countryName is UTF8STRING when making a CSR #69
Comments
Did you try to sign the CSR with openssl? Is there something in your openssl config which requires the countryName to be a PrintableString (and/or to have an exact match)? At the moment, the ASN.1 combinators already strip the information about which of the various string encodings was used, and translate this into a string. While writing, every string is translated into a UTF8String (which according to the X.509 RFC is fine, but as you found out, implementations might assume other encodings).
Thank you for your very fast reply(!) Yes, I tried to sign it with openssl which is configured to have countryName match "DK". It's not explicitly configured to have countryName be a PrintableString AFAIK.
OK, and it turns out a PrintableString is what is suggested by the standard here (RFC 5280, appendix A.1) (omitting where UTF8String is fine):
@pqwy this means we (you?!? ;) really need to expose the string encoding..
I had a similar issue signing an ocaml-x509 CSR with an OpenSSL CA, though in my case the mismatch was due to domain components. Apart from the cited appendix, section 7.3 in the same document says that IA5String is to be used even for IDNs:
@hannesm as you mentioned, some attributes of a distinguished name should not be UTF8String. I've run into the same problem and saw that some programs don't show C and emailAddress correctly (for example gcr-viewer shows hex escape codes instead of the email, though it has ASCII-only symbols), so I hacked the ASN.1 grammar of the distinguished name a bit: https://github.com/NightBlues/ocaml-x509/pull/2/files and now I cannot see any "bads" with either gcr-viewer or the openssl cli utility. But I did not succeed in my use case. Here is what I'm trying to do:
If I use the openssl cli, everything is fine, but if I use ocaml to create the CSR, Firefox imports the p12 but doesn't show it in the user identity dialog (nor does Chrome). If I create the CSR with ocaml and sign it with the openssl cli, it signs successfully, but the behavior is the same: Firefox imports the p12 but doesn't show it in the dialog. All these attempts make me think that there is something wrong with the CSR that ocaml-x509 generates, but I can't find what exactly. I'm using the openssl cli to manually verify attributes of the certificate, but it doesn't show ASN.1 datatypes, so everything looks the same with good and bad certs. Can you please advise how to narrow down the problem? I have no proprietary ASN.1 viewers and don't even know their names :(
Interesting, I use http://lapo.it/asn1js/ for debugging ASN.1 issues. I'd go as follows:
Before PR #114 I actually signed some certificates with ocaml-x509, and used openssl pkcs12 to pack them into PKCS12 containers -- and was successfully able to import them into Firefox & Chrome (NB: I have not tried #114 in respect to Firefox / Chrome compatibility).
Just checked - it works (and it's actually how a checked ocaml p12 is working)
It helped! I've found that the only difference is the cert signature and the commonName type (I hacked it with Thank you!
I think it's because your issuer cert was created with ocaml too, while mine was created with the openssl cli, so you had UTF8String both in the issuer cert and in the issuer field of the client cert, while I have UTF8String in the issuer DN and printable_name in the client cert's issuer field - it seems that Firefox compares them in some type-safe way
ah, yes -- it is a good idea to have bit-wise equality between "the subject of the CA cert" and "the issuer of the cert". This is not achieved by ocaml-x509 (yet) since the string tags are thrown away...
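To make the three points of this thread concrete (the ASN.1 layer discarding the string tag, the reporter's complaint that the openssl cli does not show the datatypes, and the issuer-field/CA-subject comparison that must be byte-exact), here is an added, self-contained Python example. It is not ocaml-x509 code and not from anyone in the thread: it hand-encodes an X.501 Name in DER, decodes it while keeping each value's string tag, flags attributes whose tag does not match RFC 5280 Appendix A.1 (countryName, serialNumber, dnQualifier as PrintableString; domainComponent and emailAddress as IA5String), and compares two names both as text and as bytes. The sample names at the bottom are constructed for the demonstration; the function and OID names are this example's own.

```python
# Added example (not ocaml-x509 code): minimal DER Name encoder/decoder that
# keeps string tags, so the same text with different tags can be told apart.

PRINTABLE_STRING, UTF8_STRING, IA5_STRING = 0x13, 0x0C, 0x16
SEQUENCE, SET, OID = 0x30, 0x31, 0x06
TAG_NAMES = {PRINTABLE_STRING: "PrintableString",
             UTF8_STRING: "UTF8String", IA5_STRING: "IA5String"}

OID_COUNTRY, OID_CN, OID_SERIAL, OID_DN_QUALIFIER = "2.5.4.6", "2.5.4.3", "2.5.4.5", "2.5.4.46"
OID_DC, OID_EMAIL = "0.9.2342.19200300.100.1.25", "1.2.840.113549.1.9.1"

# String type RFC 5280 Appendix A.1 fixes for the attributes named in the
# thread; other attributes use DirectoryString, where UTF8String is fine.
EXPECTED_TAG = {OID_COUNTRY: PRINTABLE_STRING, OID_SERIAL: PRINTABLE_STRING,
                OID_DN_QUALIFIER: PRINTABLE_STRING,
                OID_DC: IA5_STRING, OID_EMAIL: IA5_STRING}

# Character repertoire of PrintableString (X.680).
PRINTABLE_CHARS = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?")

def tlv(tag, content):
    """DER tag-length-value, definite length in short or long form."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def read_tlv(buf, pos):
    """Parse one TLV at buf[pos]; returns (tag, content, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]            # base-128, continuation bit on all but last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes(body)

def decode_oid(b):
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def encode_string(tag, value):
    """Refuse characters the chosen string type cannot carry."""
    if tag == PRINTABLE_STRING and not set(value) <= PRINTABLE_CHARS:
        raise ValueError("not representable as PrintableString: %r" % value)
    if tag == IA5_STRING and not value.isascii():
        raise ValueError("not representable as IA5String: %r" % value)
    return tlv(tag, value.encode("utf-8"))

def encode_name(attrs):
    """attrs: list of (oid, string_tag, text); one attribute per RDN."""
    rdns = b""
    for oid, tag, value in attrs:
        atv = tlv(SEQUENCE, tlv(OID, encode_oid(oid)) + encode_string(tag, value))
        rdns += tlv(SET, atv)
    return tlv(SEQUENCE, rdns)

def decode_name(der):
    """Inverse of encode_name; keeps the string tag of every value."""
    tag, body, end = read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("not a DER Name")
    attrs, pos = [], 0
    while pos < len(body):
        set_tag, rdn, pos = read_tlv(body, pos)
        if set_tag != SET:
            raise ValueError("RDN is not a SET")
        q = 0
        while q < len(rdn):              # handles multi-valued RDNs as well
            _, atv, q = read_tlv(rdn, q)
            _, oid_bytes, p = read_tlv(atv, 0)
            vtag, value, _ = read_tlv(atv, p)
            attrs.append((decode_oid(oid_bytes), vtag, value.decode("utf-8")))
    return attrs

def wrong_tags(der):
    """(oid, found, expected) for every attribute whose tag breaks A.1."""
    return [(oid, TAG_NAMES.get(tag, hex(tag)), TAG_NAMES[EXPECTED_TAG[oid]])
            for oid, tag, _ in decode_name(der)
            if oid in EXPECTED_TAG and tag != EXPECTED_TAG[oid]]

def compare_names(a, b):
    """(same text, same bytes): a lenient and a strict issuer/subject match."""
    def text(der):
        return [(o, v) for o, _, v in decode_name(der)]
    return text(a) == text(b), a == b

if __name__ == "__main__":
    # Constructed sample: a CA subject with the A.1 tags, and the same name as
    # an issuer field written with UTF8String for everything.
    ca_subject = encode_name([(OID_COUNTRY, PRINTABLE_STRING, "DK"),
                              (OID_CN, UTF8_STRING, "Example CA")])
    issuer_field = encode_name([(OID_COUNTRY, UTF8_STRING, "DK"),
                                (OID_CN, UTF8_STRING, "Example CA")])
    print("CA subject  :", ca_subject.hex())
    print("issuer field:", issuer_field.hex())
    print("same text / same bytes:", compare_names(ca_subject, issuer_field))
    print("tags breaking A.1     :", wrong_tags(issuer_field))
```

Running it shows the two names decoding to identical text while differing in one byte (0x13 versus 0x0C before `DK`), which is exactly the comparison a strict verifier loses on. For a real CSR or certificate, `openssl asn1parse -i -in file.pem` prints each value's type (`PRINTABLESTRING :DK` versus `UTF8STRING :DK`), so the datatypes are visible without a separate ASN.1 viewer.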
Earlier, each component was serialised to a UTF8String, which is wrong for DomainComponent (IA5String), Serialnumber (PrintableString), CountryName (PrintableString), DnQualifier (PrintableString), EMail (IA5String). Reported in mirleft#69
Fixed by #140. Feels good to finally close this after > 5 years since the report. |
CHANGES:
* FEATURE PKCS12 support (mirleft/ocaml-x509#114 by @hannesm)
* FEATURE ECDSA and EDDSA support via mirage-crypto-ec (mirleft/ocaml-x509#145 by @hannesm) This breaks some clients since the Private_key.t and Public_key.t variants are extended (may result in partial pattern matches of users of this library).
* CRL.is_revoked has `crls` as last parameter to avoid warning 16 (4.12 compatibility) (mirleft/ocaml-x509#144 by @hannesm)
* Signing_request.sign: add optional labelled argument `~subject` to allow changing the subject when signing a signing request (mirleft/ocaml-x509#139 by @reynir)
* BUGFIX Encoding of Distinguished_name components (adhere to specification) DomainComponent and EMail are now serialised using a IA5String; Serialnumber, CountryName and DnQualifier as PrintableString (reported in mirleft/ocaml-x509#69, fixed mirleft/ocaml-x509#140 by @NightBlues)
* BREAKING Remove `~sloppy` from Private_key.decode_{pem,der}. The seemingly bad RSA keys were valid and should have been accepted by mirage-crypto. (mirleft/ocaml-x509#142 by @psafont)
I made a CSR using ocaml-x509, and it wasn't accepted by openssl as country name "DK" is not the same as country name "DK". After being a bit puzzled by this error message I found out that ocaml-x509 encoded countryName as UTF8STRING while openssl generates and seemingly expects PrintableString.