> From: openssl-users On Behalf Of Jörg Eyring
> Sent: Wednesday, February 11, 2015 03:44

> I'm generating a certificate request and the necessary entries are added
> with:
> ...
> if(!X509_NAME_add_entry_by_txt(subj,"C", MBSTRING_ASC, (unsigned
> char *) CountryName,-1,-1,0))
<snip>
> X509_NAME_add_entry_by_txt does only respect the given encoding
> MBSTRING_ASC for the first entry, the subsequent entries are encoded with
> MBSTRING_UTF8 (seen with a BER Viewer). The certificate request is
> declined by the authority with an error: "...doesn't contain five
> PRINTABLESTRING elements..."
>
> The most recent version of OpenSSL we've been using was 1.0.1c where
> everything worked fine.
>

ASN1 strings set with the "generic" MBSTRING_ types that are for
known/standard OID-value pairs are constrained by tbl_standard
in asn1/a_strnid.c. A few like Country are forced to Printable
as per standard. Those standardized as DirectoryString are
anded with a "default mask" then a_mbstr.c chooses the "lowest"
type supporting the characters in the value. Which allowed *two* of
the eight single-byte types (Teletex and Printable). This is mentioned,
very briefly, in the manpage for X509_NAME_add_entry.

1.0.1h in 2014 and later changed this mask to force UTF8 only,
I believe to implement the MUST UTF8 for DirectoryStrings
in 2459 and 3280, even though 5280 in 2008 had relaxed it to
MUST UTF8 OR Printable, I suspect to be safe for implementations
of the older standard.

req and ca override this by calling ASN1_STRING_set_default_mask_asc
with the (string) value of string_mask in the configuration if specified,
and the supplied openssl.cnf back to 1.0.0 in 2009 set utf8only
for those utils. There is also a numeric version
ASN1_STRING_set_default_mask.

HTH.
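The check done above with a BER viewer, as an added example that is not part of the original thread or of OpenSSL: a standard-library Python walker that reports the ASN.1 string type of each attribute in a DER-encoded Name. The sample subject, its values and all function names are constructed for illustration.

```python
# Added example, not from the thread: string type of each attribute in a DER Name.
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "TeletexString"}
ATTR_OIDS = {"550406": "C", "550408": "ST", "550407": "L", "55040a": "O", "550403": "CN"}

def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # yields (tag, value) for each TLV inside a constructed value
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def name_string_types(der_name):
    """Return [(attribute, string type, text)] for an X.501 Name."""
    tag, rdns, _ = read_tlv(der_name, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    out = []
    for _, rdn_set in children(rdns):        # each RDN is a SET
        for _, atv in children(rdn_set):     # AttributeTypeAndValue SEQUENCE
            (_, oid), (vtag, val) = list(children(atv))[:2]
            out.append((ATTR_OIDS.get(oid.hex(), oid.hex()),
                        STRING_TAGS.get(vtag, hex(vtag)), val.decode("utf-8", "replace")))
    return out

def not_printable(der_name):  # attributes a PrintableString-only policy would reject
    return [a for a, t, _ in name_string_types(der_name) if t != "PrintableString"]

def tlv(tag, body):  # encoder for the constructed sample (short lengths only)
    return bytes([tag, len(body)]) + body

# Constructed subject: C as PrintableString, the other four as UTF8String.
SAMPLE_ATTRS = [("550406", 0x13, "DE"), ("550408", 0x0C, "Hessen"), ("550407", 0x0C, "Frankfurt"),
                ("55040a", 0x0C, "Example GmbH"), ("550403", 0x0C, "client.example")]
SAMPLE_NAME = tlv(0x30, b"".join(tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex(o)) +
                                               tlv(t, v.encode()))) for o, t, v in SAMPLE_ATTRS))
```

The input is the DER of the subject Name alone, not the whole certificate request.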