Hello,

On Tue, Apr 23, 2019 at 12:21 AM Dmitry Belyavsky <beld...@gmail.com> wrote:

> Dear Victor,
>
> On Mon, Apr 22, 2019 at 9:23 PM Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:
>
>> On Sun, Apr 21, 2019 at 06:58:53PM +0300, Dmitry Belyavsky wrote:
>>
>> > When I use a command
>> >
>> > openssl asn1parse -genstr "UTF8String:ф" -out content
>> >
>> > I get a 6-byte file. If I understand correctly, it starts with a 2-byte
>> > header indicating the content length and then contains an encoded letter
>> > 'ф' I want. But the encoding of it is not UTF8, as the utf8 encoding of a
>> > cyrillic letter is 2 bytes long.
>> >
>> > Am I wrong? If the behavior I see is desired one, how can I convert the
>> > result of the encoding to UTF8 using openssl internal API?
>>
>> By default the input string is assumed to contain single-byte octets,
>> which are individually encoded as UTF-8. This is rarely what you
>> want if your input is not ASCII. For actual UTF-8 input, you can
>> use:
>>
>> $ openssl asn1parse -out content -genstr 'FORMAT:UTF8,UTF8String:Он врет! Он не знает, КАК НАДО!' # [1]
>> 0:d=0 hl=2 l= 53 prim: UTF8STRING :Он врет! Он не знает, КАК НАДО!
>>
>> The "genstr" format is described in, for example:
>>
>> https://www.openssl.org/docs/man1.0.2/man3/ASN1_generate_nconf.html
>
> Thank you very much for your answer and especially for a brilliant example :)
>
> I'm trying to implement RFC 8398 and I try to create a valid certificate
> with EAI email in otherName.
>
> I expected that a line in the config file
>
> subjectAltName=otherName:1.3.6.1.5.5.7.8.9;FORMAT:UTF8,UTF8:医生@大学.example.com <http://xn--pss25c.example.com>
>
> will do the trick.
> But I get an error
>
> 140642093051968:error:0D0B20C2:asn1 encoding routines:ASN1_generate_v3:unknown tag:../crypto/asn1/asn1_gen.c:94:
> 140642093051968:error:220A4093:X509 V3 routines:a2i_GENERAL_NAME:othername error:../crypto/x509v3/v3_alt.c:456:
> 140642093051968:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=subjectAltName, value=otherName:1.3.6.1.5.5.7.8.9;FORMAT:UTF8,UTF8:医生@大学.example.com <http://xn--pss25c.example.com>
>
> If I specify the otherName like
> subjectAltName=otherName:1.3.6.1.5.5.7.8.9;UTF8:医生@大学.example.com <http://xn--pss25c.example.com>
>
> I do not get an error, but the encoding seems to be not UTF8, but ASCII.
> Can this behavior be fixed?

I've got the clue. The config string is passed to the X509V3_parse_list() function, which treats comma as a separator, so the rest of the line is cut, and it causes an error.

I've done a quick-and-dirty patch for my purposes that enforces FORMAT:UTF8 for SMTPUTF8 and succeeded.

>> --
>> Viktor.
>>
>> [1]. http://www.mnemosyne.ru/homo/galich-6.html
>
> --
> SY, Dmitry Belyavsky

--
SY, Dmitry Belyavsky
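A byte-level reproduction of the two encodings discussed in this thread, added here as an example that is not from the thread or from OpenSSL's code: it DER-encodes a UTF8String the way the default single-byte-octet handling does (giving the 6-byte file for "ф") and the way FORMAT:UTF8 does, and assembles the RFC 8398 SmtpUTF8Mailbox otherName by hand. The helper names are assumptions of this example.

```python
# Added example: minimal DER helpers to show what OpenSSL produces for a
# UTF8String with and without FORMAT:UTF8, and the otherName from the thread.

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content

def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER with base-128 arc encoding (first two arcs merged)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def utf8string(text: str, format_utf8: bool) -> bytes:
    """DER UTF8String (tag 0x0C) from the bytes as typed on the CLI/config."""
    raw = text.encode("utf-8")
    if not format_utf8:
        # Default genstr behaviour: each input octet is taken as a code point
        # U+0000..U+00FF and UTF-8 encoded on its own, so the two bytes of a
        # Cyrillic letter become four bytes (the 6-byte file in the thread).
        raw = raw.decode("latin-1").encode("utf-8")
    return der_tlv(0x0C, raw)

def smtputf8_othername(mailbox: str) -> bytes:
    """otherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }"""
    oid = der_oid("1.3.6.1.5.5.7.8.9")          # id-on-SmtpUTF8Mailbox
    value = der_tlv(0xA0, utf8string(mailbox, True))  # [0] EXPLICIT
    return der_tlv(0x30, oid + value)

if __name__ == "__main__":
    print(utf8string("\u0444", False).hex())  # 0c04c391c284 (6 bytes)
    print(utf8string("\u0444", True).hex())   # 0c02d184     (4 bytes)
    print(smtputf8_othername("\u533b\u751f@\u5927\u5b66.example.com").hex())
```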