Victor Duchovni <[EMAIL PROTECTED]> writes:

>It took reading the code to determine the following:
>    - ASN.1 Strings extracted from X.509v3 certs are not validated for
>    conformance with the declared character syntax. Strings of type
>    PrintableString or IA5String may hold non-printable or non-ASCII
>    data.

Just a word in OpenSSL's defence: see the X.509 Style Guide for the reasoning
behind this.  I don't think any ASN.1-using security toolkit since TIPEM has
done character-set checking; it would fail to verify a large chunk of the
certs out there (I once had a TIPEM user complain to me that they had to stop
using it specifically because it would reject invalid character strings, which
encompassed a nontrivial portion of their user base).
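
The conformance check discussed in this message, as an added example that is not part of the original email and is not OpenSSL or TIPEM code: a small DER walker that reports PrintableString and IA5String values whose bytes fall outside the declared alphabet, rather than rejecting the whole structure. The function names and the sample bytes are constructed for illustration; the walker assumes single-byte tags and descends only into constructed elements.

```python
import string

# PrintableString alphabet per X.680; IA5String is 7-bit ASCII.
PRINTABLE = set((string.ascii_letters + string.digits + " '()+,-./:=?").encode())
CHECKS = {
    0x13: ("PrintableString", lambda b: all(c in PRINTABLE for c in b)),
    0x16: ("IA5String", lambda b: all(c < 0x80 for c in b)),
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form length: next n bytes
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, pos, pos + length

def nonconforming_strings(buf, start=0, end=None):
    """List (type, offset, raw bytes) for strings that violate their declared type."""
    end = len(buf) if end is None else end
    findings, pos = [], start
    while pos < end:
        tag, vs, ve = read_tlv(buf[:end], pos)
        if tag & 0x20:                    # constructed (SEQUENCE, SET, ...): descend
            findings += nonconforming_strings(buf, vs, ve)
        elif tag in CHECKS and not CHECKS[tag][1](buf[vs:ve]):
            findings.append((CHECKS[tag][0], pos, bytes(buf[vs:ve])))
        pos = ve
    return findings

def tlv(tag, value):
    """Build a TLV for the constructed sample below (short-form lengths only)."""
    return bytes([tag, len(value)]) + value

# Constructed sample: a SEQUENCE holding two conforming and two nonconforming strings.
SAMPLE = tlv(0x30, tlv(0x13, b"Example CA") + tlv(0x13, b"Example\x00CA")
             + tlv(0x16, b"admin@example.com") + tlv(0x16, b"caf\xe9@example.com"))
```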


