The countryName field is a PrintableString, that's mandatory (see X.520).
It also MUST be 2 characters long, but that's not enforced by OpenSSL.

-- 
Erwann ABALEA

On 28/03/2013 14:33, Joseba Gil Irisarri via RT wrote:
> Hello,
>
> I'm using OpenSSL 1.0.1c as a CA to sign a corporate certificate. OpenSSL is 
> configured as follows:
>
> # This sets a mask for permitted string types. There are several options.
> # default: PrintableString, T61String, BMPString.
> # pkix         : PrintableString, BMPString (PKIX recommendation before 2004)
> # utf8only: only UTF8Strings (PKIX recommendation after 2004).
> # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
> # MASK:XXXX a literal mask value.
> # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
> string_mask = utf8only
>
> All the strings that my certificate contains are UTF8String, but when trying 
> to sign it with OpenSSL CA, it returns the following mismatch error:
>
> The countryName field needed to be the same in the CA certificate <DE> and 
> the request <DE>
>
> When parsing the OpenSSL CA certificate, I found out the countryName field is 
> coded as PrintableString, while in my certificate is coded as UTF8String, 
> hence the error. The rest of the string fields are coded as UTF8String in 
> both the CA certificate and the request.
>
> My question here is, if OpenSSL string_mask is configured as utf8only, why is 
> the countryName field coded as PrintableString? Shouldn't all fields be coded 
> as UTF8String? Perhaps I misunderstood the meaning and use of the 
> string_mask, so I would greatly appreciate if you could explain to me whether 
> this is a bug or just correct behaviour.
>
> Thanks a lot in advance for your help.
>
> Best regards,
> Joseba Gil
>                                       
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       openssl-dev@openssl.org
> Automated List Manager                           majord...@openssl.org
>
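
The encoding difference discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL code: a minimal DER walker that reports whether countryName (OID 2.5.4.6) in a Name is a 2-character PrintableString. The function names and the sample names (C=DE, O=Example Corp) are constructed for illustration.

```python
# Added example (not OpenSSL code): inspect how countryName is encoded in a DER Name.
PRINTABLE, UTF8 = 0x13, 0x0C               # ASN.1 universal string tags
OID_COUNTRY = bytes([0x55, 0x04, 0x06])    # 2.5.4.6 countryName
OID_ORG = bytes([0x55, 0x04, 0x0A])        # 2.5.4.10 organizationName

def tlv(tag, value):
    """Encode one DER TLV; short-form length is enough for the small samples."""
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos):
    """Decode the TLV at pos, returning (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def check_country(name_der):
    """Return a list of problems found in the Name's countryName attributes."""
    problems = []
    tag, rdns, _ = read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    for _, rdn in children(rdns):          # RelativeDistinguishedName (SET)
        for _, atv in children(rdn):       # AttributeTypeAndValue (SEQUENCE)
            parts = list(children(atv))
            if len(parts) == 2 and parts[0] == (0x06, OID_COUNTRY):
                stag, sval = parts[1]
                if stag != PRINTABLE:
                    problems.append(f"countryName tag 0x{stag:02x} is not PrintableString")
                if len(sval) != 2:
                    problems.append(f"countryName length {len(sval)} is not 2")
    return problems

def make_name(country, country_tag):
    """Constructed sample: Name with C=<country> and O=Example Corp."""
    c = tlv(0x31, tlv(0x30, tlv(0x06, OID_COUNTRY) + tlv(country_tag, country.encode())))
    o = tlv(0x31, tlv(0x30, tlv(0x06, OID_ORG) + tlv(UTF8, b"Example Corp")))
    return tlv(0x30, c + o)
```

Both `make_name("DE", PRINTABLE)` and `make_name("DE", UTF8)` display as `DE`, but their DER bytes differ in the string tag, which is the difference the checker reports.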

