error: ASN1_mbstring_ncopy:illegal characters

raf openssl at raf.org
Thu Apr 13 10:44:09 UTC 2023


On Wed, Apr 12, 2023 at 10:41:39PM -0400, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:

> On Thu, Apr 13, 2023 at 09:45:55AM +1000, raf via openssl-users wrote:
> 
> > > You need to specify a SAN "otherName" of type smtpUtf8Name, rather than
> > > an rfc822Name.  With OpenSSL 3.0, you can use "id-on-SmtpUTF8Mailbox"
> > > instead of the numeric OID:
> > > 
> > >     [extensions]
> > >     subjectAltName = @sans
> > > 
> > >     [sans]
> > >     otherName.1 = 1.3.6.1.5.5.7.8.9;FORMAT:UTF8,UTF8String:потребитель@домен.example
> > > 
> > > Full support for this in certificate verification requires OpenSSL 3.0.
> > 
> > Thanks. Sadly, I don't understand the config file format enough to
> > know how to incorporate this into my existing config file (copied from
> > a howto for S/MIME), which includes "subjectAltName = email:copy". If
> > I just add the above, I get a new error when decrypting the private
> > key.
> 
> That's for signing CSRs with a CA, I typically bypass that, and create
> the cert more directly.  I don't know how or whether there's support for
> copying specific "otherName" extensions by OID.
> 
> > In the meantime, I might just wait until a user reports that my script
> > isn't working for S/MIME with non-ASCII email addresses (if that ever
> > happens). If they can show me the output of the openssl x509 ...
> > -noout -text command for their certificate, that should be enough for
> > me to fix my script.
> 
> You really SHOULD NOT parse the output of "openssl ... -text"; it is not a
> stable machine-readable format.  Python has APIs for parsing X.509
> objects, I was suggesting you use those.
> 
> If you really must go out on a limb, OpenSSL 3.0 would output:
> 
>         ...
>         X509v3 extensions:
>             X509v3 Subject Key Identifier:
>                 E7:9B:E2:2A:AD:8A:6C:3A:CB:76:51:E5:8E:07:98:22:97:E1:73:A2
>             X509v3 Authority Key Identifier:
>                 B4:11:33:F1:D7:E2:5E:F7:53:9E:20:22:10:4F:86:06:BF:1F:C9:5E
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             X509v3 Subject Alternative Name:
>                 othername: SmtpUTF8Mailbox::виктор@example.org
>         ...
> 
> -- 
>     Viktor.

Thanks.

cheers,
raf
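
Added example, not part of the original messages: a standard-library Python sketch of reading the SmtpUTF8Mailbox otherName (OID 1.3.6.1.5.5.7.8.9) from the DER value of a subjectAltName extension, rather than from "openssl ... -text" output. It assumes the raw extension value has already been obtained from an X.509 library; the helper names and the sample bytes are constructed for illustration.

```python
# Added example, not from the thread; helper names are hypothetical. Stdlib only.
SMTP_UTF8_MAILBOX = bytes.fromhex("2b06010505070809")  # OID 1.3.6.1.5.5.7.8.9

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at pos, bounds-checked."""
    if pos + 2 > len(buf) or buf[pos] & 0x1F == 0x1F:
        raise ValueError("truncated header or unsupported multi-byte tag")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("TLV overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def smtp_utf8_mailboxes(san_der):
    """Return the SmtpUTF8Mailbox strings in a DER subjectAltName value."""
    tag, names, end = read_tlv(san_der, 0)
    if tag != 0x30 or end != len(san_der):
        raise ValueError("expected exactly one GeneralNames SEQUENCE")
    found = []
    for tag, val in children(names):
        if tag != 0xA0:  # otherName is [0]; skip rfc822Name [1], dNSName [2], ...
            continue
        parts = children(val)  # type-id OID, then [0] EXPLICIT value
        if len(parts) != 2 or parts[0] != (0x06, SMTP_UTF8_MAILBOX) or parts[1][0] != 0xA0:
            continue  # some other otherName type
        inner = children(parts[1][1])
        if len(inner) != 1 or inner[0][0] != 0x0C:
            raise ValueError("SmtpUTF8Mailbox value must be one UTF8String")
        found.append(inner[0][1].decode("utf-8"))  # strict: raises on bad UTF-8
    return found

def tlv(tag, value):  # encoder for the sample only; short-form lengths
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

# Constructed sample: an rfc822Name plus the mailbox shown in the thread.
other = tlv(0x06, SMTP_UTF8_MAILBOX) + tlv(0xA0, tlv(0x0C, "виктор@example.org".encode()))
SAMPLE_SAN = tlv(0x30, tlv(0x81, b"postmaster@example.org") + tlv(0xA0, other))
```

Malformed input (truncated TLVs, a non-UTF8String value, invalid UTF-8) raises ValueError instead of returning a partial or guessed address.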


