail Certificate
> > openssl genrsa -aes256 -out smime_test_user.key 2048
> > # Create the Certificate Signing Request
> > openssl req -new -key smime_test_user.key -out smime_test_user.csr
> >
> > The error happened during the command above.
> >
> > > openssl req -new -key smime_test_user.key -out smime_test_user.csr
> >
> > Enter pass phrase for smime_test_user.key:
> > You are about to be asked to enter information that will be incorporated
> > into your certificate request.
> > What you are about to enter is what is called a Distinguished Name or a DN.
> > There are quite a few fields but you can leave some blank
> > For some fields there will be a default value,
> > If you enter '.', the field will be left blank.
> > -----
> > Country Name (2 letter code) [AU]:
> > State or Province Name (full name) [Some-State]:
> > Locality Name (eg, city) []:
> > Organization Name (eg, company) [Internet Widgits Pty Ltd]:
> > Organizational Unit Name (eg, section) []:
> > Common Name (e.g. server FQDN or YOUR name) []:
> > Email Address []:äbç@être.org
> > problems making Certificate Request
> > 139749651649856:error:0D07A07C:asn1 encoding routines:ASN1_mbstring_ncopy:illegal characters:../crypto/asn1/a_mbstr.c:115:
> >
> > So I didn't get to the final command:
> >
> > # Sign the Certificate Using the Certificate Authority
> > openssl x509 -req -days 365 -in smime_test_user.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out smime_test_user.crt -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout -extfile smime.cnf -extensions smime
> >
> > cheers,
> > raf
>
> Try adding the -utf8 option to the request.
>
> https://www.openssl.org/docs/man3.1/man1/openssl-req.html
>
> -utf8
>
> This option causes field values to be interpreted as UTF8 strings,
> by default they are interpreted as ASCII. This means that the field
> values, whether prompted from a terminal or obtained from a
> configuration file, must be valid UTF8 strings.
>
> Regards
> Mark Hack
Thanks, but surprisingly, that didn't work. I first tried adding -utf8
at the end of the command and it made no difference. Then I tried
placing it further to the left, in several locations, just in
case it made any difference, but it resulted in the same error.
I've checked (with od -cx) that the email address I'm pasting is
valid UTF8, and it is.
cheers,
raf
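
Added example, not part of the thread and not OpenSSL code: a pre-flight check for the value typed at the "Email Address" prompt. It assumes the error above comes from the emailAddress attribute being restricted to IA5String (7-bit ASCII), which is how PKCS#9 (RFC 2985) defines it; the function names are hypothetical.

```python
# Added example: pre-flight check for a DN emailAddress value.
# Assumption: the field is encoded as IA5String (7-bit ASCII), as PKCS#9
# (RFC 2985) defines emailAddress; function names are hypothetical.

def non_ia5_chars(value):
    """Return (index, char) for every character outside the 7-bit IA5 range."""
    return [(i, ch) for i, ch in enumerate(value) if ord(ch) > 0x7F]


def domain_to_alabels(domain):
    """Convert an internationalized domain to its ASCII A-label form."""
    # Python's built-in "idna" codec implements IDNA 2003 (RFC 3490).
    return domain.encode("idna").decode("ascii")


def check_email_for_dn(address):
    """Classify an address and, where possible, give an IA5-safe form."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("expected local@domain")
    result = {
        "input": address,
        "offending": non_ia5_chars(address),
        "local_ok": not non_ia5_chars(local),
        "ascii_domain": domain_to_alabels(domain),
        "ia5_safe": None,
    }
    # Only the domain has an ASCII-compatible encoding; a non-ASCII local
    # part cannot be expressed in an IA5String at all.
    if result["local_ok"]:
        result["ia5_safe"] = f"{local}@{result['ascii_domain']}"
    return result


if __name__ == "__main__":
    # Constructed samples based on the address in the thread.
    for sample in ("äbç@être.org", "abc@être.org", "abc@example.org"):
        r = check_email_for_dn(sample)
        print(r["input"], "->", r["ia5_safe"], "offending:", r["offending"])
```

An address whose only non-ASCII characters are in the domain gets an ASCII form that can be entered at the prompt; one with a non-ASCII local part returns no IA5-safe form.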