From 5533e2533af88316226eed609913da52232d4103 Mon Sep 17 00:00:00 2001
From: "D.S. Ljungmark"
Date: Sat, 31 May 2014 13:18:41 +0200
Subject: [PATCH 1/3] Set the string-mask to utf8only
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If subject had utf-8 characters in them, the encoding chosen by OpenSSL for defaults T61. From the OpenSSL source code: * utf8only : only use UTF8Strings (RFC2459 recommendation for 2004). That was 10 years ago, and the last remnant that had problems with it was Netscape, which is no longer a problem. A request changes from: 13:d=5 hl=2 l= 3 prim: OBJECT :commonName 18:d=5 hl=2 l= 9 prim: T61STRING :Gurka ��� To: 13:d=5 hl=2 l= 3 prim: OBJECT :commonName 18:d=5 hl=2 l= 12 prim: UTF8STRING :Gurka åäö OpenSSL/test/test_crypto.py Update test DER data to have utf8string. ( \x0c instead of \0x13, PrintableString )
---
 OpenSSL/crypto.py | 3 +++
 OpenSSL/test/test_crypto.py | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/OpenSSL/crypto.py b/OpenSSL/crypto.py
index 50ff74fad..4999194d8 100644
--- a/OpenSSL/crypto.py
+++ b/OpenSSL/crypto.py
@@ -463,6 +463,9 @@ def __setattr__(self, name, value):
 if isinstance(value, _text_type):
 value = value.encode('utf-8')
+ # Make it so OpenSSL generates utf-8 strings.
+ _lib.ASN1_STRING_set_default_mask_asc(b'utf8only')
+
 add_result = _lib.X509_NAME_add_entry_by_NID(
 self._name, nid, _lib.MBSTRING_UTF8, value, -1, -1, 0)
 if not add_result:
diff --git a/OpenSSL/test/test_crypto.py b/OpenSSL/test/test_crypto.py
index f6f075154..73e9cc7ef 100644
--- a/OpenSSL/test/test_crypto.py
+++ b/OpenSSL/test/test_crypto.py
@@ -1003,7 +1003,7 @@ def test_der(self):
 self.assertEqual(
 a.der(),
 b('0\x1b1\x0b0\t\x06\x03U\x04\x06\x13\x02US'
- '1\x0c0\n\x06\x03U\x04\x03\x13\x03foo'))
+ '1\x0c0\n\x06\x03U\x04\x03\x0c\x03foo'))
 def test_get_components(self):
From 349e1361c99af7b7e0b159f0df9d04949f8b0698 Mon Sep 17 00:00:00 2001
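Review bot: The changed expectation in test_der (OpenSSL/test/test_crypto.py, patch 1/3) still covers only the ASCII commonName `foo`, so the case the commit message describes, a non-ASCII subject that was previously emitted as T61STRING, is not under test. I would add an assertion on a name whose commonName contains non-ASCII characters and check that `der()` carries the `\x0c` (UTF8String) tag for it. The expected bytes also show countryName keeping tag `\x13`, so a comment such as `# commonName is now UTF8String (0x0c); countryName stays PrintableString (0x13)` above the literal would make the mixed tags read as intentional. test_der begins outside the hunk.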
From: "D.S. Ljungmark"
Date: Sat, 31 May 2014 18:40:38 +0200
Subject: [PATCH 2/3] Moving string mask to end of file to perform initialization at the same time as other code.
---
 OpenSSL/crypto.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/OpenSSL/crypto.py b/OpenSSL/crypto.py
index 4999194d8..c7bdabc0c 100644
--- a/OpenSSL/crypto.py
+++ b/OpenSSL/crypto.py
@@ -463,9 +463,6 @@ def __setattr__(self, name, value):
 if isinstance(value, _text_type):
 value = value.encode('utf-8')
- # Make it so OpenSSL generates utf-8 strings.
- _lib.ASN1_STRING_set_default_mask_asc(b'utf8only')
-
 add_result = _lib.X509_NAME_add_entry_by_NID(
 self._name, nid, _lib.MBSTRING_UTF8, value, -1, -1, 0)
 if not add_result:
@@ -2640,3 +2637,9 @@ def locking_function(mode, index, filename, line):
 # This is similar but exercised mainly by exception_from_error_queue. It calls
 # both ERR_load_crypto_strings() and ERR_load_SSL_strings().
 _lib.SSL_load_error_strings()
+
+
+
+# Set the default string mask to match OpenSSL upstream (since 2005) and
+# RFC5280 recommendations.
+_lib.ASN1_STRING_set_default_mask_asc(b'utf8only')
From fdca95d4ac133dcfe5d53e5564e61a2b48c7657e Mon Sep 17 00:00:00 2001
From: Paul Kehrer
Date: Wed, 15 Apr 2015 12:59:13 -0400
Subject: [PATCH 3/3] add changelog
---
 ChangeLog | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 5abdf38e4..61bfa5db4 100644
--- a/ChangeLog
+++ b/ChangeLog
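Review bot: The module-level `_lib.ASN1_STRING_set_default_mask_asc(b'utf8only')` added at the end of OpenSSL/crypto.py (patch 2/3) discards the return value and changes an OpenSSL default for the whole process as a side effect of importing the module. The call reports failure through its return value, so an unrecognised mask would silently leave the old T61String behaviour in place; a check such as `if _lib.ASN1_STRING_set_default_mask_asc(b'utf8only') != 1: raise RuntimeError('could not set ASN.1 string mask')` would surface that. The comment should also say the setting is global, e.g. `# Process-wide: applies to ASN.1 strings created by any code sharing this libcrypto, not only X509Name.`, since names in requests and certificates produced elsewhere in the process presumably change encoding too.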
@@ -1,4 +1,14 @@
-2011-09-02 Hynek Schlawack
+2015-04-15 Paul Kehrer
+
+ * OpenSSL/crypto.py, OpenSSL/test/test_crypto.py: Switch to utf8string
+ mask by default. OpenSSL formerly defaulted to a T61String if there
+ were UTF-8 characters present. This was changed to default to
+ UTF8String in the config around 2005, but the actual code didn't
+ change it until late last year. This will default us to the setting
+ that actually works. To revert this you can call
+ crypto._lib.ASN1_STRING_set_default_mask_asc(b"default")
+
+2015-04-14 Hynek Schlawack
 * Release 0.15.1