On Tue, Apr 11, 2023 at 09:43:20AM -0500, Mark Hack <markhack@xxxxxxxxxxxx> wrote:

> On Tue, 2023-04-11 at 23:40 +1000, raf via openssl-users wrote:
> > Hi,
> >
> > I'm trying to create a CSR for an SMIME certificate for
> > an email address with non-ASCII characters (localpart
> > and domain), and I'm getting this error after entering
> > äbç@être.org as the email address:
> >
> > 139749651649856:error:0D07A07C:asn1 encoding
> > routines:ASN1_mbstring_ncopy:illegal
> > characters:../crypto/asn1/a_mbstr.c:115:
> >
> > The error message is similar if the only non-ASCII
> > characters are in the domain name, or if they are only
> > in the localpart (only the leading number in the error
> > message changes). It's just for testing purposes, and
> > I'm only really interested in the domain part.
> >
> > I must be doing something wrong. How can I use
> > non-ASCII (UTF8-encoded Unicode characters,
> > LANG=en_AU.UTF-8)? It looks like it's expecting
> > multi-byte strings (a_mbstr.c).
> >
> > My smime.cnf contains:
> >
> > [req]
> > distinguished_name = req_distinguished_name
> >
> > [req_distinguished_name]
> > countryName = Country Name (2 letter code)
> > countryName_default = AU
> > countryName_min = 2
> > countryName_max = 2
> > stateOrProvinceName = State or Province Name (full name)
> > stateOrProvinceName_default = Some-State
> > localityName = Locality Name (eg, city)
> > 0.organizationName = Organization Name (eg, company)
> > 0.organizationName_default = Internet Widgits Pty Ltd
> > organizationalUnitName = Organizational Unit Name (eg, section)
> > commonName = Common Name (e.g. server FQDN or YOUR name)
> > commonName_max = 64
> > emailAddress = Email Address
> > emailAddress_max = 64
> >
> > [smime]
> > basicConstraints = CA:FALSE
> > keyUsage = nonRepudiation, digitalSignature, keyEncipherment
> > subjectKeyIdentifier = hash
> > authorityKeyIdentifier = keyid:always,issuer
> > subjectAltName = email:copy
> > extendedKeyUsage = emailProtection
> >
> > And the openssl commands were:
> >
> > OPENSSL_CONF=`pwd`/smime.cnf
> > # Generate an RSA Private Key for the Certificate Authority
> > openssl genrsa -aes256 -out ca.key 2048
> > # Create Self-Signed Certificate for the Certificate Authority
> > openssl req -new -x509 -days 365 -key ca.key -out ca.crt
> > # Generate an RSA Private Key for the Personal E-Mail Certificate
> > openssl genrsa -aes256 -out smime_test_user.key 2048
> > # Create the Certificate Signing Request
> > openssl req -new -key smime_test_user.key -out smime_test_user.csr
> >
> > The error happened during the command above.
> >
> > > openssl req -new -key smime_test_user.key -out smime_test_user.csr
> >
> > Enter pass phrase for smime_test_user.key:
> > You are about to be asked to enter information that will be incorporated
> > into your certificate request.
> > What you are about to enter is what is called a Distinguished Name or a DN.
> > There are quite a few fields but you can leave some blank
> > For some fields there will be a default value,
> > If you enter '.', the field will be left blank.
> > -----
> > Country Name (2 letter code) [AU]:
> > State or Province Name (full name) [Some-State]:
> > Locality Name (eg, city) []:
> > Organization Name (eg, company) [Internet Widgits Pty Ltd]:
> > Organizational Unit Name (eg, section) []:
> > Common Name (e.g. server FQDN or YOUR name) []:
> > Email Address []:äbç@être.org
> > problems making Certificate Request
> > 139749651649856:error:0D07A07C:asn1 encoding
> > routines:ASN1_mbstring_ncopy:illegal
> > characters:../crypto/asn1/a_mbstr.c:115:
> >
> > So I didn't get to the final command:
> >
> > # Sign the Certificate Using the Certificate Authority
> > openssl x509 -req -days 365 -in smime_test_user.csr -CA ca.crt
> > -CAkey ca.key -set_serial 1 -out smime_test_user.crt -addtrust
> > emailProtection -addreject clientAuth -addreject serverAuth -trustout
> > -extfile smime.cnf -extensions smime
> >
> > cheers,
> > raf
>
> Try adding the -utf8 option to the request.
>
> https://www.openssl.org/docs/man3.1/man1/openssl-req.html
>
> -utf8
>
> This option causes field values to be interpreted as UTF8 strings,
> by default they are interpreted as ASCII. This means that the field
> values, whether prompted from a terminal or obtained from a
> configuration file, must be valid UTF8 strings.
>
> Regards
> Mark Hack

Thanks, but surprisingly, that didn't work. I first tried adding -utf8
at the end of the command and it made no difference. Then I tried
placing it further to the left, in several locations, just in case it
made any difference, but it resulted in the same error. I've checked
(with od -cx) that the email address I'm pasting is valid UTF8, and
it is.

cheers,
raf
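Added example, not part of the thread and not OpenSSL's own code: a small DER encoder in standard-library Python that shows why -utf8 cannot help with the error above and where a non-ASCII address can be carried instead. The subject attribute emailAddress (PKCS#9, OID 1.2.840.113549.1.9.1) is defined as an IA5String (RFC 5280 section 4.1.2.6), and OpenSSL's attribute table pins it to that type, so ASN1_mbstring_ncopy rejects any character outside 7-bit ASCII with "illegal characters" regardless of how the typed bytes were decoded; -utf8 changes the interpretation of the input, not the string type the attribute may hold. RFC 8398 instead defines a subjectAltName otherName, SmtpUTF8Mailbox (OID 1.3.6.1.5.5.7.8.9, a UTF8String), for addresses with a non-ASCII local part, and requires addresses whose local part is ASCII to stay in rfc822Name with an IDN domain converted to its A-label. The addresses in the block are constructed test data; the subjectAltName config values it builds follow the email: and otherName:OID;UTF8: syntax of x509v3_config(5) and are my assumption of how the thread's smime.cnf could carry such an address, not something the thread itself concluded.

```python
"""Encode an e-mail address the two ways a certificate can carry it.

Constructed example, standard library only. It demonstrates that the DN
attribute emailAddress is an IA5String (7-bit ASCII) by definition, so a
non-ASCII address must go into a subjectAltName form that permits UTF-8.
The addresses used below are test data, not real mailboxes.
"""

OID_EMAIL_ADDRESS = "1.2.840.113549.1.9.1"   # PKCS#9 emailAddress, IA5String
OID_SMTP_UTF8_MAILBOX = "1.3.6.1.5.5.7.8.9"  # id-on-SmtpUTF8Mailbox, UTF8String

TAG_SEQUENCE, TAG_OID, TAG_UTF8STRING, TAG_IA5STRING = 0x30, 0x06, 0x0C, 0x16
TAG_OTHERNAME = 0xA0       # GeneralName [0] IMPLICIT OtherName (constructed)
TAG_RFC822NAME = 0x81      # GeneralName [1] IMPLICIT IA5String (primitive)
TAG_CTX0_EXPLICIT = 0xA0   # OtherName.value [0] EXPLICIT


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def _oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def ia5string(value: str) -> bytes:
    """IA5String slot: only 7-bit ASCII fits, whatever encoding the input arrived in.
    The ValueError text mirrors the reason OpenSSL reports from ASN1_mbstring_ncopy."""
    if not value.isascii():
        raise ValueError("illegal characters")
    return _tlv(TAG_IA5STRING, value.encode("ascii"))


def utf8string(value: str) -> bytes:
    return _tlv(TAG_UTF8STRING, value.encode("utf-8"))


def dn_email_attribute(addr: str) -> bytes:
    """AttributeTypeAndValue { emailAddress, IA5String } as it sits in a CSR subject."""
    return _tlv(TAG_SEQUENCE, _oid(OID_EMAIL_ADDRESS) + ia5string(addr))


def dn_email_allowed(addr: str) -> bool:
    """True if the address can be placed in the subject DN at all."""
    try:
        dn_email_attribute(addr)
        return True
    except ValueError:
        return False


def smtp_utf8_mailbox(addr: str) -> bytes:
    """GeneralName otherName { id-on-SmtpUTF8Mailbox, [0] EXPLICIT UTF8String }."""
    inner = _oid(OID_SMTP_UTF8_MAILBOX) + _tlv(TAG_CTX0_EXPLICIT, utf8string(addr))
    return _tlv(TAG_OTHERNAME, inner)


def san_for(addr: str):
    """Choose the subjectAltName form RFC 8398 section 3 prescribes.

    Non-ASCII local part -> SmtpUTF8Mailbox, domain kept as a U-label.
    ASCII local part     -> rfc822Name, an IDN domain turned into its A-label.
    Returns (form, der_bytes, config_value); config_value is the string assumed
    to follow 'subjectAltName =' in an OpenSSL config (x509v3_config(5) syntax).
    """
    local, domain = addr.rsplit("@", 1)
    if not local.isascii():
        return ("SmtpUTF8Mailbox", smtp_utf8_mailbox(addr),
                f"otherName:{OID_SMTP_UTF8_MAILBOX};UTF8:{addr}")
    alabel = domain.encode("idna").decode("ascii")   # stdlib IDNA ToASCII
    ascii_addr = f"{local}@{alabel}"
    return ("rfc822Name", _tlv(TAG_RFC822NAME, ascii_addr.encode("ascii")),
            f"email:{ascii_addr}")


if __name__ == "__main__":
    for addr in ("user@example.org", "user@être.org", "äbç@être.org"):
        form, der, cfg = san_for(addr)
        print(f"{addr:18} DN emailAddress ok: {dn_email_allowed(addr)!s:5} "
              f"SAN {form}: {cfg}  ({der.hex()})")
```

Running the block prints, for each constructed address, whether the DN attribute can hold it and which SAN form and config value would carry it; only the pure-ASCII address passes the DN check, which is the same outcome the thread's openssl req run shows. The thread's config uses subjectAltName = email:copy, which copies the DN attribute and so inherits the same IA5String limit; a non-ASCII address has to be written into the SAN directly.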