Package: xca
Version: 1.3.2-2

Apparently xca uses PRINTABLESTRING as a DirectoryString on
creating certificates by default, ignoring the "MUST" in
RFC 2459:

"The UTF8String encoding is the preferred encoding, and all certificates
issued after December 31, 2003 MUST use the UTF8String encoding of
DirectoryString (except as noted below)."

I created a sample certificate with xca to show:

% openssl asn1parse -in sample.crt
    0:d=0  hl=4 l= 901 cons: SEQUENCE
    4:d=1  hl=4 l= 621 cons: SEQUENCE
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=   1 prim: INTEGER           :01
   16:d=2  hl=2 l=  13 cons: SEQUENCE
   18:d=3  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
   29:d=3  hl=2 l=   0 prim: NULL
   31:d=2  hl=3 l= 133 cons: SEQUENCE
   34:d=3  hl=2 l=  11 cons: SET
   36:d=4  hl=2 l=   9 cons: SEQUENCE
   38:d=5  hl=2 l=   3 prim: OBJECT            :countryName
   43:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :DE
   47:d=3  hl=2 l=  15 cons: SET
   49:d=4  hl=2 l=  13 cons: SEQUENCE
   51:d=5  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
   56:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :sample
   64:d=3  hl=2 l=  15 cons: SET
   66:d=4  hl=2 l=  13 cons: SEQUENCE
   68:d=5  hl=2 l=   3 prim: OBJECT            :localityName
   73:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :sample
   81:d=3  hl=2 l=  15 cons: SET
   83:d=4  hl=2 l=  13 cons: SEQUENCE
   85:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
   90:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :sample
   98:d=3  hl=2 l=  15 cons: SET
  100:d=4  hl=2 l=  13 cons: SEQUENCE
  102:d=5  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
  107:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :sample
  115:d=3  hl=2 l=  15 cons: SET
  117:d=4  hl=2 l=  13 cons: SEQUENCE
  119:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  124:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :sample
  132:d=3  hl=2 l=  33 cons: SET
  134:d=4  hl=2 l=  31 cons: SEQUENCE
  136:d=5  hl=2 l=   9 prim: OBJECT            :emailAddress
  147:d=5  hl=2 l=  18 prim: IA5STRING         :sam...@example.com
  167:d=2  hl=2 l=  30 cons: SEQUENCE
  169:d=3  hl=2 l=  13 prim: UTCTIME           :170526140200Z
  184:d=3  hl=2 l=  13 prim: UTCTIME           :180526140200Z
  199:d=2  hl=3 l= 133 cons: SEQUENCE
  202:d=3  hl=2 l=  11 cons: SET
  204:d=4  hl=2 l=   9 cons: SEQUENCE
  206:d=5  hl=2 l=   3 prim: OBJECT            :countryName
  211:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :DE
  215:d=3  hl=2 l=  15 cons: SET
  217:d=4  hl=2 l=  13 cons: SEQUENCE
  219:d=5  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
  224:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :sample
  232:d=3  hl=2 l=  15 cons: SET
  234:d=4  hl=2 l=  13 cons: SEQUENCE
  236:d=5  hl=2 l=   3 prim: OBJECT            :localityName
  241:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :sample
  249:d=3  hl=2 l=  15 cons: SET
  251:d=4  hl=2 l=  13 cons: SEQUENCE
  253:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
  258:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :sample
  266:d=3  hl=2 l=  15 cons: SET
  268:d=4  hl=2 l=  13 cons: SEQUENCE
  270:d=5  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
  275:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :sample
  283:d=3  hl=2 l=  15 cons: SET
  285:d=4  hl=2 l=  13 cons: SEQUENCE
  287:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  292:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :sample
  300:d=3  hl=2 l=  33 cons: SET
  302:d=4  hl=2 l=  31 cons: SEQUENCE
  304:d=5  hl=2 l=   9 prim: OBJECT            :emailAddress
  315:d=5  hl=2 l=  18 prim: IA5STRING         :sam...@example.com
  335:d=2  hl=4 l= 290 cons: SEQUENCE
  339:d=3  hl=2 l=  13 cons: SEQUENCE
  341:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
  352:d=4  hl=2 l=   0 prim: NULL
  354:d=3  hl=4 l= 271 prim: BIT STRING
  629:d=1  hl=2 l=  13 cons: SEQUENCE
  631:d=2  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
  642:d=2  hl=2 l=   0 prim: NULL
  644:d=1  hl=4 l= 257 prim: BIT STRING

This affects signing certificate requests, for example. Using the
option "match" a PRINTABLESTRING doesn't match a UTF8STRING, even
if they look the same.

Of course UTF8-only can be set in the options, but IMHO xca should
create valid certificates by default.


Regards
Harri
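As an added example (not part of this report or of xca), a small pure-Python walker over a DER-encoded X.501 Name that reports the ASN.1 string type of every attribute value and flags DirectoryString attributes still encoded as PRINTABLESTRING; the sample Name at the bottom is constructed here to mirror the asn1parse output above, not taken from sample.crt, and the function and OID-table names are this example's own.

```python
# Universal ASN.1 tags of the string types seen in the report's Name
TAG_NAMES = {0x0C: "UTF8STRING", 0x13: "PRINTABLESTRING", 0x16: "IA5STRING"}

# Attribute types defined as DirectoryString (RFC 5280 appendix A), keyed by OID
# content octets (2.5.4.x -> 55 04 xx); countryName is PrintableString by definition.
DIRECTORY_STRING_OIDS = {b"\x55\x04\x03": "commonName", b"\x55\x04\x07": "localityName",
                         b"\x55\x04\x08": "stateOrProvinceName", b"\x55\x04\x0a":
                         "organizationName", b"\x55\x04\x0b": "organizationalUnitName"}

def tlv(tag, content):
    """DER-encode one TLV (short-form length only, enough for a test Name)."""
    return bytes([tag, len(content)]) + content

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def name_attributes(name_der):
    """Walk Name ::= SEQUENCE OF SET OF SEQUENCE {type, value}; one tuple per AVA."""
    out = []
    _, rdns, _ = read_tlv(name_der, 0)
    pos = 0
    while pos < len(rdns):
        _, rdn_set, pos = read_tlv(rdns, pos)        # one RelativeDistinguishedName
        p = 0
        while p < len(rdn_set):
            _, ava, p = read_tlv(rdn_set, p)         # AttributeTypeAndValue
            _, oid, q = read_tlv(ava, 0)
            vtag, value, _ = read_tlv(ava, q)
            out.append((DIRECTORY_STRING_OIDS.get(oid, oid.hex()),
                        TAG_NAMES.get(vtag, hex(vtag)), value.decode("utf-8", "replace")))
    return out

def printable_directory_strings(name_der):
    """Attributes that RFC 2459/5280 require as UTF8String but are PRINTABLESTRING."""
    return [attr for attr, tag, _ in name_attributes(name_der)
            if tag == "PRINTABLESTRING" and attr in DIRECTORY_STRING_OIDS.values()]

def rdn(oid, tag, text):
    return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(tag, text.encode())))  # SET {SEQ}

# Constructed sample Name (not the report's sample.crt): C and CN as PRINTABLESTRING
# the way xca emits them, O already encoded as UTF8STRING for contrast.
SAMPLE_NAME = tlv(0x30, rdn(b"\x55\x04\x06", 0x13, "DE")
                        + rdn(b"\x55\x04\x03", 0x13, "sample")
                        + rdn(b"\x55\x04\x0a", 0x0C, "sample"))
```

Feeding it the subject of a real certificate (the DER bytes of the Name SEQUENCE at offset 199 in the asn1parse dump) lists exactly the attributes a UTF8String-only "match" policy would reject; the two encodings of "sample" carry identical content octets and differ only in the tag byte.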
