On Thu, Nov 19, 2009, Shaw Graham George wrote: > Hi, > > I have a requirement to make some test keys/certificates that contain > Unicode (Chinese) data in the Issuer and Subject fields. Print-out from > an example certificate using "openssl x509" is: > > Issuer: C=\x00C\x00N, > ST=\x00G\x00u\x00a\x00n\x00g\x00d\x00o\x00n\x00g, > L=\x00G\x00u\x00a\x00n\x00g\x00z\x00h\x00o\x00u, > O=\x00G\x00D\x00C\x00A\x00 > \x00C\x00e\x00r\x00t\x00i\x00f\x00i\x00c\x00a\x00t\x00e\x00 > \x00A\x00u\x00t\x00h\x00o\x00r\x00i\x00t\x00y > Subject: C=\x00C\x00N, ST=^\x7FN\x1Cw\x01, L=^\x7F]\xDE^\x02, > ... > > Is this at all possible using the openssl tool? From the manual pages > it seems that UTF-8 is supported, but not Unicode - for example the > config man page says that null characters in strings is not allowed. > > If not, then does anybody know of any other tools that I could use to > make my test keys/certificates. >
Characters are passed to OpenSSL using UTF8, then depending on the configuration options it gets translated into either a BMPString or a UTF8String. From an application point of view it shouldn't matter which (RFC3280 and later mandate UTF8Strings). OpenSSL will *NOT* however do what happens above with the C (Country) field. That is a two character code and only PrintableString (a restricted version of ASCII) characters are permitted. Doing anything else violates several standards. BTW if you pick appropriate values for the -nameopt option and if your terminal supports it you should be able to get that certificate to display correctly. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
