Re: How can I add 8-bit charset/unicode strings to certs?
On Wed, Nov 13, 2002 at 09:35:47AM +0100, Karl-Michael Werzowa wrote:
> letters, etc. (If you use an Ö or Ä it may be easy, but what about Hungarian, Slovak, Croatian characters? How to type these? Do you know the possible transcripts?) The best way seems to be to have an ascii transcript and the full BMPString in LDAP and certificates.

Don't get me started! :-)

As it is, we're talking about Microsoft Active Directory LDAP here - so I need to find out just what that is from a charset point of view. I mean, M$ make a big thing over Unicode - but the LDAP data certainly isn't Unicode.

In fact, from what I can find off Google, LDAP (including AD) uses ISO-10646 - which is a superset of Unicode. Apparently all standard ASCII chars stay the same, and the rest are converted into the double-byte Unicode. However, I'm definitely getting ASCII-8bit chars out of LDAP - so I don't know what the hell's going on :-)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: How can I add 8-bit charset/unicode strings to certs?
At 11:42 14.11.2002 +1300, you wrote:
> On Wed, Nov 13, 2002 at 09:35:47AM +0100, Karl-Michael Werzowa wrote:
> > letters, etc. (If you use an Ö or Ä it may be easy, but what about Hungarian, Slovak, Croatian characters? How to type these? Do you know the possible transcripts?) The best way seems to be to have an ascii transcript and the full BMPString in LDAP and certificates.
>
> Don't get me started! :-)
>
> As it is, we're talking about Microsoft Active Directory LDAP here - so I need to find out just what that is from a charset point of view. I mean, M$ make a big thing over Unicode - but the LDAP data certainly isn't Unicode.
>
> In fact, from what I can find off Google, LDAP (including AD) uses ISO-10646 - which is a superset of Unicode. Apparently all standard ASCII chars stay the same, and the rest are converted into the double-byte Unicode. However, I'm definitely getting ASCII-8bit chars out of LDAP - so I don't know what the hell's going on :-)
>
> --
> Cheers
> Jason Haar

LDAP normally uses UTF-8, which is a way to encode iso-10646 characters. 7bit ascii looks the same in utf-8 and ascii, but higher up the charset the encoding takes 2 (in case of a simple Ö) to 6 characters.

And that works. I have a CA with an ö in its name, and I can fetch its CRL from LDAP without problems.

One hint: Your LDAP server might behave differently depending on the client's version number. Do you use version 3? See RFC2553.

Jörn (Guess why there is an ö in my CA certificate)
Re: How can I add 8-bit charset/unicode strings to certs?
Hi, Jason!

Some input, maybe it helps:

To my understanding, UTF8 would encode
Ö as \xc3\x96 and
Ä as \xc3\x84

D6 is 214, which is the position in ISO8859-1 of the Ouml (Ö). So, LDAP exported iso8859-1 (or so) I suppose, and not UTF8. (With Mozilla it could be that you use some non-iso translation.)

Best regards, Michael

On 2002-11-12 at 4:51, Jason Haar wrote at [EMAIL PROTECTED]:
> Hi there
>
> I want to generate certs from our internal LDAP server. We have people from all over the world here, and so some of these entries have 8bit chars in their names (shock! horror!)
>
> Now I went off and generated a cert for one Frank Österberg (that's an O with two dots on top), and when I vi the PEM afterwards I see \xD6sterberg. However, under Mozilla Import, the name shows up as A?sterberg (the A has two dots on top) - not the same thing.
>
> Is this an issue with the Unix (Linux BTW) system doing some ISO charset, but Openssl expecting unicode? If so, what is the correct way to do this?
>
> Thanks in advance for any help - my poor ASCII brain is feeling overwhelmed :-)

--
Karl-Michael Werzowa
A-1190 Wien, Paradisgasse 28/4/6
+43 (664)302 4511, fax +43 (1)328 1992 14
[EMAIL PROTECTED], [EMAIL PROTECTED]
Re: How can I add 8-bit charset/unicode strings to certs?
At 16:51 12.11.2002 +1300, you wrote:
> Hi there
>
> I want to generate certs from our internal LDAP server. We have people from all over the world here, and so some of these entries have 8bit chars in their names (shock! horror!)
>
> Now I went off and generated a cert for one Frank Österberg (that's an O with two dots on top), and when I vi the PEM afterwards I see \xD6sterberg. However, under Mozilla Import, the name shows up as A?sterberg (the A has two dots on top) - not the same thing.
>
> Is this an issue with the Unix (Linux BTW) system doing some ISO charset, but Openssl expecting unicode? If so, what is the correct way to do this?
>
> Thanks in advance for any help - my poor ASCII brain is feeling overwhelmed :-)
>
> --
> Cheers
> Jason Haar

You didn't exactly specify whether your problem is with LDAP or with certificates.

With certificates, each RDN (that's a relative distinguished name, like C=DE) may be encoded in a number of encodings. C=DE would probably be PRINTABLE-STRING. Other popular ones are IA5/7bitASCII, T61/TELETEX, BMP/UCS-2 or UTF8.

In T61, an Ö (0x00D6) would be 0xc8 0x4F.
In BMP it would be 0x00 0xD6.
In UTF8, it would be 0xc3 0x96.

Problem is, I don't know any encoding that would translate an Ö (unicode 0x00D6) into \xD6. Really. The ANSI or Latin-1 or whatever you want to call it is not a featured charset in certificate encoding. So. Your certificate is wrong.

With LDAP, charsets are even worse. Read some RFCs. ww.rfc-editor.org has a search engine, type LDAP.

To find out what encoding your \xD6sterberg is, check the two bytes before it. The 1st would be the type, then the length.

Jörn
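Added example, not part of any post in this thread: a Python version of the check Jörn describes, reading the tag and length bytes in front of the string to see which ASN.1 string type the name was given and whether its bytes fit that type. The tag numbers are the standard universal ASN.1 tags; the function name `inspect_string_tlv` and the sample TLVs are constructed for illustration.

```python
# Added example (not from the thread). Universal ASN.1 tag numbers for the
# string types named above; the sample TLVs at the bottom are constructed.
STRING_TAGS = {
    0x0C: ("UTF8String", "utf-8"),
    0x13: ("PrintableString", "ascii"),  # ascii is a looser check than the real alphabet
    0x14: ("T61String", None),           # Teletex: no stdlib codec, not validated here
    0x16: ("IA5String", "ascii"),
    0x1E: ("BMPString", "utf-16-be"),
}

def inspect_string_tlv(der: bytes) -> dict:
    """Read one short-form DER TLV (tag, length, value) and test the value
    against the character set that its tag declares."""
    if len(der) < 2:
        raise ValueError("need a tag byte and a length byte")
    tag, length = der[0], der[1]
    if length & 0x80:
        raise ValueError("long-form length is not handled in this example")
    value = der[2:2 + length]
    if len(value) != length:
        raise ValueError("value is shorter than the declared length")
    name, codec = STRING_TAGS.get(tag, ("unknown tag 0x%02X" % tag, None))
    report = {"type": name, "raw": value.hex(), "valid": None, "text": None,
              # How a viewer that assumes ISO 8859-1 would render the same bytes.
              "latin1_view": value.decode("latin-1")}
    if codec is not None:
        try:
            report["text"] = value.decode(codec)
            report["valid"] = True
        except UnicodeDecodeError:
            report["valid"] = False
    return report

NAME = "\u00d6sterberg"  # constructed sample name
SAMPLES = {
    "raw 0xD6 labelled PrintableString": b"\x13\x09\xd6sterberg",
    "UTF8String": b"\x0c\x0a" + NAME.encode("utf-8"),
    "BMPString": b"\x1e\x12" + NAME.encode("utf-16-be"),
    "T61String carrying Latin-1 bytes": b"\x14\x09\xd6sterberg",
}

if __name__ == "__main__":
    for label, tlv in SAMPLES.items():
        print(label, inspect_string_tlv(tlv))
```

A `valid` of `False` means the bytes do not belong to the declared type, which is the "your certificate is wrong" case; `latin1_view` shows why a Latin-1 viewer renders UTF-8 bytes as two characters.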
Re: How can I add 8-bit charset/unicode strings to certs?
At 16:51 12.11.2002 +1300, you wrote:
> Now I went off and generated a cert for one Frank Österberg (that's an O with two dots on top), and when I vi the PEM afterwards I see \xD6sterberg.

Run your PEM through

    openssl asn1parse -dump -in myfile.pem

That will display the encoding. Post the result (just your funny string, not the entire cert dump) here to get more help.

Jörn
Re: How can I add 8-bit charset/unicode strings to certs?
On Tue, Nov 12, 2002, Jason Haar wrote:
> Hi there
>
> I want to generate certs from our internal LDAP server. We have people from all over the world here, and so some of these entries have 8bit chars in their names (shock! horror!)
>
> Now I went off and generated a cert for one Frank Österberg (that's an O with two dots on top), and when I vi the PEM afterwards I see \xD6sterberg. However, under Mozilla Import, the name shows up as A?sterberg (the A has two dots on top) - not the same thing.
>
> Is this an issue with the Unix (Linux BTW) system doing some ISO charset, but Openssl expecting unicode? If so, what is the correct way to do this?
>
> Thanks in advance for any help - my poor ASCII brain is feeling overwhelmed :-)

This is an almighty can of worms...

If you want to use OpenSSL to generate these things you can mess around with the config files to accept input as UTF8 and you have to arrange the terminal to output UTF8 sequences, or whatever method you use.

However there are lots of different ways of encoding these things in certificates. The correct way is to use a BMPString or better still UTF8String. However some software will not handle this properly, in particular some versions of Netscape without PSM will crash horribly if they see such things in a certificate and some versions of MSIE don't display UTF8Strings IIRC.

MSIE and Netscape may display these things if they are included in a T61String. However they don't use the T61String encoding but instead interpret it as ISO8859-1: or at least they do on my system, it may just be using the local character set.

Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
Re: How can I add 8-bit charset/unicode strings to certs?
On Tue, Nov 12, 2002 at 02:02:33PM +0100, Dr. Stephen Henson wrote:
> This is an almighty can of worms...
>
> If you want to use OpenSSL to generate these things you can mess around with the config files to accept input as UTF8 and you have to arrange the terminal to output UTF8 sequences, or whatever method you use.
> ...

Interesting responses. Does this actually imply that PKI's in general don't support non-ASCII well, or is this specifically an integration issue I'm facing as I'm pulling data out of one system (LDAP) and injecting it into OpenSSL?

I mean, how do commercial packages handle non-ASCII? e.g. Microsoft CA?

The reality is that I am pulling user details out of an Active Directory LDAP environment, and want to generate certs. Supposedly this all works under M$ CA integrated with Active Directory - of course Active Directory could be supplying such details in Unicode to M$ CA whereas it shows up as an ASCII-8bit charset via LDAP...

Would a good plan be to:

1. find out what charset LDAP returns in
2. find a way to translate those strings into unicode
3. feed the result into OpenSSL with string_mask=utf8only

?

I see there's a warning saying that utf8only can crash some versions of Netscape, but only the people with 8bit names are going to ever see these certs anyway, and if their browser crashes on it, well - that's their problem :-)

Thanks

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: How can I add 8-bit charset/unicode strings to certs?
On Wed, Nov 13, 2002 at 09:20:51AM +1300, Jason Haar wrote:
> 1. find out what charset LDAP returns in
> 2. find a way to translate those strings into unicode
> 3. feed the result into OpenSSL with string_mask=utf8only

Actually, it wasn't as hard as all that. Instead I set string_mask=pkix and regenerated the cert. Now both Mozilla 1.1 and IE 5.0 correctly see the O-umlaut.

[currently we don't appear to have anyone with Kanji names, so I'll forget about that fight until later! ;-)]

Thanks for your help.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1