Re: asn1parse genstr question

Hello,

On Tue, Apr 23, 2019 at 12:21 AM Dmitry Belyavsky <beldmit@xxxxxxxxx> wrote:
Dear Victor, 

On Mon, Apr 22, 2019 at 9:23 PM Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote:
On Sun, Apr 21, 2019 at 06:58:53PM +0300, Dmitry Belyavsky wrote:

> When I use a command
>
> openssl asn1parse -genstr "UTF8String:ф" -out content
>
> I get a 6-byte file. If I understand correctly, it starts with a 2-byte
> header indicating the content length and then contains an encoded letter
> 'ф' I want. But the encoding of it is not UTF8, as the utf8 encoding of a
> cyrillic letter is 2 bytes long.
>
> Am I wrong? If the behavior I see is desired one, how can I convert the
> result of the encoding to UTF8 using openssl internal API?

By default the input string is assumed to contain single-byte octets,
which are individually encoded as UTF-8.  This is rarely what you
want if your input is not ASCII.  For actual UTF-8 input, you can
use:

    $ openssl asn1parse -out content -genstr 'FORMAT:UTF8,UTF8String:Он врет! Он не знает, КАК НАДО!' # [1]
        0:d=0  hl=2 l=  53 prim: UTF8STRING        :Он врет! Он не знает, КАК НАДО!

The "genstr" format is described in, for example:

    https://www.openssl.org/docs/man1.0.2/man3/ASN1_generate_nconf.html

Thank you very much for your answer and especially for a brilliant example :)

I'm trying to implement RFC 8398 and I try to create a valid certificate with EAI email in otherName. 

I expected that a line in the config file

    subjectAltName=otherName:1.3.6.1.5.5.7.8.9;FORMAT:UTF8,UTF8:医生@大学.example.com

will do the trick.
But I get an error

    140642093051968:error:0D0B20C2:asn1 encoding routines:ASN1_generate_v3:unknown tag:../crypto/asn1/asn1_gen.c:94:
    140642093051968:error:220A4093:X509 V3 routines:a2i_GENERAL_NAME:othername error:../crypto/x509v3/v3_alt.c:456:
    140642093051968:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=subjectAltName, value=otherName:1.3.6.1.5.5.7.8.9;FORMAT:UTF8,UTF8:医生@大学.example.com

If I specify the otherName like

    subjectAltName=otherName:1.3.6.1.5.5.7.8.9;UTF8:医生@大学.example.com

I do not get an error, but the encoding seems to be not UTF8, but ASCII.
Can this behavior be fixed?

I've got the clue.

The config string is passed to the X509V3_parse_list() function, which treats comma as a separator, so the rest of the line is cut, and it causes an error.
I've done a quick-and-dirty patch for my purposes that enforces FORMAT:UTF8 for SMTPUTF8 and succeeded. 

 



--
        Viktor.

[1]. http://www.mnemosyne.ru/homo/galich-6.html


--
SY, Dmitry Belyavsky


--
SY, Dmitry Belyavsky
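
The encoding difference discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL code: a Python model of a DER UTF8String built with and without `FORMAT:UTF8`, plus a heuristic check for the double-encoded result. The function names are hypothetical, and the default-format behaviour is modelled on the description above (each input byte individually encoded as UTF-8).

```python
# Added example (not OpenSSL code): models how genstr input bytes end up
# inside a DER UTF8String with and without the FORMAT:UTF8 modifier.

def der_utf8string(content: bytes) -> bytes:
    """Wrap content octets in a DER UTF8String TLV (tag 0x0C)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])                      # short form
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body  # long form
    return b"\x0c" + length + content

def encode_default(raw: bytes) -> bytes:
    """Default format: every input byte is one character, re-encoded as UTF-8."""
    return der_utf8string(raw.decode("latin-1").encode("utf-8"))

def encode_format_utf8(raw: bytes) -> bytes:
    """FORMAT:UTF8: input must already be valid UTF-8 and is stored unchanged."""
    raw.decode("utf-8")  # raises UnicodeDecodeError on malformed input
    return der_utf8string(raw)

def utf8string_content(der: bytes) -> bytes:
    """Return the content octets of exactly one DER UTF8String TLV."""
    if len(der) < 2 or der[0] != 0x0C:
        raise ValueError("not a UTF8String")
    first = der[1]
    if first < 0x80:
        start, n = 2, first
    else:
        k = first & 0x7F
        if k == 0 or len(der) < 2 + k:
            raise ValueError("bad length octets")
        start, n = 2 + k, int.from_bytes(der[2:2 + k], "big")
    if len(der) != start + n:
        raise ValueError("length mismatch")
    return der[start:]

def looks_double_encoded(der: bytes) -> bool:
    """Heuristic: every code point fits in one byte, and those bytes are
    themselves valid non-ASCII UTF-8 (the signature of the default format)."""
    text = utf8string_content(der).decode("utf-8")
    try:
        inner = text.encode("latin-1")
        inner.decode("utf-8")
    except UnicodeError:
        return False
    return any(b >= 0x80 for b in inner)
```

For the single letter 'ф' the default path yields the 6-byte file from the first message (`0c 04 c3 91 c2 84`), while the `FORMAT:UTF8` path yields 4 bytes (`0c 02 d1 84`).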