Re: openssl-user - UTF8 characters in configuration file
Viktor and others, thanks for the tips.

I found that by using OpenSSL 1.0.1e I've been able to create the UTF8 format fields, such as:

    71:d=5 hl=2 l= 3 prim: OBJECT:commonName
    76:d=5 hl=2 l= 6 prim: UTF8STRING:Róót

However, creating the subjectAltName is not following the same pattern. In the "root_dir_sect" I've assigned CN (and a custom OID) to the same value I've assigned to commonName in "root_ca_distinguished_name":

    [ new_oid_section ]
    myOIDSN = myOIDLongName, 1.2.3.4

    [ root_ca_distinguished_name ]
    countryName = US
    stateOrProvinceName = MA
    commonName = Róót
    emailAddress = r...@abc.com
    organizationName = abc

    [ root_ca_extensions ]
    basicConstraints = CA:true
    subjectAltName = email:copy,URI: http://xyz.com.test/,dirName:root_dir_sect#

    [ root_dir_sect ]
    C = us
    O = abc
    OU = orgUnit
    CN = Róót
    1.2.3.4 = Róót

Using an ASN1 parsing tool I found that the commonName in Subject contains the C3B3 (accented o) I expected. However within subjectAltName, the dirName field the value is expanded to C3+83C2+B3 for each occurrence of "accented o".

    CN=Róót, 2.3.4=Róót

I must have also assigned the custom OID incorrectly as the preceding 1. is truncated.

Any comments are greatly appreciated.

Thanks
John Rasmussen
IBM DataPower

From: Viktor Dukhovni
To: openssl-users@openssl.org,
Date: 03/15/2013 12:06 PM
Subject: Re: openssl-user - UTF8 characters in configuration file
Sent by: owner-openssl-us...@openssl.org

On Fri, Mar 15, 2013 at 09:44:13AM +0100, Zbyn?k Krej??k wrote:

> I tried this some 2yrs ago what seemed to work (at least wins showed the
> strings in cert correctly)
>
> in
> [ req ]
> ...
> distinguished_name = req_distinguished_name
> attributes = req_attributes
> string_mask = utf8only
> utf8 = yes

FWIW with OpenSSL 1.0.1e just "string_mask" is sufficient, but "utf8" is neither sufficient nor necessary.

    $ cat foo.cnf
    [ req ]
    distinguished_name = dn
    prompt = no
    string_mask = utf8only

    [ dn ]
    countryName = US
    stateOrProvinceName = New York
    localityName = New York
    organizationName = Example Corp
    commonName = mail.example.com

    [ v3_req ]
    extendedKeyUsage = serverAuth, clientAuth

    $ openssl req -new -config foo.cnf -reqexts v3_req -key key.pem | openssl asn1parse
    0:d=0 hl=4 l= 335 cons: SEQUENCE
    4:d=1 hl=3 l= 247 cons: SEQUENCE
    7:d=2 hl=2 l= 1 prim: INTEGER :00
    10:d=2 hl=2 l= 101 cons: SEQUENCE
    12:d=3 hl=2 l= 11 cons: SET
    14:d=4 hl=2 l= 9 cons: SEQUENCE
    16:d=5 hl=2 l= 3 prim: OBJECT:countryName
    21:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US
    25:d=3 hl=2 l= 17 cons: SET
    27:d=4 hl=2 l= 15 cons: SEQUENCE
    29:d=5 hl=2 l= 3 prim: OBJECT:stateOrProvinceName
    34:d=5 hl=2 l= 8 prim: UTF8STRING:New York
    44:d=3 hl=2 l= 17 cons: SET
    46:d=4 hl=2 l= 15 cons: SEQUENCE
    48:d=5 hl=2 l= 3 prim: OBJECT:localityName
    53:d=5 hl=2 l= 8 prim: UTF8STRING:New York
    63:d=3 hl=2 l= 21 cons: SET
    65:d=4 hl=2 l= 19 cons: SEQUENCE
    67:d=5 hl=2 l= 3 prim: OBJECT:organizationName
    72:d=5 hl=2 l= 12 prim: UTF8STRING:Example Corp
    86:d=3 hl=2 l= 25 cons: SET
    88:d=4 hl=2 l= 23 cons: SEQUENCE
    90:d=5 hl=2 l= 3 prim: OBJECT:commonName
    95:d=5 hl=2 l= 16 prim: UTF8STRING:mail.example.com
    ...

--
Viktor.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
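
The expansion of C3 B3 to C3 83 C2 B3 reported in the message above is what results when UTF-8 bytes are read as Latin-1 and encoded to UTF-8 a second time. The following is an added example, not part of the original thread and not OpenSSL code: a small DER walker that reports each string's ASN.1 type and flags values that look double-encoded. The function names and the sample bytes are constructed for illustration.

```python
# Added example: audit DER string values for string type and double-encoded UTF-8.
STRING_TAGS = {0x0C: "UTF8STRING", 0x13: "PRINTABLESTRING", 0x14: "T61STRING"}

def walk(der):
    """Yield (tag, value) for each primitive TLV; low tag numbers only."""
    i = 0
    while i < len(der):
        tag, length = der[i], der[i + 1]
        i += 2
        if length & 0x80:                        # long-form length
            n = length & 0x7F
            length = int.from_bytes(der[i:i + n], "big")
            i += n
        value = der[i:i + length]
        i += length
        if tag & 0x20:                           # constructed: SEQUENCE, SET, [n]
            yield from walk(value)
        else:
            yield tag, value

def is_double_encoded(value):
    """Heuristic: value is valid UTF-8 whose Latin-1 re-encoding is again
    valid UTF-8, i.e. UTF-8 bytes were read as Latin-1 and encoded once more."""
    try:
        inner = value.decode("utf-8").encode("latin-1")
        inner.decode("utf-8")
    except (UnicodeDecodeError, UnicodeEncodeError):
        return False
    return inner != value

def audit(der):
    """Return [(type_name, text, double_encoded)] for every string value."""
    return [(STRING_TAGS[tag], val.decode("utf-8", "replace"), is_double_encoded(val))
            for tag, val in walk(der) if tag in STRING_TAGS]

def tlv(tag, body):
    """Encode one TLV; short-form length only (body < 128 bytes)."""
    return bytes([tag, len(body)]) + body

# Constructed sample (not from a real certificate): two commonName attributes,
# one encoded once and one encoded twice.
CN_OID = bytes.fromhex("0603550403")             # OBJECT commonName (2.5.4.3)
GOOD = "Róót".encode("utf-8")                    # 52 c3b3 c3b3 74
BAD = GOOD.decode("latin-1").encode("utf-8")     # 52 c383c2b3 c383c2b3 74
SAMPLE = tlv(0x30, b"".join(
    tlv(0x31, tlv(0x30, CN_OID + tlv(0x0C, v))) for v in (GOOD, BAD)))

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

The check is a heuristic: a value that legitimately contains a sequence such as "Ã³" would also be flagged, so treat a hit as a prompt to compare against the intended text.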
RE: openssl-user - UTF8 characters in configuration file
Hi Rich!

Glad to hear from you and hope all is well! Thanks for the tip, but I haven't cracked this nut yet.

I've tried several permutations of:

- the UTF8 flag on req
  - openssl req -x509 -newkey rsa:1024 -out rootcacert.pem -utf8 -outform PEM
- the no UTF8 flag on req
  - openssl req -x509 -newkey rsa:1024 -out rootcacert.pem -outform PEM
- the utf8 = yes in [ req ]
- the string_mask = utf8only
- and vice versa

I'd been using ASCII characters (still valid UTF), so I thought I'd use proper UTF and thus:

    commonName = Róót

Which looks good in HEX (C3B3) = o with accent

    5c0: 696f 6e73 0d0a 0d0a 5b20 726f 6f74 5f63 ions[ root_c
    5d0: 615f 6469 7374 696e 6775 6973 6865 645f a_distinguished_
    5e0: 6e61 6d65 205d 0d0a 0d0a 636f 6d6d 6f6e name ]common
    5f0: 4e61 6d65 2020 2020 2020 2020 2020 2020 Name
    600: 2020 3d20 52c3 b3c3 b374 0d0a 7374 6174 = Rt..stat
    610: 654f 7250 726f 7669 6e63 654e 616d 6520 eOrProvinceName
    620: 2020 2020 3d20 4d41 0d0a 636f 756e 7472 = MA..countr
    630: 794e 616d 6520 2020 2020 2020 2020 2020 yName

I also tried

- commonName = UTF8:Róót
- commonName = UTF8STRING:Róót
- commonName = UTF8String:Róót

And all seem to yield:

    163:d=5 hl=2 l= 3 prim: OBJECT:commonName
    168:d=5 hl=2 l= 4 prim: T61STRING :R▒▒t

Which is a change from PRINTABLESTRING anyway. Still hoping to get this working.

Cheers
John

From: "Salz, Rich"
To: "openssl-users@openssl.org" ,
Cc: "owner-openssl-us...@openssl.org"
Date: 03/14/2013 12:53 PM
Subject: RE: openssl-user - UTF8 characters in configuration file
Sent by: owner-openssl-us...@openssl.org

Hi John!

Looking at apps/req.c, it seems you want to use the -utf8 flag (or put utf8: yes in your conf file [req] section) and not prefix the string with an identifier.

--
Principal Security Engineer
Akamai Technology
Cambridge, MA
Re: openssl-user - UTF8 characters in configuration file
Hi Walter,

Thanks for that, but I have tried those options also, I must be missing something else?

    commonName = UTF8String:Root

    45:d=5 hl=2 l= 3 prim: OBJECT:commonName
    50:d=5 hl=2 l= 15 prim: PRINTABLESTRING :UTF8String:Root

    commonName = UTF8:Root

    168:d=5 hl=2 l= 3 prim: OBJECT:commonName
    173:d=5 hl=2 l= 9 prim: PRINTABLESTRING :UTF8:Root

From: "Walter H."
To: openssl-users@openssl.org,
Cc: rasmu...@us.ibm.com
Date: 03/14/2013 12:32 PM
Subject: Re: openssl-user - UTF8 characters in configuration file
Sent by: owner-openssl-us...@openssl.org

Hello John,

I had the same problem; the solution is just:

UTF8String or UTF8

and not UTF8STRING

Walter

On 14.03.2013 17:06, rasmu...@us.ibm.com wrote:

> I'm using the following configuration file section in an attempt to create a CA with UTF8 characters in subject (and other) fields.
>
>     string_mask = utf8only
>     prompt = no
>
>     [ req ]
>     default_bits = 2048
>     default_keyfile = /opt/rasmussjCa/private/cakey.pem
>     default_md = md5
>     prompt = no
>     distinguished_name = root_ca_distinguished_name
>     x509_extensions = root_ca_extensions
>
>     [ root_ca_distinguished_name ]
>     commonName = UTF8STRING:Root
>     stateOrProvinceName = MA
>     countryName = US
>     emailAddress = r...@abc.com
>     organizationName = abc
>
> When I use "commonName = UTF8STRING:Root", I am getting a format=PRINTABLESTRING containing the "UTF8STRING:Root" value
>
>     45:d=5 hl=2 l= 3 prim: OBJECT:commonName
>     50:d=5 hl=2 l= 15 prim: PRINTABLESTRING :UTF8STRING:Root
>
> Not a UTF8STRING format as I'm expecting such as this ...
>
>     108:d=5 hl=2 l= 3 prim: OBJECT:commonName
>     113:d=5 hl=2 l= 23 prim: UTF8STRING:XX
>
> In addition to "string_mask = utf8", I've also tried the -utf8 option on the req with the same results:
>
>     openssl req -x509 -newkey rsa:1024 -out rootcacert.pem -utf8 -outform PEM
>
> +++
>
> In addition when I try to assign a policy "root_commonName" to the commonName field
>
>     commonName = root_commonName
>     stateOrProvinceName = MA
>     countryName = US
>     emailAddress = r...@abc.com
>     organizationName = abc
>
>     [ root_commonName ]
>     commonName = UTF8STRING:Root
>
> I am just getting the "root_commonName" policy assigned to the field rather than the "UTF8STRING:Root" value assigned within the policy
>
>     174:d=5 hl=2 l= 3 prim: OBJECT:commonName
>     179:d=5 hl=2 l= 15 prim: T61STRING :root_commonName
>
> Any comments are greatly appreciated.
>
> Thanks
> John
openssl-user - UTF8 characters in configuration file
I'm using the following configuration file section in an attempt to create a CA with UTF8 characters in subject (and other) fields.

    string_mask = utf8only
    prompt = no

    [ req ]
    default_bits = 2048
    default_keyfile = /opt/rasmussjCa/private/cakey.pem
    default_md = md5
    prompt = no
    distinguished_name = root_ca_distinguished_name
    x509_extensions = root_ca_extensions

    [ root_ca_distinguished_name ]
    commonName = UTF8STRING:Root
    stateOrProvinceName = MA
    countryName = US
    emailAddress = r...@abc.com
    organizationName = abc

When I use "commonName = UTF8STRING:Root", I am getting a format=PRINTABLESTRING containing the "UTF8STRING:Root" value

    45:d=5 hl=2 l= 3 prim: OBJECT:commonName
    50:d=5 hl=2 l= 15 prim: PRINTABLESTRING :UTF8STRING:Root

Not a UTF8STRING format as I'm expecting such as this ...

    108:d=5 hl=2 l= 3 prim: OBJECT:commonName
    113:d=5 hl=2 l= 23 prim: UTF8STRING:XX

In addition to "string_mask = utf8", I've also tried the -utf8 option on the req with the same results:

    openssl req -x509 -newkey rsa:1024 -out rootcacert.pem -utf8 -outform PEM

+++

In addition when I try to assign a policy "root_commonName" to the commonName field

    commonName = root_commonName
    stateOrProvinceName = MA
    countryName = US
    emailAddress = r...@abc.com
    organizationName = abc

    [ root_commonName ]
    commonName = UTF8STRING:Root

I am just getting the "root_commonName" policy assigned to the field rather than the "UTF8STRING:Root" value assigned within the policy

    174:d=5 hl=2 l= 3 prim: OBJECT:commonName
    179:d=5 hl=2 l= 15 prim: T61STRING :root_commonName

Any comments are greatly appreciated.

Thanks
John