Re: openssl-users Digest, Vol 101, Issue 18

Hello Michael,

thank you very much, your response helps a lot!

Kind regards

On 11.04.23 at 17:05, openssl-users-request@xxxxxxxxxxx wrote:
Send openssl-users mailing list submissions to
	openssl-users@xxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
	https://mta.openssl.org/mailman/listinfo/openssl-users
or, via email, send a message with subject or body 'help' to
	openssl-users-request@xxxxxxxxxxx

You can reach the person managing the list at
	openssl-users-owner@xxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of openssl-users digest..."


Today's Topics:

    1. error: ASN1_mbstring_ncopy:illegal characters (raf)
    2. Re: error: ASN1_mbstring_ncopy:illegal characters (Mark Hack)
    3. RE: RSA Real World Implementation (Michael Wojcik)


----------------------------------------------------------------------

Message: 1
Date: Tue, 11 Apr 2023 23:40:10 +1000
From: raf <openssl@xxxxxxx>
To: openssl-users@xxxxxxxxxxx
Subject: error: ASN1_mbstring_ncopy:illegal characters
Message-ID: <ZDVjOq+RmCcrbfgV@xxxxxxx>
Content-Type: text/plain; charset=iso-8859-1

Hi,

I'm trying to create a CSR for an SMIME certificate for
an email address with non-ASCII characters (localpart
and domain), and I'm getting this error after entering
?b?@?tre.org as the email address:

   139749651649856:error:0D07A07C:asn1 encoding routines:ASN1_mbstring_ncopy:illegal characters:../crypto/asn1/a_mbstr.c:115:

The error message is similar if the only non-ASCII
characters are in the domain name, or if they are only
in the localpart (only the leading number in the error
message changes). It's just for testing purposes, and
I'm only really interested in the domain part.

I must be doing something wrong. How can I use
non-ASCII (UTF8-encoded Unicode characters,
LANG=en_AU.UTF-8)? It looks like it's expecting
multi-byte strings (a_mbstr.c).

My smime.cnf contains:
	[req]
	distinguished_name = req_distinguished_name

	[req_distinguished_name]
	countryName = Country Name (2 letter code)
	countryName_default = AU
	countryName_min = 2
	countryName_max = 2
	stateOrProvinceName = State or Province Name (full name)
	stateOrProvinceName_default = Some-State
	localityName = Locality Name (eg, city)
	0.organizationName = Organization Name (eg, company)
	0.organizationName_default = Internet Widgits Pty Ltd
	organizationalUnitName = Organizational Unit Name (eg, section)
	commonName = Common Name (e.g. server FQDN or YOUR name)
	commonName_max = 64
	emailAddress = Email Address
	emailAddress_max = 64

	[smime]
	basicConstraints = CA:FALSE
	keyUsage = nonRepudiation, digitalSignature, keyEncipherment
	subjectKeyIdentifier = hash
	authorityKeyIdentifier = keyid:always,issuer
	subjectAltName = email:copy
	extendedKeyUsage = emailProtection

And the openssl commands were:

    OPENSSL_CONF=`pwd`/smime.cnf
    # Generate an RSA Private Key for the Certificate Authority
    openssl genrsa -aes256 -out ca.key 2048
    # Create Self-Signed Certificate for the Certificate Authority
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt
    # Generate an RSA Private Key for the Personal E-Mail Certificate
    openssl genrsa -aes256 -out smime_test_user.key 2048
    # Create the Certificate Signing Request
    openssl req -new -key smime_test_user.key -out smime_test_user.csr

The error happened during the command above.

     > openssl req -new -key smime_test_user.key -out smime_test_user.csr

     Enter pass phrase for smime_test_user.key:
     You are about to be asked to enter information that will be incorporated
     into your certificate request.
     What you are about to enter is what is called a Distinguished Name or a DN.
     There are quite a few fields but you can leave some blank
     For some fields there will be a default value,
     If you enter '.', the field will be left blank.
     -----
     Country Name (2 letter code) [AU]:
     State or Province Name (full name) [Some-State]:
     Locality Name (eg, city) []:
     Organization Name (eg, company) [Internet Widgits Pty Ltd]:
     Organizational Unit Name (eg, section) []:
     Common Name (e.g. server FQDN or YOUR name) []:
     Email Address []:?b?@?tre.org
     problems making Certificate Request
     139749651649856:error:0D07A07C:asn1 encoding routines:ASN1_mbstring_ncopy:illegal characters:../crypto/asn1/a_mbstr.c:115:

So I didn't get to the final command:

    # Sign the Certificate Using the Certificate Authority
    openssl x509 -req -days 365 -in smime_test_user.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out smime_test_user.crt -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout -extfile smime.cnf -extensions smime

cheers,
raf



------------------------------

Message: 2
Date: Tue, 11 Apr 2023 09:43:20 -0500
From: Mark Hack <markhack@xxxxxxxxxxxx>
To: raf <openssl@xxxxxxx>, openssl-users@xxxxxxxxxxx
Subject: Re: error: ASN1_mbstring_ncopy:illegal characters
Message-ID:
	<773c496611ca890147ba4f2c10081eabb45c58f7.camel@xxxxxxxxxxxx>
Content-Type: text/plain; charset="UTF-8"

Try adding the -utf8 option to the request.



https://www.openssl.org/docs/man3.1/man1/openssl-req.html

-utf8

     This option causes field values to be interpreted as UTF8 strings,
by default they are interpreted as ASCII. This means that the field
values, whether prompted from a terminal or obtained from a
configuration file, must be valid UTF8 strings.


Regards
Mark Hack
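An added example (not code from the thread or from OpenSSL): a small Python model of the check behind the "illegal characters" error above, run in the two input modes `openssl req` offers, the default ASCII interpretation and -utf8. It assumes the per-attribute ASN.1 string types of RFC 5280 and PKCS#9 (emailAddress is IA5String only, countryName is PrintableString only, names such as commonName may also be UTF8String) and leaves out the T61String and BMPString fallbacks, so a value that fits none of the listed types is rejected in both modes.

```python
# Simplified model of per-attribute string-type selection for a DN field.
# Added example; ALLOWED_TYPES is an assumed, reduced table (no T61/BMP).

PRINTABLE_CHARS = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?"
)

# ASN.1 string types each attribute may use, narrowest first (assumed table).
ALLOWED_TYPES = {
    "emailAddress": ["IA5String"],
    "countryName": ["PrintableString"],
    "commonName": ["PrintableString", "UTF8String"],
    "organizationName": ["PrintableString", "UTF8String"],
}


def decode_input(raw: bytes, utf8: bool) -> str:
    """Interpret the bytes typed at the prompt.
    Default mode: every byte is one character, so a UTF-8 'é' (0xC3 0xA9)
    becomes two non-ASCII characters. -utf8 mode: bytes must be valid UTF-8."""
    if not utf8:
        return raw.decode("latin-1")
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("field value is not valid UTF-8") from exc


def choose_string_type(field: str, raw: bytes, utf8: bool = False) -> str:
    """Return the narrowest permitted ASN.1 type that can hold the value, or
    raise ValueError('illegal characters') when none can (the error seen above)."""
    value = decode_input(raw, utf8)
    candidates = list(ALLOWED_TYPES[field])
    for ch in value:
        if ch not in PRINTABLE_CHARS and "PrintableString" in candidates:
            candidates.remove("PrintableString")
        if ord(ch) > 0x7F and "IA5String" in candidates:
            candidates.remove("IA5String")
    if not candidates:
        raise ValueError(f"illegal characters in {field}")
    return candidates[0]


def accepted(field: str, raw: bytes, utf8: bool = False) -> bool:
    """True when the value can be encoded for that attribute in that mode."""
    try:
        choose_string_type(field, raw, utf8)
        return True
    except ValueError:
        return False
```

Under these assumptions -utf8 changes how the typed bytes are read and lets UTF8String-capable attributes such as commonName carry non-ASCII text, while an attribute restricted to IA5String still rejects anything above 0x7F.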






------------------------------

Message: 3
Date: Tue, 11 Apr 2023 15:04:56 +0000
From: Michael Wojcik <Michael.Wojcik@xxxxxxxxxxxxxx>
To: "openssl-users@xxxxxxxxxxx" <openssl-users@xxxxxxxxxxx>
Subject: RE: RSA Real World Implementation
Message-ID:
	<DM6PR18MB2700CBD841BC4596D4EC669CF99A9@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>

Content-Type: text/plain; charset="utf-8"

Haven't seen a response to this one yet, so I thought I'd provide what I could.

From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> On Behalf Of Dingsi Bumsi
Sent: Tuesday, 4 April, 2023 17:41

> As a student of computer science with focus on security I would like to see
> how RSA is implemented in the real world. I was warned not to write my own
> implementation of RSA encryption due to the high risk of bugs and
> vulnerability issues, which would be dealt with much better in a battle proven
> lib like openssl. So I would like to see how it is done properly. :-)

OpenSSL would not be my choice for this. Whatever the virtues of OpenSSL, the code is not written for readability. In fact I wouldn't advise anyone to study a "real world" RSA implementation in C at all; while C is the language I use the most (and the only one for which I've memorized a non-trivial portion of the standard), its low expressiveness, required scaffolding, and aspects of common C culture (such as short, meaningless identifiers) make it difficult to learn concepts from.

You might look at, say, Go's RSA implementation (https://pkg.go.dev/crypto/rsa, source at https://cs.opensource.google/go/go/+/master:src/crypto/rsa/), for example; even if you don't know Go, it's probably faster to learn Go and then learn from Go's implementation. And much of Go's cryptography was, I believe, written by Filippo Valsorda, who's both a good cryptographer and good at explaining cryptography; his blog is worth reading.

> I did already find the source code on github under
> https://github.com/openssl/openssl/tree/master/crypto/rsa
>
> Tbh I find it yet quite overwhelming and cumbersome to work through all
> those rather cryptic (pun intended) looking lines of source code and figure out
> what they do.

Yes, that's what I would expect. Correct cryptographic code is difficult to begin with; C is difficult; and OpenSSL is not particularly readable C.

> Is there further documentation available about how the source code files work
> together, e.g. which part of the library/file plays which role?

There might be some material along those lines in the OpenSSL docs and wiki; that should be your starting place, if you're determined to understand the OpenSSL source code.

(After that, and looking at the source, my approach would be to debug through some operations.)

> From the manpages I assume that several libraries must be used in order to
> en-/decrypt a message, so I guess documentation on how to use the openssl
> library in C source code might help too.

Prior to 3.0, only one OpenSSL library was, in the simple case, used for RSA: libcrypto. With older versions of OpenSSL you might also have an engine involved, which is technically a separate (dynamically-loaded) library. In OpenSSL 3.0, we have providers, which complicate the picture. (This is another good reason not to try to use OpenSSL as your example, by the way; the provider architecture complicates the implementation in ways irrelevant to the actual cryptography.) But libcrypto is still where the most basic implementation lives, I believe (without actually checking the source).

A number of functions are involved, but functions and libraries are different things.

> Where does the actual magic happen, meaning, where are the prime numbers
> generated and where are the messages en-/decrypted?

Aside from "crypto/rsa/*.c" I couldn't give you a definitive answer without spending time looking at the source, and possibly not without debugging through some RSA operations just to be sure.

> And one other question: Is there a reimplementation in Rust planned already?

That seems rather unlikely to me. I certainly don't recall hearing anyone talk about reimplementing OpenSSL in Rust. I don't know offhand the status of cryptography and TLS packages for Rust, but I'd think what Rust needs is its own crypto implementation, just as Go and other languages have; and if you want crypto and TLS written in Rust, that's what you'd use.




