Search code examples
opensslssl-certificateasn.1

Is it possible to generate a certificate fully in BMPString encoding?

While creating certificates using openssl command, I'm using a custom config file like this:

prompt = no
distinguished_name = dn
req_extensions = ext
string_mask = pkix

[dn]
CN = распространенное имя
emailAddress = envek@envek.com
O = Организация
OU = SSL Test
L = Москва
C = RU

[ext]
subjectAltName = DNS:BMPString.com,DNS:*.BMPString.com

Now when I do asn1parse using this command:

openssl asn1parse -in bmp.crt -i -strparse 200

    0:d=0  hl=3 l= 243 cons: SEQUENCE
    3:d=1  hl=2 l=  87 cons:  SET
    5:d=2  hl=2 l=  85 cons:   SEQUENCE
    7:d=3  hl=2 l=   3 prim:    OBJECT            :commonName
   12:d=3  hl=2 l=  78 prim:    BMPSTRING
   92:d=1  hl=2 l=  30 cons:  SET
   94:d=2  hl=2 l=  28 cons:   SEQUENCE
   96:d=3  hl=2 l=   9 prim:    OBJECT            :emailAddress
  107:d=3  hl=2 l=  15 prim:    IA5STRING         :envek@envek.com
  124:d=1  hl=2 l=  53 cons:  SET
  126:d=2  hl=2 l=  51 cons:   SEQUENCE
  128:d=3  hl=2 l=   3 prim:    OBJECT            :organizationName
  133:d=3  hl=2 l=  44 prim:    BMPSTRING
  179:d=1  hl=2 l=  17 cons:  SET
  181:d=2  hl=2 l=  15 cons:   SEQUENCE
  183:d=3  hl=2 l=   3 prim:    OBJECT            :organizationalUnitName
  188:d=3  hl=2 l=   8 prim:    PRINTABLESTRING   :SSL Test
  198:d=1  hl=2 l=  33 cons:  SET
  200:d=2  hl=2 l=  31 cons:   SEQUENCE
  202:d=3  hl=2 l=   3 prim:    OBJECT            :localityName
  207:d=3  hl=2 l=  24 prim:    BMPSTRING
  233:d=1  hl=2 l=  11 cons:  SET
  235:d=2  hl=2 l=   9 cons:   SEQUENCE
  237:d=3  hl=2 l=   3 prim:    OBJECT            :countryName
  242:d=3  hl=2 l=   2 prim:    PRINTABLESTRING   :RU

CN, OrganizationName, LocalityName are all in BMPString but not OrganizationalUnitName.

I understand the logic as all characters come under the umbrella of PrintableString in OrganizationalUnitName and that's why it's been encoded in the same.

But I want to automatically encode "PrintableString" characters in BMPString, is that possible?

Edit 1: Changed "except" to "but not".

Edit 2: Removed Email from "CN, Email, OrganizationName, LocalityName are all in BMPString but not OrganizationalUnitName."

Solution

  • CN, Email, OrganizationName, LocalityName are all in BMPString except OrganizationalUnitName

    Minor: 'except' in English means a subtraction from what is stated previously or in general elsewhere; it's wrong to say 'X except Y' when Y is not included in X. What I belive you mean can properly be stated like "CN, email, Org, Locality are [all] in BMPString but not OrgUnit".

    Major: email is NOT in BMPString. See below.

    For attributes that are defined as DirectoryString in the standards, which depending on the version of ASN.1 is either a CHOICE type or a macro that expands to a CHOICE type, and is used by most of the attributes you have, configuring string_mask=MASK:0x800 forces them to BMPString.

    However, the standards require Country must be PrintableString and email must be IA5String; these are not defined as DirectoryString and are not allowed to be encoded as BMPString.

    I assume you realize that PKIX standards have prohibited BMPString for DN attributes for 18 years, so any software used on the Internet and maintained well enough to be safe to use today should reject your certs. That doesn't prevent you creating them, though.