openssl x509 issue with utf8 issuer
jduprat opened this issue · 2 comments
jduprat commented
The attached certificate contains utf8 strings (though in fact only ascii-representable characters).
It can be printed properly by OpenSSL, but not by LibreSSL.
Works:
$ openssl version
OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)
$ openssl x509 -noout -text -nameopt utf8 -in TestCert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
cc:33:ce:4a:96:5b:f3:a5:b9:0e:6f:9d:9a:4f:66:86
Signature Algorithm: sha512WithRSAEncryption
Issuer: C=US, O=Test, CN=Test CA
Validity
Not Before: Apr 18 20:51:05 2023 GMT
Not After : Apr 14 20:51:05 2038 GMT
Subject: C=US, O=Test, CN=Test CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
<SNIP>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
80:15:59:5C:DE:4E:41:C0:7B:0A:F5:DE:98:52:6A:90:74:C7:29:03
X509v3 Authority Key Identifier:
80:15:59:5C:DE:4E:41:C0:7B:0A:F5:DE:98:52:6A:90:74:C7:29:03
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha512WithRSAEncryption
Signature Value:
<SNIP>
Broken:
$ src/libressl-3.7.2/apps/openssl/openssl x509 -noout -text -nameopt utf8 -in TestCert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
cc:33:ce:4a:96:5b:f3:a5:b9:0e:6f:9d:9a:4f:66:86
Signature Algorithm: sha512WithRSAEncryption
Issuer:<EOF>
Works:
$ src/libressl-3.7.2/apps/openssl/openssl x509 -noout -text -nameopt utf8,sep_multiline -in TestCert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
cc:33:ce:4a:96:5b:f3:a5:b9:0e:6f:9d:9a:4f:66:86
Signature Algorithm: sha512WithRSAEncryption
Issuer:
C=US
O=Test
CN=Test CA
Validity
Not Before: Apr 18 20:51:05 2023 GMT
Not After : Apr 14 20:51:05 2038 GMT
Subject:
C=US
O=Test
CN=Test CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
<SNIP>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
80:15:59:5C:DE:4E:41:C0:7B:0A:F5:DE:98:52:6A:90:74:C7:29:03
X509v3 Authority Key Identifier:
keyid:80:15:59:5C:DE:4E:41:C0:7B:0A:F5:DE:98:52:6A:90:74:C7:29:03
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha512WithRSAEncryption
<SNIP>
More concisely,
$ src/libressl-3.7.2/apps/openssl/openssl x509 -noout -nameopt utf8 -in TestCert.pem -issuer
issuer=<EOF>
$ src/libressl-3.7.2/apps/openssl/openssl x509 -noout -nameopt utf8,sep_multiline -in TestCert.pem -issuer
issuer=
C=US
O=Test
CN=Test CA
Note that the only utf8 bits in this cert are in the issuer (and subject, since it is self-signed); I'm not sure if this is more pervasive:
$ openssl asn1parse -in TestCert.pem | grep UTF8STRING
71:d=5 hl=2 l= 4 prim: UTF8STRING :Test
86:d=5 hl=2 l= 7 prim: UTF8STRING :Test CA
151:d=5 hl=2 l= 4 prim: UTF8STRING :Test
166:d=5 hl=2 l= 7 prim: UTF8STRING :Test CA
FWIW, zlint reports no issues with the certificate:
$ zlint --version
ZLint version v3.4.0-rc1-11-g997ad514
$ zlint -summary TestCert.pem
| LEVEL | # OCCURRENCES |
+-------+---------------+
| info | 0 |
| warn | 0 |
| error | 0 |
| fatal | 0 |
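As an added example (not code from the issue, OpenSSL or LibreSSL), here is the Name structure behind the truncated issuer line decoded by hand: the DER below is constructed to match the report's C=US, O=Test, CN=Test CA issuer with the UTF8STRING types asn1parse showed, and the 4-space indent in the multiline layout is an assumption modelled on OpenSSL's sep_multiline output.

```python
# Added example: a minimal DER parser for an X.509 Name that decodes
# PrintableString and UTF8String values and renders both layouts from the report.
SHORT_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O"}  # X.520 subset
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii"}  # UTF8/Printable/IA5

def read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_name(der):
    """Name ::= SEQUENCE OF (SET OF SEQUENCE { type OID, value }) -> [(short, str)]."""
    tag, body, _ = read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    rdns, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = read_tlv(body, pos)
        assert tag == 0x31, "RDN must be a SET"
        _, atv, _ = read_tlv(rdn, 0)  # single-valued RDNs only, as in the report
        _, oid, p = read_tlv(atv, 0)
        vtag, val, _ = read_tlv(atv, p)
        if vtag not in STRING_TAGS:
            raise ValueError("unsupported value tag 0x%02x" % vtag)
        oid_txt = decode_oid(oid)
        rdns.append((SHORT_NAMES.get(oid_txt, oid_txt), val.decode(STRING_TAGS[vtag])))
    return rdns

def format_name(rdns, multiline=False):
    """One line like '-nameopt utf8', or one indented RDN per line like 'sep_multiline'."""
    parts = ["%s=%s" % rdn for rdn in rdns]
    return "\n".join("    " + p for p in parts) if multiline else ", ".join(parts)

# Constructed DER for the report's issuer: C=US as PrintableString, O=Test and
# CN=Test CA as UTF8String (tag 0x0c), the same types asn1parse showed above.
ISSUER_DER = bytes.fromhex(
    "302e" "310b3009060355040613025553" "310d300b060355040a0c0454657374"
    "3110300e06035504030c0754657374204341")
```

Both layouts come from the same parsed RDN list, so a printer that emits one but not the other (as in the LibreSSL output above) is failing in the formatting step, not in the DER decoding.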
botovq commented
Thanks for the detailed report. The reason for the difference in behavior is this bug fix, which we don't have. We should probably pull a version of it in.
openssl/openssl@03706af
botovq commented
Fixed in libressl/openbsd@7a6c0cc