openssl-user - UTF8 characters in configuration file


openssl-user - UTF8 characters in configuration file

rasmussj
I'm using the following configuration file section in an attempt to create a CA with UTF8 characters in subject (and other) fields.

string_mask             = utf8only
prompt                  = no

[ req ]

default_bits            = 2048
default_keyfile         = /opt/rasmussjCa/private/cakey.pem
default_md              = md5
prompt                  = no
distinguished_name      = root_ca_distinguished_name
x509_extensions         = root_ca_extensions

[ root_ca_distinguished_name ]

commonName              = UTF8STRING:Root
stateOrProvinceName     = MA
countryName             = US
emailAddress            = [hidden email]
organizationName        = abc

When I use "commonName  = UTF8STRING:Root", I am getting a format=PRINTABLESTRING containing the "UTF8STRING:Root" value.

   45:d=5  hl=2 l=   3 prim: OBJECT            :commonName
   50:d=5  hl=2 l=  15 prim: PRINTABLESTRING   :UTF8STRING:Root

Not a UTF8STRING format as I'm expecting such as this ...

  108:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  113:d=5  hl=2 l=  23 prim: UTF8STRING        :XXXXXXXXXX

In addition to "string_mask = utf8", I've also tried the -utf8 option on the req with the same results:

openssl req -x509 -newkey rsa:1024 -out rootcacert.pem -utf8 -outform PEM

+++

In addition, when I try to assign a policy "root_commonName" to the commonName field:

commonName              = root_commonName
stateOrProvinceName     = MA
countryName             = US
emailAddress            = [hidden email]
organizationName        = abc

[ root_commonName ]

commonName              = UTF8STRING:Root

I am just getting the "root_commonName" policy assigned to the field rather than the "UTF8STRING:Root" value assigned within the policy.

  174:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  179:d=5  hl=2 l=  15 prim: T61STRING         :root_commonName

Any comments are greatly appreciated.

Thanks

John

Re: openssl-user - UTF8 characters in configuration file

Walter H.
Hello John,

I had the same problem; the solution is just:

UTF8String or UTF8 and not UTF8STRING

Walter


Re: openssl-user - UTF8 characters in configuration file

rasmussj
Hi Walter,

Thanks for that, but I have tried those options also. I must be missing something else?

commonName              = UTF8String:Root

   45:d=5  hl=2 l=   3 prim: OBJECT            :commonName
   50:d=5  hl=2 l=  15 prim: PRINTABLESTRING   :UTF8String:Root

commonName              = UTF8:Root

  168:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  173:d=5  hl=2 l=   9 prim: PRINTABLESTRING   :UTF8:Root

RE: openssl-user - UTF8 characters in configuration file

Salz, Rich

Hi John!

Looking at apps/req.c, it seems you want to use the -utf8 flag (or put utf8: yes in your conf file [req] section) and not prefix the string with an identifier.

-- 

Principal Security Engineer

Akamai Technology

Cambridge, MA


RE: openssl-user - UTF8 characters in configuration file

rasmussj
Hi Rich!

Glad to hear from you and hope all is well!

Thanks for the tip, but I haven't cracked this nut yet. I've tried several permutations of:

- the UTF8 flag on req - openssl req -x509 -newkey rsa:1024 -out rootcacert.pem -utf8 -outform PEM
- the no UTF8 flag on req - openssl req -x509 -newkey rsa:1024 -out rootcacert.pem -outform PEM
- the utf8 = yes in [ req ]
- the string_mask = utf8only
- and vice versa

I'd been using ASCII characters (still valid UTF), so I thought I'd use proper UTF and thus:

commonName              = Róót

Which looks good in HEX (C3B3) = o with accent

00005c0: 696f 6e73 0d0a 0d0a 5b20 726f 6f74 5f63  ions....[ root_c
00005d0: 615f 6469 7374 696e 6775 6973 6865 645f  a_distinguished_
00005e0: 6e61 6d65 205d 0d0a 0d0a 636f 6d6d 6f6e  name ]....common
00005f0: 4e61 6d65 2020 2020 2020 2020 2020 2020  Name
0000600: 2020 3d20 52c3 b3c3 b374 0d0a 7374 6174    = R....t..stat
0000610: 654f 7250 726f 7669 6e63 654e 616d 6520  eOrProvinceName
0000620: 2020 2020 3d20 4d41 0d0a 636f 756e 7472      = MA..countr
0000630: 794e 616d 6520 2020 2020 2020 2020 2020  yName

I also tried

- commonName              = UTF8:Róót
- commonName              = UTF8STRING:Róót
- commonName              = UTF8String:Róót

And all seem to yield:

  163:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  168:d=5  hl=2 l=   4 prim: T61STRING         :R▒▒t

Which is a change from PRINTABLESTRING anyway.

Still hoping to get this working.

Cheers

John

RE: openssl-user - UTF8 characters in configuration file

Zbyněk Krejčík
Hi,

I tried this some 2 years ago; what seemed to work (at least Windows showed the
strings in the cert correctly):

in
[ req ]
...
distinguished_name = req_distinguished_name
attributes = req_attributes
string_mask = utf8only
utf8 = yes
...
...
[ req_distinguished_name ]
...
localityName_value = Zádveřice
...

and commonName can either be defined in the cfg file (commonName_value)
or it can be read in from a file with the proper value (interactive cli input
didn't work for me then):

openssl req -config utf8configfile.cfg -new -nodes -utf8 -keyout
utf8key.pem -out utf8req.pem <utf8user.txt

Hope this helps

Zbynek

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: openssl-user - UTF8 characters in configuration file

Viktor Dukhovni
On Fri, Mar 15, 2013 at 09:44:13AM +0100, Zbyněk Krejčík wrote:

> I tried this some 2yrs ago what seemed to work (at least wins showed the
> strings in cert correctly)
>
> in
> [ req ]
> ...
> distinguished_name = req_distinguished_name
> attributes = req_attributes
> string_mask = utf8only
> utf8 = yes

FWIW with OpenSSL 1.0.1e just "string_mask" is sufficient, but "utf8" is
neither sufficient nor necessary.

    $ cat foo.cnf
    [ req ]
    distinguished_name = dn
    prompt = no
    string_mask = utf8only

    [ dn ]
    countryName             = US
    stateOrProvinceName     = New York
    localityName            = New York
    organizationName        = Example Corp
    commonName              = mail.example.com

    [ v3_req ]
    extendedKeyUsage        = serverAuth, clientAuth

    $ openssl req -new -config foo.cnf -reqexts v3_req -key key.pem |
                                                openssl asn1parse
        0:d=0  hl=4 l= 335 cons: SEQUENCE
        4:d=1  hl=3 l= 247 cons: SEQUENCE
        7:d=2  hl=2 l=   1 prim: INTEGER           :00
       10:d=2  hl=2 l= 101 cons: SEQUENCE
       12:d=3  hl=2 l=  11 cons: SET
       14:d=4  hl=2 l=   9 cons: SEQUENCE
       16:d=5  hl=2 l=   3 prim: OBJECT            :countryName
       21:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :US
       25:d=3  hl=2 l=  17 cons: SET
       27:d=4  hl=2 l=  15 cons: SEQUENCE
       29:d=5  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
       34:d=5  hl=2 l=   8 prim: UTF8STRING        :New York
       44:d=3  hl=2 l=  17 cons: SET
       46:d=4  hl=2 l=  15 cons: SEQUENCE
       48:d=5  hl=2 l=   3 prim: OBJECT            :localityName
       53:d=5  hl=2 l=   8 prim: UTF8STRING        :New York
       63:d=3  hl=2 l=  21 cons: SET
       65:d=4  hl=2 l=  19 cons: SEQUENCE
       67:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
       72:d=5  hl=2 l=  12 prim: UTF8STRING        :Example Corp
       86:d=3  hl=2 l=  25 cons: SET
       88:d=4  hl=2 l=  23 cons: SEQUENCE
       90:d=5  hl=2 l=   3 prim: OBJECT            :commonName
       95:d=5  hl=2 l=  16 prim: UTF8STRING        :mail.example.com
       ...

--
        Viktor.

Re: openssl-user - UTF8 characters in configuration file

rasmussj
Viktor and others, thanks for the tips. I found that by using OpenSSL 1.0.1e I've been able to create the UTF8 format fields, such as:

   71:d=5  hl=2 l=   3 prim: OBJECT            :commonName
   76:d=5  hl=2 l=   6 prim: UTF8STRING        :Róót

However, creating the subjectAltName is not following the same pattern. In the "root_dir_sect" I've assigned CN (and a custom OID) to the same value I've assigned to commonName in "root_ca_distinguished_name":


[ new_oid_section ]

myOIDSN                 = myOIDLongName, 1.2.3.4

[ root_ca_distinguished_name ]

countryName             = US
stateOrProvinceName     = MA
commonName              = Róót
emailAddress            = [hidden email]
organizationName        = abc

[ root_ca_extensions ]

basicConstraints        = CA:true
subjectAltName          = email:copy,URI:http://xyz.com.test/,dirName:root_dir_sect#

[ root_dir_sect ]

C                       = us
O                       = abc
OU                      = orgUnit
CN                      = Róót
1.2.3.4                 = Róót

Using an ASN1 parsing tool I found that the commonName in Subject contains the C3B3 (accented o) I expected. However, within the dirName field of subjectAltName, the value is expanded to C3+83C2+B3 for each occurrence of "accented o":

CN=Róót, 2.3.4=Róót

I must have also assigned the custom OID incorrectly as the preceding 1. is truncated.

Any comments are greatly appreciated. Thanks

John Rasmussen
IBM DataPower
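As an added check (example code, not from the thread or from OpenSSL), a stdlib-only Python walker over a DER-encoded X.509 Name that reports the ASN.1 string tag of each attribute, the thing Viktor's asn1parse output shows, and flags UTF8String values carrying the C3 83 C2 B3 double-encoding John saw in the dirName. The OID constant, function names and the three sample Names are constructed for this example; it handles single-valued RDNs only.

```python
# Added example, not code from the thread or from OpenSSL: a stdlib-only DER walker
# for an X.509 Name that reports each attribute's ASN.1 string tag and flags
# double-encoded UTF8String values. Names, OIDs and samples below are constructed.

# Tag numbers of the string types that appear in the thread's asn1parse output.
STRING_TAGS = {0x0C: "UTF8STRING", 0x13: "PRINTABLESTRING", 0x14: "T61STRING", 0x16: "IA5STRING"}
OID_CN = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3), DER-encoded

def tlv(tag, body):
    """Encode one DER TLV; long-form length is enough for bodies up to 255 bytes."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

def read_tlv(buf, pos):
    """Parse one TLV at pos and return (tag, body, position after it)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:  # long-form length: low bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def name_attrs(name_der):
    """Walk Name ::= SEQUENCE OF SET OF SEQUENCE { OID, value } (single-valued RDNs)."""
    tag, seq, _ = read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("not a Name SEQUENCE")
    pos, out = 0, []
    while pos < len(seq):
        _, rdn_set, pos = read_tlv(seq, pos)
        _, atv, _ = read_tlv(rdn_set, 0)
        _, oid, p = read_tlv(atv, 0)
        vtag, value, _ = read_tlv(atv, p)
        out.append((oid.hex(), STRING_TAGS.get(vtag, f"tag 0x{vtag:02x}"), value))
    return out

def looks_double_encoded(value):
    """True if UTF-8 text, re-read as Latin-1 bytes, is valid UTF-8 again (C3 83 C2 B3 pattern)."""
    try:
        text = value.decode("utf-8")
        return text != text.encode("latin-1").decode("utf-8")
    except (UnicodeDecodeError, UnicodeEncodeError):
        return False

def attr(oid, tag, text):
    """One RDN: SET { SEQUENCE { OID, <tag> value } }."""
    return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(tag, text)))

def report(name_der):
    """Return [(oid_hex, tag_name, decoded_text, double_encoded)] for every attribute."""
    rows = []
    for oid, tname, value in name_attrs(name_der):
        flag = tname == "UTF8STRING" and looks_double_encoded(value)
        rows.append((oid, tname, value.decode("utf-8", "replace"), flag))
    return rows

# Constructed sample Names mirroring the thread's outcomes for the commonName.
PRINTABLE_NAME = tlv(0x30, attr(OID_CN, 0x13, b"UTF8STRING:Root"))  # literal prefix, no utf8only
GOOD_NAME = tlv(0x30, attr(OID_CN, 0x0C, "Róót".encode("utf-8")))  # string_mask = utf8only
DOUBLE_NAME = tlv(0x30, attr(OID_CN, 0x0C, "Róót".encode("utf-8").decode("latin-1").encode("utf-8")))
```

Feed it the subject or dirName SEQUENCE extracted from a real certificate (for example the bytes at the offset asn1parse reports) and a True flag on a UTF8STRING row is the double-encoding symptom.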