The countryName field is a PrintableString, that's mandatory (see X.520).
It also MUST be 2 characters long, but that's not enforced by OpenSSL.
--
Erwann ABALEA
On 28/03/2013 14:33, Joseba Gil Irisarri via RT wrote:
Hello,
I'm using OpenSSL 1.0.1c as a CA to sign a corporate certificate. OpenSSL is
configured as follows:
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only
All the strings that my certificate contains are UTF8String, but when trying to
sign it with OpenSSL CA, it returns the following mismatch error:
The countryName field needed to be the same in the CA certificate <DE> and the
request <DE>
When parsing the OpenSSL CA certificate, I found out the countryName field is
coded as PrintableString, while in my certificate is coded as UTF8String, hence
the error. The rest of the string fields are coded as UTF8String in both the CA
certificate and the request.
My question here is, if OpenSSL string_mask is configured as utf8only, why is
the countryName field coded as PrintableString? Shouldn't all fields be coded
as UTF8String? Perhaps I misunderstood the meaning and use of the string_mask,
so I would greatly appreciate if you could explain to me whether this is a bug
or just correct behaviour.
Thanks a lot in advance for your help.
Best regards,
Joseba Gil
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
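
Added example, not part of the thread and not OpenSSL code: a small Python DER reader that reports which ASN.1 string type countryName uses in a Name and flags the two X.520 conditions mentioned in the reply (PrintableString, 2 characters). The helper names and the two sample Names are constructed for illustration; both samples carry the value DE, differing only in string type.

```python
# Added example (assumed helper names, constructed input); not OpenSSL code.
OID_COUNTRY = bytes([0x55, 0x04, 0x06])  # 2.5.4.6 countryName
TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "T61String", 0x1E: "BMPString"}

def tlv(buf, pos):  # -> (tag, value, next_pos) for the DER element at pos
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # yields (tag, value) for each element in a constructed value
    pos = 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        yield tag, val

def country_encoding(name_der):
    """Return (string type, text) of countryName in a DER Name, or None if absent."""
    _, rdns, _ = tlv(name_der, 0)
    for _, rdn in children(rdns):        # each RDN is a SET
        for _, atv in children(rdn):     # of AttributeTypeAndValue SEQUENCEs
            (t1, oid), (t2, val) = list(children(atv))[:2]
            if t1 == 0x06 and oid == OID_COUNTRY:
                return TAGS.get(t2, hex(t2)), val.decode("utf-8", "replace")

def check_country(name_der):
    """List deviations from X.520: PrintableString, exactly 2 characters."""
    found = country_encoding(name_der)
    if found is None:
        return ["no countryName"]
    kind, value = found
    checks = [(kind == "PrintableString", f"countryName is {kind}, expected PrintableString"),
              (len(value) == 2, f"countryName has {len(value)} characters, expected 2")]
    return [msg for ok, msg in checks if not ok]

def el(tag, body):  # DER element with short-form length (enough for the samples)
    return bytes([tag, len(body)]) + body

def build_name(country_tag, country, cn):  # constructed sample Name: C + UTF8String CN
    c = el(0x31, el(0x30, el(0x06, OID_COUNTRY) + el(country_tag, country.encode())))
    n = el(0x31, el(0x30, el(0x06, b"\x55\x04\x03") + el(0x0C, cn.encode())))
    return el(0x30, c + n)

CA_NAME = build_name(0x13, "DE", "Example CA")     # PrintableString country
REQ_NAME = build_name(0x0C, "DE", "Example Host")  # UTF8String country
```

To run it on a real certificate or request, pass the DER bytes of its subject or issuer Name to `check_country`.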