One major issue to consider when using UTF-16 encoding is that the string can be big-endian or little-endian. If you were to somehow generate a certificate using UTF-16 encoded strings, you would need to make sure that those certificates will only be used on machines that have the same architecture as the machine generating the certificate. Otherwise, the strings will be unreadable.
I would highly recommend just converting your UTF-16 strings into UTF-8 and using that in your certificate(s). It will save you a lot of headaches. Brant Thomsen -----Original Message----- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of mclellan_d...@emc.com Sent: Thursday, November 19, 2009 6:34 AM To: openssl-users@openssl.org Subject: RE: Creating a certificate with Unicode characters in Issuer and Subject UTF-8 *IS* perfectly valid Unicode -- it's one of the main Unicode encodings, and seems entirely appropriate for use in certs, although I personally have no knowledge of the support in OpenSSL or the X509 standard. UTF-8 is a variable length encoding where the valid UTF-8 characters are from 1 to 6 bytes in length. UTF-8 encodes the first 128 ASCII characters identically to 7-bit ASCII, and UTF-8 strings preserve the notion of a null-terminated character string, such that the zero byte terminates a UTF-8 string compatibly with ASCII null-terminated strings. So the warning that a null character is not allowed in a string really means it can't be embedded in the 'middle' of a string, since the null will be interpreted to *terminate* the string. This is NOT the case with UTF-16. individual bytes in UTF-16 encoding may certainly be zero, and they do NOT terminate a string. So it makes sense that UTF-16 would not be supported in the Issuer and Subject fields. But UTF-8 seems like an excellent fit to me. The trick is getting the native characters from the user converted to UTF-8 for storage in the certificate. Presumably the user enters the Issuer and Subject data in a GUI or at a command line in a shell that is using Big5 or GB-18030 character encoding. The application must convert the entered data into UTF-8 to pass to the cert creation process. There's a million ways to do that conversion (an excellent best tool is ICU). Fascinating. Good luck with it. I'd like to hear what your progress is +-+-+-+-+-+-+ Dave McLellan, Symmetrix Software EMC Corporation, 228 South St, Hopkinton MA Mail Stop LL/AA-24 office 508-249-1257, fax 508-544-2129 cell 978-500-2546, IM: mclellan_d...@yahoo.com +-+-+-+-+-+-+ -----Original Message----- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Shaw Graham George Sent: Thursday, November 19, 2009 8:08 AM To: openssl-users@openssl.org Subject: Creating a certificate with Unicode characters in Issuer and Subject Hi, I have a requirement to make some test keys/certificates that contain Unicode (Chinese) data in the Issuer and Subject fields. Print-out from an example certificate using "openssl x509" is: Issuer: C=\x00C\x00N, ST=\x00G\x00u\x00a\x00n\x00g\x00d\x00o\x00n\x00g, L=\x00G\x00u\x00a\x00n\x00g\x00z\x00h\x00o\x00u, O=\x00G\x00D\x00C\x00A\x00 \x00C\x00e\x00r\x00t\x00i\x00f\x00i\x00c\x00a\x00t\x00e\x00 \x00A\x00u\x00t\x00h\x00o\x00r\x00i\x00t\x00y Subject: C=\x00C\x00N, ST=^\x7FN\x1Cw\x01, L=^\x7F]\xDE^\x02, ... Is this at all possible using the openssl tool? From the manual pages it seems that UTF-8 is supported, but not Unicode - for example the config man page says that null characters in strings is not allowed. If not, then does anybody know of any other tools that I could use to make my test keys/certificates. Thanks in advance, George. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
