My application uses X.509 certificates with the commonName field set to the 
following format:

number#UserName,

for example

12345#JohnSmith

Everything is OK when UserName is in ASCII, but when I sign new certificates 
using this command, for example:

openssl ca -config ca_config.txt -subj "/CN=30000#тестტესტ中国" -utf8 -batch -notext -out 30000.pem -in /tmp/CSR-file

and the subject contains non-ASCII characters in UTF-8 encoding, the resulting 
certificate's CN looks this way:

$ openssl x509 -in 30000.pem -subject  -noout

subject= /CN=\x003\x000\x000\x000\x000\x00#\x04B\x045\x04A\x04B\x10\xE2\x10\xD4\x10\xE1\x10\xE2N-V\xFD

It looks like the string "30000" is literally encoded as a sequence of bytes with 
the corresponding decimal values, not as a sequence of ASCII codes for the characters 
"3", "0", "0",...

After adding -nameopt oneline,-esc_msb,utf8 the result looks fine:

$ openssl x509 -in 0/0_cert.pem -subject -nameopt oneline,-esc_msb,utf8 -noout

subject= CN = 30000#тестტესტ中国


I call the X509_NAME_oneline() function inside my application to get the CN string, 
and the application fails to convert the number from the CN field to an integer, because 
X509_NAME_oneline() returns "/CN=\x003\x000\x000\x000\x000\x00#" instead of 
"CN=30000#...".

Probably I should use X509_NAME_print_ex(), but I have doubts whether this string 
encoding is correct and how it would work with other software. For example, 
certtool from GnuTLS outputs the subject string in this way:

$ certtool -i --infile 30000.pem

...skipped...

        Subject: CN=#003300300030003000300023044204350441044210e210d410e110e24e2d56fd
...skipped...

There are no such problems in "openssl req". I can set UTF8 strings with 
numbers in certificate requests and the resulting certificate is OK for me, but I 
need to ignore the subject from certificate requests and set my own value.


Is it possible to fix the "openssl ca" command somehow to encode numbers in UTF8 
strings as strings, not numbers?
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
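
Added example (not part of the original message and not OpenSSL code): the CN bytes in the certtool dump above read as big-endian 16-bit code units, the layout of an ASN.1 BMPString, so an application can convert them to UTF-8 and then strictly parse the number#UserName form. The function names, the SAMPLE_CN array name and the 9-digit limit are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample: the CN value bytes from the certtool hex dump above. */
static const unsigned char SAMPLE_CN[] = {
    0x00,0x33,0x00,0x30,0x00,0x30,0x00,0x30,0x00,0x30,0x00,0x23,
    0x04,0x42,0x04,0x35,0x04,0x41,0x04,0x42,0x10,0xe2,0x10,0xd4,
    0x10,0xe1,0x10,0xe2,0x4e,0x2d,0x56,0xfd
};

/* Decode big-endian 16-bit units (BMPString content) to NUL-terminated UTF-8.
 * Returns the UTF-8 length, or -1 on odd length, U+0000, a surrogate code
 * unit, or an output buffer that is too small. */
int bmp_to_utf8(const unsigned char *in, size_t inlen, char *out, size_t outsz)
{
    size_t o = 0;
    if (inlen % 2 != 0 || outsz == 0)
        return -1;
    for (size_t i = 0; i < inlen; i += 2) {
        unsigned cp = ((unsigned)in[i] << 8) | in[i + 1];
        /* An embedded NUL would silently truncate the name in C code. */
        if (cp == 0 || (cp >= 0xD800 && cp <= 0xDFFF) || o + 4 > outsz)
            return -1;
        if (cp < 0x80) {
            out[o++] = (char)cp;
        } else if (cp < 0x800) {
            out[o++] = (char)(0xC0 | (cp >> 6));
            out[o++] = (char)(0x80 | (cp & 0x3F));
        } else {
            out[o++] = (char)(0xE0 | (cp >> 12));
            out[o++] = (char)(0x80 | ((cp >> 6) & 0x3F));
            out[o++] = (char)(0x80 | (cp & 0x3F));
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Strict parse of "number#UserName": digits only, then '#', then a non-empty
 * name. The 9-digit cap (keeps the value inside a long) is an assumption. */
int parse_cn(const char *cn, long *id, const char **user)
{
    size_t n = strspn(cn, "0123456789");
    if (n == 0 || n > 9 || cn[n] != '#' || cn[n + 1] == '\0')
        return -1;
    *id = 0;
    for (size_t i = 0; i < n; i++)
        *id = *id * 10 + (cn[i] - '0');
    *user = cn + n + 1;   /* points into cn, not a copy */
    return 0;
}
```

In an application that already links OpenSSL, ASN1_STRING_to_UTF8() performs the UTF-8 conversion on the CN entry's ASN1_STRING, after which the same strict parse applies.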