[gnutls-devel] Restrictions on tag types
Nikos Mavrogiannopoulos
nmav at gnutls.org
Sun Jun 1 19:48:28 CEST 2014
On Sun, 2014-06-01 at 12:44 +0200, Kurt Roeckx wrote:
> Hi,
>
> In lib/x509/common.c there is this:
> [...]
> ENTRY("2.5.4.6", "C", NULL, ASN1_ETYPE_PRINTABLE_STRING),
> ENTRY("2.5.4.9", "street", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID),
> ENTRY("2.5.4.12", "title", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID),
> ENTRY("2.5.4.10", "O", "PKIX1.DirectoryString", ASN1_ETYPE_INVALID),
> [...]
> I'm seeing certificates that encode the "C" with an UTF8String and
> not a PrintableString, which then result in getting an error that
> it has invalid DER.
It is invalid encoding as RFC5280 specifies:
X520countryName ::= PrintableString
How common are these certificates? Are they so widespread we would need
to add support for them?
> "C" can of course only contain a certain amount of characters. But
> I don't see why it shouldn't be allowed to encode this is whatever
> charset they want. Since they should use either PrintableString
> or UTF8String in a DN it makes sense to me that they would do
> everything in UTF8String even when not needed.
> Is there a good reason to only allow PrintableString?
We just follow the protocol :) The names that allow multiple encodings
are encoded as DirectoryString not as PrintableString.
regards,
Nikos
More information about the Gnutls-devel
mailing list