On Wed, Apr 12, 2023 at 10:41:39PM -0400, Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote:

> On Thu, Apr 13, 2023 at 09:45:55AM +1000, raf via openssl-users wrote:
>
> > > You need to specify a SAN "otherName" of type smtpUtf8Name, rather than
> > > an rfc822Name. With OpenSSL 3.0, you can use "id-on-SmtpUTF8Mailbox"
> > > instead of the numeric OID:
> > >
> > >     [extensions]
> > >     subjectAltName = @sans
> > >
> > >     [sans]
> > >     otherName.1 = 1.3.6.1.5.5.7.8.9;FORMAT:UTF8,UTF8String:потребитель@домен.example
> > >
> > > Full support for this in certificate verification requires OpenSSL 3.0.
> >
> > Thanks. Sadly, I don't understand the config file format enough to
> > know how to incorporate this into my existing config file (copied from
> > a howto for S/MIME), which includes "subjectAltName = email:copy". If
> > I just add the above, I get a new error when decrypting the private
> > key.
>
> That's for signing CSRs with a CA, I typically bypass that, and create
> the cert more directly. I don't know how or whether there's support for
> copying specific "otherName" extensions by OID.
>
> > In the meantime, I might just wait until a user reports that my script
> > isn't working for S/MIME with non-ASCII email addresses (if that ever
> > happens). If they can show me the output of the openssl x509 ...
> > -noout -text command for their certificate, that should be enough for
> > me to fix my script.
>
> You really SHOULD NOT parse the output of "openssl ... -text", it is not a
> stable machine-readable format. Python has APIs for parsing X.509
> objects, I was suggesting you use those.
>
> If you really must go out on a limb, OpenSSL 3.0 would output:
>
>     ...
>     X509v3 extensions:
>         X509v3 Subject Key Identifier:
>             E7:9B:E2:2A:AD:8A:6C:3A:CB:76:51:E5:8E:07:98:22:97:E1:73:A2
>         X509v3 Authority Key Identifier:
>             B4:11:33:F1:D7:E2:5E:F7:53:9E:20:22:10:4F:86:06:BF:1F:C9:5E
>         X509v3 Basic Constraints:
>             CA:FALSE
>         X509v3 Subject Alternative Name:
>             othername: SmtpUTF8Mailbox::виктор@example.org
>     ...
>
> --
>     Viktor.

Thanks.

cheers,
raf
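
Reading the SmtpUTF8Mailbox otherName through a Python X.509 API instead of parsing "-text" output, as an added example that is not part of the original thread. It assumes the third-party `cryptography` package; the function names are hypothetical and the certificate is a constructed, self-signed sample.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# id-on-SmtpUTF8Mailbox (RFC 8398), the OID from the config quoted above
SMTP_UTF8_MAILBOX = x509.ObjectIdentifier("1.3.6.1.5.5.7.8.9")

def decode_utf8string(der):
    """Decode a DER UTF8String (tag 0x0C); reject other tags and mismatched lengths."""
    if len(der) < 2 or der[0] != 0x0C or der[1] == 0x80:
        raise ValueError("otherName value is not a definite-length UTF8String")
    length, offset = der[1], 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        offset += length & 0x7F
        length = int.from_bytes(der[2:offset], "big")
    if offset + length != len(der):
        raise ValueError("UTF8String length does not match the data")
    return der[offset:].decode("utf-8")

def make_sample_pem(mailbox):
    """Constructed sample: throwaway self-signed cert with one SmtpUTF8Mailbox SAN."""
    raw = mailbox.encode("utf-8")
    assert len(raw) < 128  # short-form DER length is enough for the sample
    other = x509.OtherName(SMTP_UTF8_MAILBOX, bytes([0x0C, len(raw)]) + raw)
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed sample")])
    start = datetime.datetime(2023, 4, 13)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=1))
            .add_extension(x509.SubjectAlternativeName([other]), critical=False)
            .sign(key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.PEM)

def smtp_utf8_mailboxes(pem):
    """Return every SmtpUTF8Mailbox otherName from the certificate's SAN extension."""
    cert = x509.load_pem_x509_certificate(pem)
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return []
    return [decode_utf8string(gn.value) for gn in san
            if isinstance(gn, x509.OtherName) and gn.type_id == SMTP_UTF8_MAILBOX]

if __name__ == "__main__":
    print(smtp_utf8_mailboxes(make_sample_pem("виктор@example.org")))
```

The library hands back the otherName value as raw DER, so the UTF8String wrapper still has to be decoded and type-checked before the address is used.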