On Thu, Nov 19, 2009, Shaw Graham George wrote:

> Thanks Steve,
>
> >> OpenSSL will *NOT* however do what happens above with the C (Country) field.
> >> That is a two character code and only PrintableString (a restricted version of
> >> ASCII) characters are permitted. Doing anything else violates several standards.
>
> That's interesting, considering that this example certificate was sent
> to us by one of our customers, and appears to be issued by the Guandong
> Certificate Authority (GDCA), which is presumably a live CA ...
>
> Is that possible - that a real CA can violate the standards like this?
> Or is this just like Microsoft breaking standards - you just have to
> live with it?
>

There are many implementations that violate standards all over the place. The
trick sometimes is to try to live with them without doing so insecurely.

Could you send me a sample certificate like that btw? I'll check it out. It
might be doing something weirder like putting Unicode into a PrintableString.

> BTW, the "rogue" example certificate seems OK when used as an input to
> other openssl functions ... E.g. openssl smime.
>
> But putting the country name to one side, what about the other data
> elements? I understand the UTF-8 input is possible in openssl. Is what
> you're saying that it's only UTF-8 that is possible, so if I want
> Unicode input, then I have to find another solution.
>

What I'm saying is that you input characters using UTF8 or can do so in a
config file. Terminals often have a UTF8 mode which does this automatically.

Once the data is in OpenSSL it can decide to translate them into BMPStrings
(Unicode near enough) internally.

That btw is just what the command line utilities do. The APIs are rather more
flexible.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
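
The rule discussed in this message, that the C (Country) field is a two-character PrintableString, can be checked directly on the DER encoding of a certificate's Name. The following is an added example, not part of the original message and not OpenSSL code; the function names are hypothetical and the sample byte strings are constructed for illustration (they are not taken from the certificate mentioned in the thread).

```python
import string

OID_COUNTRY = bytes.fromhex("550406")  # 2.5.4.6, countryName
PRINTABLE = set(string.ascii_letters + string.digits + " '()+,-./:=?")
TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x1E: "BMPString"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def check_country(name_der):
    """List the problems found in countryName attributes of a DER Name."""
    problems = []
    tag, rdns, _ = read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    for _, rdn in children(rdns):        # RelativeDistinguishedName (SET)
        for _, atv in children(rdn):     # AttributeTypeAndValue (SEQUENCE)
            (t_oid, oid), (t_val, val) = list(children(atv))[:2]
            if t_oid != 0x06 or oid != OID_COUNTRY:
                continue
            if t_val != 0x13:
                problems.append("type is %s, not PrintableString"
                                % TAGS.get(t_val, hex(t_val)))
                continue
            if not all(chr(b) in PRINTABLE for b in val):
                problems.append("characters outside the PrintableString set")
            if len(val) != 2:
                problems.append("length is %d, not 2" % len(val))
    return problems

# Constructed samples: a Name holding only a C attribute.
GOOD = bytes.fromhex("300d310b300906035504061302434e")          # C=CN
AS_UTF8 = bytes.fromhex("3011310f300d06035504060c06e4b8ade59bbd")
RAW_IN_PRINTABLE = bytes.fromhex("3011310f300d06035504061306e4b8ade59bbd")
```

The third sample models the case of non-ASCII bytes placed under a PrintableString tag, which a check on the tag alone would miss.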