[openssl.org #3557] -nameopt utf8 behaviour in openssl 1.0.1i
Dmitry Belyavsky via RT
2014-10-05 20:07:16 UTC
Hello OpenSSL Team,

The x509 and req commands behave strangely when the nameopt utf8 is
specified.

***@manul$ openssl x509 -text -noout -nameopt utf8 -in
./demos/cms/cacert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 14395258657826892692 (0xc7c63b7adda36b94)
Signature Algorithm: md5WithRSAEncryption
Issuer:

The output becomes correct when we specify -nameopt sep_comma_plus,utf8

The patch by Victor Wagner fixing this behaviour is attached.

Thank you!
--
SY, Dmitry Belyavsky
Dmitry Belyavsky
2014-10-11 16:19:23 UTC
Hello OpenSSL team,

Any comments?

Thank you!
Post by Dmitry Belyavsky via RT
Hello OpenSSL Team,
The x509 and req commands behave strangely when the nameopt utf8 is
specified.
./demos/cms/cacert.pem
Version: 3 (0x2)
Serial Number: 14395258657826892692 (0xc7c63b7adda36b94)
Signature Algorithm: md5WithRSAEncryption
The output becomes correct when we specify -nameopt sep_comma_plus,utf8
The patch by Victor Wagner fixing this behaviour is attached.
Thank you!
--
SY, Dmitry Belyavsky
--- ../openssl-1.0.1i/crypto/asn1/a_strex.c 2014-07-22
23:41:23.000000000 +0400
+++ crypto/asn1/a_strex.c 2014-10-05 19:45:32.790011154 +0400
@@ -414,6 +414,7 @@
sep_mv_len = 3;
break;
sep_dn = ",";
sep_dn_len = 1;
--
SY, Dmitry Belyavsky
Salz, Rich
2014-10-11 17:54:40 UTC
Looks like a bug and a reasonable fix. Thanks.
--
Principal Security Engineer, Akamai Technologies
IM: ***@jabber.me Twitter: RichSalz

From: owner-openssl-***@openssl.org [mailto:owner-openssl-***@openssl.org] On Behalf Of Dmitry Belyavsky
Sent: Saturday, October 11, 2014 12:19 PM
To: openssl-***@openssl.org
Subject: Re: [openssl.org #3557] -nameopt utf8 behaviour in openssl 1.0.1i

Hello OpenSSL team,

Any comments?

Thank you!

On Mon, Oct 6, 2014 at 12:07 AM, Dmitry Belyavsky via RT <***@openssl.org> wrote:
Hello OpenSSL Team,

The x509 and req commands behave strangely when the nameopt utf8 is
specified.

***@manul$ openssl x509 -text -noout -nameopt utf8 -in
./demos/cms/cacert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 14395258657826892692 (0xc7c63b7adda36b94)
Signature Algorithm: md5WithRSAEncryption
Issuer:

The output becomes correct when we specify -nameopt sep_comma_plus,utf8

The patch by Victor Wagner fixing this behaviour is attached.

Thank you!
--
SY, Dmitry Belyavsky

--- ../openssl-1.0.1i/crypto/asn1/a_strex.c 2014-07-22 23:41:23.000000000 +0400
+++ crypto/asn1/a_strex.c 2014-10-05 19:45:32.790011154 +0400
@@ -414,6 +414,7 @@
sep_mv_len = 3;
break;

+ case 0:
case XN_FLAG_SEP_COMMA_PLUS:
sep_dn = ",";
sep_dn_len = 1;
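Review bot: Missing documentation at the added "case 0:" label: an empty separator field now falls through to "case XN_FLAG_SEP_COMMA_PLUS:" and gets sep_dn = ",", but nothing in the hunk states that comma-plus is the intended default. Add a short comment on the label saying that 0 means no separator flag was supplied, and document the chosen default wherever the -nameopt separator options are described, so a caller who passes only utf8 knows which layout to expect.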
--
SY, Dmitry Belyavsky
Roumen Petrov
2014-10-12 10:24:48 UTC
Post by Salz, Rich
Looks like a bug and a reasonable fix. Thanks.
It seems to me OpenSSL requires separator option always to be specified.
Post by Salz, Rich
[SNIP]
Hello OpenSSL Team,
[SNIP]
The output becomes correct when we specify -nameopt sep_comma_plus,utf8
The patch by Victor Wagner fixing this behaviour is attached.
Thank you!
--
SY, Dmitry Belyavsky
--- ../openssl-1.0.1i/crypto/asn1/a_strex.c 2014-07-22 23:41:23.000000000 +0400
+++ crypto/asn1/a_strex.c 2014-10-05 19:45:32.790011154 +0400
@@ -414,6 +414,7 @@
sep_mv_len = 3;
break;
sep_dn = ",";
sep_dn_len = 1;
The switch(case) statement defines a default case. Maybe it is better to change
the default case and to document the default separator.

Which separator to use by default:
- to be compatible with previous versions, i.e. sep_comma_plus_space
- or in rfc2253 style, i.e. sep_comma_plus?



I think that this is a documentation issue only - the user could use a
"composite" like oneline or their own set of flags, as a 'separator' is required.

Pages x509 and X509_NAME_print_ex could be updated to detail that
'separator' flag is required.

Regards,
Roumen Petrov

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-***@openssl.org
Automated List Manager ***@openssl.org