I have created a X.509 v3 client certificate using OpenSSL.
The CN and OU field contain UTF8 characters, in this case Thai
characters for testing purposes.
When I import this certificate into the Windows certificate store it
shows all fields correctly, ie I can actually see the Thai characters
I used.
However when I import the certificate into Firefox (3.04) and view the
certificate subject from Firefox (tools->options->advanced->view
certificates->view->details) then the UTF8 characters are not shown
correctly.
Serverside the certificate subject is interpreted correctly for
authentication purposes, when I use Firefox to go to a server to
authenticate against.
Does anybody know if there is a fix or perhaps an add-on for this,
since it appears to be a lack of UTF8 support in the browser.
For a screendump please refer to: http://www.vandersman.org/certstore.PNG
Thanks.
Kind regards,
Michael
> I have created a X.509 v3 client certificate using OpenSSL.
>
> The CN and OU field contain UTF8 characters, in this case Thai
> characters for testing purposes.
> [...] when I import the certificate into Firefox (3.04) and view the
> certificate subject from Firefox (tools->options->advanced->view
> certificates->view->details) then the UTF8 characters are not shown
> correctly.
> Does anybody know if there is a fix or perhaps an add-on for this,
> since it appears to be a lack of UTF8 support in the browser.
>
> For a screendump please refer to: http://www.vandersman.org/certstore.PNG
The screen shot shows 3 separate places in the cert viewer window where
the Thai characters are not displayed as one would expect. They are:
a) in the title bar
b) in the Certificate Hierarchy pane, and
c) in the Field Value pane for the Certificate Subject field
The first two of those problems were reported long ago in bug
https://bugzilla.mozilla.org/show_bug.cgi?id=234856
and have been known (and unfixed) for about 5 years now. (Sigh.)
Unfortunately, the component of Mozilla that does GUI display for
crypto/cert related aspects of Firefox is understaffed, and is certainly
underrepresented in this discussion group.
The third is something of a mystery to me, because it is not generally a
problem with other certs that have non-western characters in them.
I have certs with Chinese and Turkish characters in in their CN and O
fields, and they display correctly in the Field Value pane. So, I wonder
if this problem is a problem with the rendering of Thai characters, or
if it is perhaps a peculiarity with your system.
I suggest you file a bug about the problem of Thai characters not
displaying the Field Value pane of the cert manager. File it in bugzilla
using bug 234856 as a guide. Attach a copy of the binary DER cert to the
bug. Please put my email address on the CC list for that bug.
Are those fields encoded with UTF8String as they should be? Can you send a URL pointing to the cert to this list?
>
> Are those fields encoded with UTF8String as they should be? Can you send a URL pointing to the cert to this list?
Thanks for the super quick response. I got the details on my company
PC and will file the bug report and add the Cert as well as the other
details coming Monday afternoon.
Exactly, that's the crucial question. Chances are very high that the CN
and OU attributes are encoded as TeletexStrings/T61Strings - which means
that this is probably another manifestation of
https://bugzilla.mozilla.org/show_bug.cgi?id=458745.
Michael, try adding
string_mask = MASK:0x2002
to your OpenSSL config file and recreate the certificate - this will
most likely fix your problem for Firefox (with the exception of the
title bar display).
Kaspar
Interesting. The sequence าำ in the cert isn't valid thai. า is a vowel (roughly 'a' as in father) and ำ is a also a vowel (roughly 'om' as in 'Tom'), expecting a preceding consonant. They are usually written อา and อำ respectively. You can see that windows doesn't like this. It drops the อำ in the second display (probably because it was expecting a constant first). This almost certainly isn't the problem you are running into, but it would probably be a good idea to use an actual valid thai word once we identify the display problem.Initially I posted this on another support forum, but was kindly requested to post here instead: For a screendump please refer to: http://www.vandersman.org/certstore.PNG
Thanks. Kind regards, Michael _______________________________________________ dev-tech-crypto mailing list dev-tec...@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
The required CA chain can be found here:
www.boraxx.nl/Mozilla/ChainUCAcert.pem
The CN and OU attributes in that cert, which (as I understand it) you
have said are UTF8 strings, are not encoded as UTF8 strings. That is,
the DER encoding in the certificate does not say they are UTF8 strings.
It says they are Teletex strings. This is an improper encoding for
UTF8 strings.
They do indeed appear to be UTF8 strings. The two strings are identical,
each containing 4 UTF8 characters, each of which occupies 3 bytes.
Nelson B Bolyard-2 wrote:
>
> mic...@vandersman.org wrote, On 2008-12-09 01:55:
> Just uploaded the certificate in DER and PEM file format.
> It can be found here:
> www.boraxx.nl/Mozilla/Thai.der
> www.boraxx.nl/Mozilla/Thai.crt
>
To generate cert with UTF8 attrs from cmd line (openssl(1)):
- set "string_mask = MASK:0x2002" in openssl.cnf
- add "-utf8" flag in "openssl req" when generating cert request
To generate cert with UTF8 attrs programmatically (ssl(3)):
- use MBSTRING_UTF8 encoding in
X509_NAME_ENTRY_create_by_NID/X509_NAME_add_entry_by_NID and the friends
To check that the attrs of the resulted cert have correct encoding
# openssl asn1parse -in <yourcert>
-----
-- Andrei Korostelev
--
View this message in context: http://www.nabble.com/UTF8-support-in-the-Firefox-certificate-store--tp20870628p21541907.html
Sent from the Mozilla - Cryptography mailing list archive at Nabble.com.