wjun wrote:
> The Subjects Distinguished Name is as follows
> countryName :PRINTABLE:'CN'
> organizationName :ASN.1 30:'
> The string contains characters that are illegal for the ASN.1 type

Type 30 is a BMP string, that is, a string in the Basic Multilingual
Plane of ISO 10646, which, if I understand this correctly, is the UCS-2
scheme. In apps/ca.c, you will find, right where that string is
printed, that all strings except email addresses are analyzed as
follows.

First a type is guessed from the text itself by a call to
ASN1_PRINTABLE_type. This routine essentially will return with
Printable, IA5 or T61 depending on the octet values used.

Then, a consistency check is made between the ASN1 type in the
request and the computed charset type. If there is a mismatch,
it barfs. Since your organizationName is in BMP and that type
is never returned by ASN1_PRINTABLE_type, there you have it.

Unfortunately, your only option would be to use T61, only that,
as far as I understand, T61 is inadequate for Chinese. So you
are out of luck.

Now a question to developers. Why the call to ASN1_PRINTABLE_type
and the subsequent check if, in a world with BMPString, UniversalString
and UTFString (that seems the future according to RFC2459), the
function ASN1_PRINTABLE_type is essentially a broken concept,
a leftover from the dark ages? And it is a Y2003 problem, right?

On a related topic, we then have again the same ASN1_PRINTABLE_type
magic in apps/req.c, which should be replaced by some charset
specification in openssl.cnf like this:

    organizationName = Organization Name (eg, company)
    organizationName_default = Wierd Certificates R Us
    organizationName_charset = UTF8String

or some such. Once the intended charset is known, it can be
demoted to IA5String or PrintableString if necessary, but telling
the different high-bit-using, multibyte things apart (and
even T61 is one) cannot be done deterministically. The encoding has to
be known beforehand.

Julio
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
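
A minimal model of the check described in the message above, added here as an illustration; it is not code from apps/ca.c or from OpenSSL. The names guess_type and check_ok are hypothetical, the strict equality test follows the message's description rather than the actual source, and the byte strings are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* ASN.1 universal tag numbers for the string types involved. */
enum { TAG_PRINTABLE = 19, TAG_T61 = 20, TAG_IA5 = 22, TAG_BMP = 30 };

/* PrintableString alphabet: letters, digits, space and ' ( ) + , - . / : = ? */
static int is_printable_char(unsigned char c) {
    if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9'))
        return 1;
    return c != 0 && strchr(" '()+,-./:=?", c) != NULL;
}

/* Hypothetical model of the guess: it sees octet values only, never the
 * declared type, so it can answer Printable, IA5 or T61 and nothing else. */
int guess_type(const unsigned char *s, size_t len) {
    int ia5 = 0, t61 = 0;
    for (size_t i = 0; i < len; i++) {
        if (s[i] & 0x80) t61 = 1;                    /* high bit set */
        else if (!is_printable_char(s[i])) ia5 = 1;  /* 7-bit, outside alphabet */
    }
    return t61 ? TAG_T61 : ia5 ? TAG_IA5 : TAG_PRINTABLE;
}

/* Consistency check as the message describes it: declared type must match. */
int check_ok(int declared, const unsigned char *s, size_t len) {
    return guess_type(s, len) == declared;
}

/* Constructed samples: BMPString contents (UCS-2, big-endian). */
static const unsigned char BMP_ZHONGGUO[] = {0x4E, 0x2D, 0x56, 0xFD}; /* U+4E2D U+56FD */
static const unsigned char BMP_ZHONG[]    = {0x4E, 0x2D};             /* U+4E2D; also "N-" */
static const unsigned char BMP_CN[]       = {0x00, 0x43, 0x00, 0x4E}; /* "CN" */

int main(void) {
    printf("U+4E2D U+56FD -> guess %d, accepted as BMP: %d\n",
           guess_type(BMP_ZHONGGUO, sizeof BMP_ZHONGGUO),
           check_ok(TAG_BMP, BMP_ZHONGGUO, sizeof BMP_ZHONGGUO));
    printf("U+4E2D        -> guess %d (same octets as Printable \"N-\")\n",
           guess_type(BMP_ZHONG, sizeof BMP_ZHONG));
    printf("BMP \"CN\"      -> guess %d\n", guess_type(BMP_CN, sizeof BMP_CN));
    return 0;
}
```

The second sample shows why the encoding has to be declared rather than guessed: the octets 4E 2D are one Chinese character as a BMPString and the two characters "N-" as a PrintableString.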