Julio Sánchez Fernández wrote:
>
> Now a question to developers. Why the call to ASN1_PRINTABLE_type
> and the subsequent check if in a world with BMPString, UniversalString
> and UTFString (that seems the future according to RFC2459), the
> function ASN1_PRINTABLE_type is essentially a broken concept,
> a leftover from the dark ages? And it is a Y2003 problem, right?
>
> In a related topic, then we have again the same ASN1_PRINTABLE_type
> magic in apps/req.c, that should be replaced by some charset
> specification in openssl.cnf like this:
>
> organizationName = Organization Name (eg, company)
> organizationName_default = Wierd Certificates R Us
> organizationName_charset = UTF8String
>
> or some such. Once the intended charset is known, it can be
> demoted to IA5String or PrintableString if necessary, but telling
> apart between the different, high-bit using, multibyte things (and
> even T61 is) cannot be done deterministically. The encoding has to
> be known beforehand.
>
The current behaviour is "historic" and should be changed to support
BMPStrings and UTF8Strings; however, this is not trivial for the following
reasons:

There are ASCII assumptions all over the place, particularly in the
config file code.

This would require some kind of cross-platform support: basically a way
to input, print and parse files containing Unicode or UTF8Strings.

There are reported problems with using BMPStrings and UTF8Strings:
apparently newer IE versions handle BMPStrings but not UTF8Strings, and
some versions of Netscape crash when they receive a certificate
containing a UTF8String. Has anyone tried the latest Netscape to see if
this still happens?

Also, speaking personally, I'm not short of things to do :-(
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
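
The point raised in the quoted message, that the charset must be declared before a string can be demoted to PrintableString or IA5String, worked through as an added example (not OpenSSL code and not written by either poster). The names `demote`, `next_cp`, `is_printable`, `CS_*` and `K_*` are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical names, not OpenSSL API; K_UNICODE = UTF8String or BMPString. */
enum charset { CS_LATIN1, CS_UTF8 };
enum asn1_kind { K_PRINTABLE, K_IA5, K_UNICODE, K_BAD };

/* Decode one code point under the declared charset; 0 means malformed. */
static size_t next_cp(enum charset cs, const unsigned char *s, size_t n,
                      unsigned long *cp)
{
    static const unsigned long min[] = { 0, 0, 0x80, 0x800, 0x10000 };
    size_t len, i;
    if (cs == CS_LATIN1 || s[0] < 0x80) { *cp = s[0]; return 1; }
    if ((s[0] & 0xE0) == 0xC0) { len = 2; *cp = s[0] & 0x1F; }
    else if ((s[0] & 0xF0) == 0xE0) { len = 3; *cp = s[0] & 0x0F; }
    else if ((s[0] & 0xF8) == 0xF0) { len = 4; *cp = s[0] & 0x07; }
    else return 0;
    if (n < len) return 0;
    for (i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        *cp = (*cp << 6) | (s[i] & 0x3F);
    }
    /* Reject overlong forms, surrogates and values past U+10FFFF. */
    if (*cp < min[len] || *cp > 0x10FFFF || (*cp >> 11) == 0x1B) return 0;
    return len;
}

/* PrintableString alphabet: letters, digits, space and '()+,-./:=? */
static int is_printable(unsigned long c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') ||
           (c != 0 && c < 0x80 && strchr(" '()+,-./:=?", (int)c) != NULL);
}

/* Narrowest string type for text whose charset was declared up front. */
enum asn1_kind demote(enum charset cs, const unsigned char *s, size_t n,
                      size_t *nchars)
{
    enum asn1_kind k = K_PRINTABLE;
    unsigned long cp;
    size_t used;
    for (*nchars = 0; n > 0; s += used, n -= used, (*nchars)++) {
        if ((used = next_cp(cs, s, n, &cp)) == 0) return K_BAD;
        if (cp >= 0x80) k = K_UNICODE;
        else if (!is_printable(cp) && k == K_PRINTABLE) k = K_IA5;
    }
    return k;
}
```

For the constructed bytes 43 61 66 C3 A9, `demote` counts four characters under `CS_UTF8` and five under `CS_LATIN1`, so the same bytes yield different text and only the declaration settles which one is encoded.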