Handling non-ASCII output #458

Closed
t8m opened this issue Feb 13, 2024 · 7 comments
@t8m
Member

t8m commented Feb 13, 2024

See openssl/openssl#3291

@beldmit
Member

beldmit commented Feb 13, 2024

We have 2 approaches to deal with Unicode in X.509 extensions:

  • We can presume that utf8 output is harmless and rewrite the X.509 extensions print callbacks to always use it
  • We can implement some new API that will accept the flags similar to the ones -nameopt sets and pass it to X.509 callbacks

The 1st approach looks more reasonable to me
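The difference between the two approaches listed above, as an added sketch that is not part of the thread and not OpenSSL code: a printer that passes well-formed UTF-8 through when no MSB escaping is requested, escapes control bytes on request, and always escapes malformed sequences. The names `DEMO_ESC_CTRL`, `DEMO_ESC_MSB` and `demo_print_string` are hypothetical, modelled on the `esc_ctrl` and `esc_msb` options of `-nameopt`.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical flags for this sketch, modelled on -nameopt esc_ctrl / esc_msb. */
#define DEMO_ESC_CTRL 0x1u /* escape control bytes (< 0x20 and 0x7f) */
#define DEMO_ESC_MSB  0x2u /* escape every byte with the top bit set */

/* Length of the well-formed UTF-8 sequence at s (n bytes left), 0 if malformed. */
static size_t utf8_seq_len(const unsigned char *s, size_t n)
{
    static const unsigned long min_cp[5] = { 0, 0, 0x80, 0x800, 0x10000 };
    size_t len, i;
    unsigned long cp;

    if (s[0] < 0x80) return 1;
    if ((s[0] & 0xe0) == 0xc0) { len = 2; cp = s[0] & 0x1f; }
    else if ((s[0] & 0xf0) == 0xe0) { len = 3; cp = s[0] & 0x0f; }
    else if ((s[0] & 0xf8) == 0xf0) { len = 4; cp = s[0] & 0x07; }
    else return 0;
    if (len > n) return 0;
    for (i = 1; i < len; i++) {
        if ((s[i] & 0xc0) != 0x80) return 0;
        cp = (cp << 6) | (s[i] & 0x3f);
    }
    /* reject overlong forms, surrogates and values past U+10FFFF */
    if (cp < min_cp[len] || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff))
        return 0;
    return len;
}

/* Render in[0..n) into out as a NUL-terminated string; -1 if out is too small. */
int demo_print_string(const unsigned char *in, size_t n, unsigned flags,
                      char *out, size_t outsz)
{
    size_t i = 0, o = 0, k, len;
    while (i < n) {
        int ctrl = in[i] < 0x20 || in[i] == 0x7f;
        int esc = (ctrl && (flags & DEMO_ESC_CTRL)) ||
                  (in[i] >= 0x80 && (flags & DEMO_ESC_MSB));
        if ((len = utf8_seq_len(in + i, n - i)) == 0) { len = 1; esc = 1; }
        if (o + (esc ? 3 * len : len) + 1 > outsz) return -1;
        if (!esc) { memcpy(out + o, in + i, len); o += len; }
        else for (k = 0; k < len; k++)
            o += (size_t)snprintf(out + o, outsz - o, "\\%02X", (unsigned)in[i + k]);
        i += len;
    }
    out[o] = '\0';
    return 0;
}
```

With both flags set, a constructed value such as `Café` renders as `Caf\C3\A9`; with only `DEMO_ESC_CTRL` it renders as readable UTF-8 while an embedded escape byte (0x1b) is still printed as `\1B`.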

@mattcaswell
Member

OTC: We prefer the second option unless it becomes too invasive

@beldmit to investigate further

@beldmit
Member

beldmit commented Apr 2, 2024

We have the X509V3_extensions_print function, which accepts a flag argument (13 bits used) and calls X509V3_EXT_print with the same flag argument.

For a particular known extension we get an i2s callback from the X509V3_EXT_METHOD: https://github.com/openssl/openssl/blob/de85587911dcd41dc3546b348acf9c9f15dd7c3d/include/openssl/x509v3.h.in#L64C1-L84C3

Then the i2s, i2v, or i2r method is used for printing known extensions. I believe i2s and i2v are the most relevant for our purposes as they are intended to deal with strings. It doesn't accept the flag argument, so for the string extensions we will need to implement new callbacks here.

At first glance, the natural-looking extension to implement this for is AKID, which can contain the Issuer field. I didn't find anything else in the list of currently supported extensions.

@beldmit
Member

beldmit commented Apr 11, 2024

Here we have the definitions of the flags:

https://github.com/openssl/openssl/blob/491bbb444c4b654de14adc7031eb44e88a101edb/include/openssl/x509v3.h.in#L117

A non-null value is set only in AKID, v3info, crldp, issuer sign tool, and Thawte strong extranet, and all of them use the MULTILINE flag.

So the solution may be to copy the X509V3_EXT_METHOD struct instead of obtaining it, set the utf8 and maybe other flags, and use the existing callbacks (accepting the X509V3_EXT_METHOD struct) to properly process it.

@t8m
Member Author

t8m commented Apr 16, 2024

AI @beldmit to create an RFE issue in openssl/openssl describing the specification of how this should be implemented.

@beldmit
Member

beldmit commented Apr 16, 2024

Done, feel free to adjust my best English :)

openssl/openssl#24157

@t8m
Member Author

t8m commented Apr 23, 2024

There is an issue to be worked on. Nothing for OTC to track anymore. Closing.

@t8m t8m closed this as completed Apr 23, 2024