error: ASN1_mbstring_ncopy:illegal characters

raf openssl at
Wed Apr 12 05:20:51 UTC 2023

On Tue, Apr 11, 2023 at 11:04:46PM -0400, Viktor Dukhovni <openssl-users at> wrote:

> On Tue, Apr 11, 2023 at 11:40:10PM +1000, raf via openssl-users wrote:
> > I'm trying to create a CSR for an SMIME certificate for
> > an email address with non-ASCII characters (localpart
> > and domain), and I'm getting this error after entering
> > äbç@ê as the email address:
> You can't do that with rfc822Name, its syntax is by definition
> restricted to printable ASCII (IA5String):
>         GeneralName ::= CHOICE {
>                 otherName                       [0]     OtherName,
>                 rfc822Name                      [1]     IA5String,
>                 dNSName                         [2]     IA5String,
>                 x400Address                     [3]     ORAddress,
>                 directoryName                   [4]     Name,
>                 ediPartyName                    [5]     EDIPartyName,
>                 uniformResourceIdentifier       [6]     IA5String,
>                 iPAddress                       [7]     OCTET STRING,
>                 registeredID                    [8]     OBJECT IDENTIFIER }
>        OtherName ::= SEQUENCE {
>             type-id    OBJECT IDENTIFIER,
>             value      [0] EXPLICIT ANY DEFINED BY type-id }
> To create certificates for non-ASCII email addresses you need:
>         id-on-SmtpUTF8Mailbox OBJECT IDENTIFIER ::= { id-on 9 }
>         SmtpUTF8Mailbox ::= UTF8String (SIZE (1..MAX))
> -- 
>     Viktor.

Hi Viktor,

Thanks. I thought that might be the case, but I didn't
know what kind of encoding was appropriate for openssl
usage. There are different encodings for different
purposes. My interest in Unicode domain names relates
to DNS usage where IDNA2008/UTC#46 is useful. But this
makes sense since it's an email address.

It would be great if openssl performed the necessary
encoding, especially when it has been instructed (with
the -utf8 option) to interperet input as UTF-8 (but the
locale should probably be enough of an indication), and
to also perform the corresponding decoding on output. I
think that requiring users to perform the correct
encoding is asking too much. But maybe expecting
openssl to include code for encoding and decoding email
addresses is asking too much.

I have a shell script that will need to decode
international email addresses in S/MIME certificates,
and then encode the domain as IDNA2008/UTC#46.

Does anyone know of a readily available command line
tool that can decode international email addresses?


More information about the openssl-users mailing list