error: ASN1_mbstring_ncopy:illegal characters
openssl at raf.org
Thu Apr 13 10:44:09 UTC 2023
On Wed, Apr 12, 2023 at 10:41:39PM -0400, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
> On Thu, Apr 13, 2023 at 09:45:55AM +1000, raf via openssl-users wrote:
> > > You need to specify a SAN "otherName" of type smtpUtf8Name, rather than
> > > an rfc822Name. With OpenSSL 3.0, you can use "id-on-SmtpUTF8Mailbox"
> > > instead of the numeric OID:
> > >
> > > [extensions]
> > > subjectAltName = @sans
> > >
> > > [sans]
> > > otherName.1 = 22.214.171.124.126.96.36.199.9;FORMAT:UTF8,UTF8String:потребитель@домен.example
> > >
> > > Full support for this in certificate verification requires OpenSSL 3.0.
> > Thanks. Sadly, I don't understand the config file format enough to
> > know how to incorporate this into my existing config file (copied from
> > a howto for S/MIME). which includes "subjectAltName = email:copy". If
> > I just add the above, I get a new error when decrypting the private
> > key.
> That's for signing CSRs with a CA, I typically bypass that, and create
> the cert more directly. I don't know how or whether there's support for
> copying specific "otherName" extensions by OID.
> > In the meantime, I might just wait until a user reports that my script
> > isn't working for S/MIME with non-ASCII email addresses (if that ever
> > happens). If they can show me the output of the openssl x509 ...
> > -noout -text command for their certificate, that should be enough for
> > me to fix my script.
> You reall SHOULD NOT parse the output of "openssl ... -text" it is not a
> stable machine-readable format. Python has APIs for parsing X.509
> objects, I was suggesting you use those.
> If you really must go out on a limb, OpenSSL 3.0 would output:
> X509v3 extensions:
> X509v3 Subject Key Identifier:
> X509v3 Authority Key Identifier:
> X509v3 Basic Constraints:
> X509v3 Subject Alternative Name:
> othername: SmtpUTF8Mailbox::виктор@example.org
More information about the openssl-users