On Tue, Nov 18, 2003, Alex Marandon wrote:

> On Mon, Nov 17, 2003 at 07:34:46PM +0100, Dr. Stephen Henson wrote:
> > On Mon, Nov 17, 2003, Alex Marandon wrote:
> [...]
> > > With messages produced by openssl itself or, for example, Outlook
> > > Express, X509_NAME_ENTRY's are viewed by OpenSSL as being of the
> > > V_ASN1_PRINTABLESTRING type, even if they have latin characters.  But
> > > with the particular application I'm dealing with, entries with
> > > latin characters are viewed as being of the V_ASN1_T61STRING type by
> > > OpenSSL. Consequently, X509_NAME_cmp()'s type comparison fails, because
> > > openssl finds V_ASN1_PRINTABLESTRING in the local certificate and
> > > V_ASN1_T61STRING in the provided message.
> [...]
> 
> Hello,
> 
> I'm afraid I'm lacking some knowledge to understand your answer well.
> I'm asking more questions to understand better.
> 
> > X509_NAME_cmp() doesn't have anything to do with the message content as such;
> > it's associated with the certificate matching code which finds the appropriate
> > recipient certificate.
> 
> Ok.
> 
> > The PrintableString type does *not* permit latin characters; in fact it has a
> > very limited character range (excluding characters such as '@'). OpenSSL
> > should never produce latin characters in PrintableStrings
> 
> Hum... does it mean that it's forbidden to have latin characters in
> subjectName?
> 

No. The subjectName (or issuerName) can use one of various string types.
The PrintableString only allows a very limited range of characters.

The T61String allows a wider range of characters but it uses a complex
character shifting mechanism and many clients use straight ISO8859-1 instead.

There are two better types which can be used: BMPString, which is
Unicode, and UTF8String, which is UTF8 encoded Unicode. But some older software
doesn't understand them.

> 
> > On top of that, it looks broken in that it doesn't correctly include the issuer
> > name in the PKCS#7 structure.
> 
> Oh...well I don't know how to print the issuer included in a PKCS#7
> structure.
> 

There isn't a function as such but you can see the individual ASN1 types using

openssl smime -pk7out -in smime.message | openssl asn1parse

> > The only really safe way to do this is to copy the Name structure
> > verbatim.
> 
> Copy it where?
> 

OK, let me explain a bit. With PKCS#7 envelopedData there is an identifier
which allows a client to find the correct recipient certificate. This
identifier consists of the recipient certificate's issuer name and serial
number.

OpenSSL performs a search where it attempts to match each recipient in the
PKCS#7 structure against the supplied certificate.

The software that produces the message should copy the issuer name and serial
number of the recipient's certificate into the PKCS#7 structure.

[analyses message you sent me]

It's here that the problem lies. The S/MIME software that you are using is not
copying the issuer name correctly, meaning that the version in the PKCS#7
structure does not match that in the recipient's certificate. In fact it is
taking the T61String and making it a PrintableString and using characters that
are illegal in a PrintableString in the process.

In other words the S/MIME client that produced that message is broken.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
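Steve's diagnosis above (a T61String retagged as a PrintableString that then carries bytes a PrintableString may not hold) and his earlier note on the string types a Name may use, worked through as an added example that is not part of this thread and is not OpenSSL code: a minimal DER walker in Python that decodes an X.509 Name, reports the ASN.1 string type of each attribute (what `openssl asn1parse` shows by hand), flags PrintableString values with illegal bytes, and compares two Names strictly, mirroring the type-sensitive comparison the thread attributes to X509_NAME_cmp(). The two sample Names are constructed here; `read_tlv`, `decode_name`, `diagnose`, `names_match` and `encode_cn_name` are this example's own helpers, not OpenSSL API.

```python
# Added example, not code from the thread or from OpenSSL: a minimal DER walker
# that decodes an X.509 Name, reports the ASN.1 string type of each attribute,
# checks PrintableString contents against the PrintableString repertoire, and
# compares two Names strictly (OID, string type and bytes must all agree), the
# X509_NAME_cmp() behaviour the thread describes. The Name encodings at the
# bottom are constructed for illustration, not taken from the discussed message.

TAG_SEQUENCE, TAG_SET, TAG_OID = 0x30, 0x31, 0x06
TAG_PRINTABLESTRING, TAG_T61STRING = 0x13, 0x14
STRING_TYPES = {0x13: "PrintableString", 0x14: "T61String",
                0x0C: "UTF8String", 0x1E: "BMPString"}
OID_COMMON_NAME = bytes.fromhex("550403")          # 2.5.4.3 id-at-commonName

# PrintableString repertoire (X.680): letters, digits and this punctuation.
# '@', '&' and every byte above 0x7F are outside it.
PRINTABLE_ALLOWED = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?")

def read_tlv(buf, pos, want=None):
    """Decode one tag-length-value at buf[pos]; return (tag, content, next_pos).
    If want is given, the tag must equal it. Short and long-form lengths handled."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if want is not None and tag != want:
        raise ValueError("expected tag 0x%02x, found 0x%02x" % (want, tag))
    if length & 0x80:                      # long form: low bits give byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_name(der):
    """Walk Name ::= SEQUENCE OF SET OF AttributeTypeAndValue and return a list
    of (oid_bytes, string_tag, raw_value_bytes) tuples in encoding order."""
    _, rdn_sequence, _ = read_tlv(der, 0, TAG_SEQUENCE)
    entries, pos = [], 0
    while pos < len(rdn_sequence):
        _, rdn, pos = read_tlv(rdn_sequence, pos, TAG_SET)
        inner = 0
        while inner < len(rdn):
            _, atv, inner = read_tlv(rdn, inner, TAG_SEQUENCE)
            _, oid, after_oid = read_tlv(atv, 0, TAG_OID)
            value_tag, value, _ = read_tlv(atv, after_oid)
            entries.append((oid, value_tag, value))
    return entries

def string_type_names(der):
    """The ASN.1 string type of each attribute value, e.g. ['T61String']."""
    return [STRING_TYPES.get(tag, "tag 0x%02x" % tag) for _, tag, _ in decode_name(der)]

def printable_string_violations(raw):
    """Return the bytes of raw that a PrintableString is not allowed to carry."""
    return [b for b in raw if chr(b) not in PRINTABLE_ALLOWED]

def diagnose(der):
    """Report attributes tagged PrintableString whose bytes fall outside the
    PrintableString repertoire, which is the defect described in the thread."""
    problems = []
    for oid, tag, value in decode_name(der):
        bad = printable_string_violations(value) if tag == TAG_PRINTABLESTRING else []
        if bad:
            problems.append("%s: PrintableString contains illegal bytes %s"
                            % (oid.hex(), [hex(b) for b in bad]))
    return problems

def names_match(a_der, b_der):
    """Strict match in the spirit of X509_NAME_cmp(): same attributes, same
    string type, same bytes. A copy retagged to another string type fails."""
    return decode_name(a_der) == decode_name(b_der)

def tlv(tag, content):
    """Encode one short-form TLV (content shorter than 128 bytes)."""
    return bytes([tag, len(content)]) + content

def encode_cn_name(string_tag, raw_value):
    """Build a one-attribute Name: SEQUENCE { SET { SEQUENCE { cn OID, value } } }."""
    atv = tlv(TAG_SEQUENCE, tlv(TAG_OID, OID_COMMON_NAME) + tlv(string_tag, raw_value))
    return tlv(TAG_SEQUENCE, tlv(TAG_SET, atv))

# Constructed sample data: the issuer name as it sits in the recipient's
# certificate (a T61String carrying straight ISO8859-1, as many clients do),
# and the copy a broken S/MIME producer placed in the RecipientInfo: the same
# bytes retagged as PrintableString, which cannot legally carry 0xF1 ('ñ').
CERT_ISSUER = encode_cn_name(TAG_T61STRING, "Muñoz".encode("latin-1"))
BROKEN_RECIPIENT_ID = encode_cn_name(TAG_PRINTABLESTRING, "Muñoz".encode("latin-1"))

if __name__ == "__main__":
    print("certificate issuer types:", string_type_names(CERT_ISSUER))
    print("RecipientInfo issuer types:", string_type_names(BROKEN_RECIPIENT_ID))
    print("RecipientInfo problems:", diagnose(BROKEN_RECIPIENT_ID))
    print("recipient matches certificate:", names_match(CERT_ISSUER, BROKEN_RECIPIENT_ID))
```

Running it shows the certificate's issuer as a T61String and the RecipientInfo copy as a PrintableString containing 0xF1, so the strict match fails exactly as the thread describes. To check a real message the same way, feed the issuer bytes that `openssl smime -pk7out ... | openssl asn1parse` reveals to `decode_name` and `diagnose`, and compare them with the issuer of the recipient certificate; the string tag names printed by `asn1parse` correspond to the entries in STRING_TYPES.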
