On Thu, Apr 13, 2023 at 09:45:55AM +1000, raf via openssl-users wrote:
> > You need to specify a SAN "otherName" of type smtpUtf8Name, rather than
> > an rfc822Name. With OpenSSL 3.0, you can use "id-on-SmtpUTF8Mailbox"
> > instead of the numeric OID:
> >
> > [extensions]
> > subjectAltName = @sans
> >
> > [sans]
> > otherName.1 = 1.3.6.1.5.5.7.8.9;FORMAT:UTF8,UTF8String:потребитель@домен.example
> >
> > Full support for this in certificate verification requires OpenSSL 3.0.
>
> Thanks. Sadly, I don't understand the config file format enough to
> know how to incorporate this into my existing config file (copied from
> a howto for S/MIME). which includes "subjectAltName = email:copy". If
> I just add the above, I get a new error when decrypting the private
> key.
That's for signing CSRs with a CA, I typically bypass that, and create
the cert more directly. I don't know how or whether there's support for
copying specific "otherName" extensions by OID.
> In the meantime, I might just wait until a user reports that my script
> isn't working for S/MIME with non-ASCII email addresses (if that ever
> happens). If they can show me the output of the openssl x509 ...
> -noout -text command for their certificate, that should be enough for
> me to fix my script.
You reall SHOULD NOT parse the output of "openssl ... -text" it is not a
stable machine-readable format. Python has APIs for parsing X.509
objects, I was suggesting you use those.
If you really must go out on a limb, OpenSSL 3.0 would output:
...
X509v3 extensions:
X509v3 Subject Key Identifier:
E7:9B:E2:2A:AD:8A:6C:3A:CB:76:51:E5:8E:07:98:22:97:E1:73:A2
X509v3 Authority Key Identifier:
B4:11:33:F1:D7:E2:5E:F7:53:9E:20:22:10:4F:86:06:BF:1F:C9:5E
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Alternative Name:
othername: SmtpUTF8Mailbox::виктор@example.org
...
--
Viktor.
