Thor Lancelot Simon wrote:
Can I assume that any data returned when I access the DN of a peer's
certificate using OpenSSL are ASCII or UTF8?  If not, how do I tell
the difference?

I think I understand that DNs not encoded as UTF8String should not
have high-bit characters in them -- so if I do this:

X509_NAME_oneline(X509_get_subject_name(peer), buf, BUFSIZ), suffix)

I should be able to tell any application using the data that the
character set for the data is UTF8, or, if I don't find any Unicode
sequences in it, ASCII.  Is that right?  I don't see a way to find
out what ASN.1 type X509_get_subject_name actually fetched the data
from...

X509_NAME_oneline is too coarse for getting this info; if you actually need to know then you should use the other APIs:

X509_NAME *name;
X509_NAME_ENTRY *ne;
ASN1_OBJECT *obj;
ASN1_STRING *str;

ne = X509_NAME_get_entry( name, i );
obj = X509_NAME_ENTRY_get_object( ne );
str = X509_NAME_ENTRY_get_data( ne );

switch (str->type) {
        case V_ASN1_UNIVERSALSTRING:
            /* This uses 32-bit ISO 10646-1 */
            csize = 4; goto to_utf8;
        case V_ASN1_BMPSTRING:
            /* This uses 16-bit ISO 10646-1 */
            csize = 2; goto to_utf8;
        case V_ASN1_T61STRING:
            /* This uses 8-bit, assume ISO 8859-1 */
            csize = 1;
to_utf8:        rc = ldap_ucs_to_utf8s( &Val, csize, &newAVA->la_value );
            newAVA->la_flags |= LDAP_AVA_FREE_VALUE;
            if (rc != LDAP_SUCCESS) goto nomem;
            newAVA->la_flags = LDAP_AVA_NONPRINTABLE;
            break;
        case V_ASN1_UTF8STRING:
            newAVA->la_flags = LDAP_AVA_NONPRINTABLE;
            /* This is already in UTF-8 encoding; fall through */
        case V_ASN1_IA5STRING:
        case V_ASN1_PRINTABLESTRING:
            /* These are always 7-bit strings */
            newAVA->la_value = Val;
            break;
        default:
            break;
}

You can see the full working example of this code in this older code from OpenLDAP 2.3:

http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/getdn.c.diff?r1=1.136&r2=1.137&hideattic=1&sortbydate=0&f=h


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List
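
Added example (not part of the original message, and not OpenLDAP or OpenSSL code): a self-contained C version of the per-type conversion that the switch in the reply performs, with the ASN.1 tag numbers written out locally so it builds without OpenSSL. The names dn_value_to_utf8, put_utf8 and the T_* constants are hypothetical, and rejecting high-bit bytes in 7-bit types, truncated characters and surrogates is an assumption added here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* ASN.1 universal tag numbers (same values as OpenSSL's V_ASN1_* constants). */
enum { T_UTF8 = 12, T_PRINTABLE = 19, T_T61 = 20, T_IA5 = 22,
       T_UNIVERSAL = 28, T_BMP = 30 };

/* Encode one code point as UTF-8; returns bytes written, 0 if not encodable. */
static size_t put_utf8(uint32_t cp, unsigned char *o)
{
    size_t n, i;
    if ((cp >= 0xD800 && cp <= 0xDFFF) || cp > 0x10FFFF) return 0;
    if (cp < 0x80) { o[0] = (unsigned char)cp; return 1; }
    n = cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
    for (i = n - 1; i > 0; i--, cp >>= 6)       /* continuation bytes, last first */
        o[i] = (unsigned char)(0x80 | (cp & 0x3F));
    o[0] = (unsigned char)((0xF00 >> n) | cp);  /* lead byte 0xC0, 0xE0 or 0xF0 */
    return n;
}

/* Convert a DN value to UTF-8 by its ASN.1 string type; -1 if malformed or too long. */
long dn_value_to_utf8(int type, const unsigned char *in, size_t len,
                      unsigned char *out, size_t cap)
{
    size_t csize, i, j, k, n = 0;
    switch (type) {
    case T_UNIVERSAL: csize = 4; break;   /* 32-bit ISO 10646-1 */
    case T_BMP:       csize = 2; break;   /* 16-bit ISO 10646-1 */
    case T_T61:                           /* 8-bit, assumed ISO 8859-1 */
    case T_IA5: case T_PRINTABLE: csize = 1; break;  /* 7-bit, checked below */
    case T_UTF8:                          /* already UTF-8: copied, not validated */
        if (len > cap) return -1;
        memcpy(out, in, len);
        return (long)len;
    default: return -1;                   /* unknown type: do not guess */
    }
    if (len % csize) return -1;           /* truncated character */
    for (i = 0; i < len; i += csize) {
        uint32_t cp = 0;
        unsigned char tmp[4];
        for (j = 0; j < csize; j++) cp = (cp << 8) | in[i + j];  /* big-endian */
        if (cp >= 0x80 && (type == T_IA5 || type == T_PRINTABLE)) return -1;
        k = put_utf8(cp, tmp);
        if (k == 0 || k > cap - n) return -1;
        memcpy(out + n, tmp, k);
        n += k;
    }
    return (long)n;
}
```

With OpenSSL, the type and bytes for each entry would come from the ASN1_STRING returned by X509_NAME_ENTRY_get_data, as in the reply above.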