Univention Bugzilla – Bug 30722
Broken handling of Umlauts in SSL certificates
Last modified: 2013-11-19 06:41:36 CET
It's not yet clear where this problem comes from, but it might be a system setup issue.

+++ This bug was initially created as a clone of Bug #30461 +++

....

Also notice that the city of u"Gießen" is displayed as "Gie\xC3\x9Fen":

>>> print repr("Gie\xC3\x9Fen".decode('utf-8'))
u'Gie\xdfen'
mkdir /root/ssl
cd /root/ssl
# The quoted delimiter keeps $dir literal, so OpenSSL expands it, not the shell.
cat >openssl.cnf <<'__SSL__'
dir = /root/ssl

[ ca ]
default_ca = testca

[ testca ]
certs = $dir/certs
crl_dir = $dir/crls
database = $dir/index.txt
new_certs_dir = $dir/certs
certificate = $dir/certs/ca.pem
serial = $dir/serial
crl = $dir/crl/crl.pem
private_key = $dir/private/ca.key
RANDFILE = $dir/private/.rand
x509_extensions = usr_cert
default_days = 365
default_crl_days= 30
default_md = sha1
preserve = no
policy = mypolicy
x509_extensions = certificate_extensions
string_mask = utf8only

[ mypolicy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = optional

[ certificate_extensions ]
basicConstraints = CA:false

[ req ]
default_keyfile = $dir/private/ca.key
default_md = sha1
prompt = no
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
string_mask = utf8only
basicConstraints = CA:true
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions

[ root_ca_distinguished_name ]
countryName = DE
stateOrProvinceName = Hesse
localityName = Gießen
emailAddress = certs@example.com
organizationName = Umlauttest
commonName = My Personal CA

[ root_ca_extensions ]
basicConstraints = CA:true
__SSL__
mkdir certs private crl
echo "01" > serial
touch index.txt
# Create the self-signed CA certificate; -utf8 reads the subject fields as UTF-8.
openssl req -config openssl.cnf -x509 -nodes -days 3650 -newkey rsa:2048 -out certs/ca.pem -outform PEM -keyout private/ca.key -utf8
# Print the subject without escaping bytes that have the high bit set.
openssl x509 -noout -subject -in certs/ca.pem -nameopt oneline,-esc_msb
subject= C = DE, ST = Hesse, L = Gießen, emailAddress = certs@example.com, O = Umlauttest, CN = My Personal CA

See
<https://www.openssl.org/docs/apps/x509.html#NAME_OPTIONS>
<http://linux.die.net/man/3/x509_name_print_ex>

... As noted on the asn1_string_print_ex(3) manual page, for UTF8 terminals the ASN1_STRFLGS_ESC_MSB should be unset ...
# python
from M2Crypto import X509

# load_cert() expects a file name
x509 = X509.load_cert('certs/ca.pem', format=X509.FORMAT_PEM)
subj = x509.get_subject()

# oneline layout without escaping bytes that have the high bit set
flags = X509.m2.XN_FLAG_ONELINE & ~X509.m2.ASN1_STRFLGS_ESC_MSB
print subj.as_text(flags=flags).decode('utf8')
# C = DE, ST = Hesse, L = Gießen, emailAddress=..., O=..., CN=...

# multiline layout, converted to UTF-8 and likewise unescaped
flags = X509.m2.XN_FLAG_SEP_MULTILINE & ~X509.m2.ASN1_STRFLGS_ESC_MSB | X509.m2.ASN1_STRFLGS_UTF8_CONVERT
print subj.as_text(flags=flags).decode('utf8').split(u'\n')[2]
# L=Gießen
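Added example (not part of the bug report and not Univention's code): Python 3, unlike the Python 2 snippets above, that turns the "\xHH"-escaped display form quoted in the description back into text and leaves the escapes in place when the bytes are not valid UTF-8. The function names and the sample subject line are assumptions made for this illustration.

```python
import re

# One or more consecutive "\xHH" escapes, the form shown in the bug description.
_ESC_RUN = re.compile(r'(?:\\x[0-9A-Fa-f]{2})+')


def _decode_run(match):
    """Turn one run of \\xHH escapes back into text if it is valid UTF-8."""
    raw = bytes.fromhex(match.group(0).replace('\\x', ''))
    try:
        return raw.decode('utf-8')
    except UnicodeDecodeError:
        # Not UTF-8 (for example a single Latin-1 byte): keep the escapes
        # visible instead of guessing an encoding and showing a wrong character.
        return match.group(0)


def unescape_name(text):
    """Undo \\xHH escaping of high-bit bytes in a displayed subject name."""
    return _ESC_RUN.sub(_decode_run, text)


def parse_oneline(subject):
    """Split 'K = V, K = V' into (key, value) pairs with values unescaped.

    Assumes no value contains ', ' itself, which holds for the sample below.
    """
    pairs = []
    for part in subject.split(', '):
        key, _, value = part.partition(' = ')
        pairs.append((key.strip(), unescape_name(value.strip())))
    return pairs


# Constructed sample, modelled on the subject line in this report.
SAMPLE = (r'C = DE, ST = Hesse, L = Gie\xC3\x9Fen, '
          r'O = Umlauttest, CN = My Personal CA')

if __name__ == '__main__':
    for key, value in parse_oneline(SAMPLE):
        print('%s=%s' % (key, value))
```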
Created attachment 5136 [details]
13 cleanups and fixes

$ diffstat -p5 ~/BUG/30722_umlaut-cert.diff
 univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py |  634 ++++------
 univention-directory-manager-modules/modules/univention/admin/password.py            |   54
 univention-directory-manager-modules/modules/univention/admin/syntax.py              |   20
 univention-management-console-module-udm/umc/python/udm/__init__.py                  |   19
 4 files changed, 310 insertions(+), 417 deletions(-)

fffb75c Bug #30722: Fix certificate handling
7c131d6 Bug #25279: Code cleanup
75b3608 Bug #25279: Remove getbytes()
1ced12a Bug #25279: Simplify hex decode/encode
c482f36 Bug #25279: Cleanup password function
743c09b Bug #25279: simplify __getPwHistory
4c2ac16 Bug #28496: Simplify samba-logonhour
e58ef69 Bug #25279: Simplify list comprehension
6c43e26 Bug #25279: Simplify string handling
b8b97f3 Bug #25279: Shorten univention.debug
28249c1 Bug #25279: remove obsolete function
72e804a Bug #25279: Fix regression test
ffcd4f7 Bug #25279: Change pwExpiry unset
(In reply to Philipp Hahn from comment #2)
> Created attachment 5136 [details]
> 13 cleanups and fixes
>
> $ diffstat -p5 ~/BUG/30722_umlaut-cert.diff

Please apply only the relevant part of the patch. Everything else should be split into separate bugs.
r43982 | Bug #30722: Fix umlaut handling in certificates
univention-directory-manager-modules_9.0.29-1.1072.201309130937

ChangeLog: r43993
Umlauts in certificates are now imported and shown correctly

For testing:
1. Set up a new VM; configure the SSL-CA to contain umlauts.
2. Convert /etc/univention/ssl/`hostname`/cert.pem to DER:
   openssl x509 -inform pem -in /etc/univention/ssl/`hostname`/cert.pem -outform der -out /tmp/cert.der
3. Create new user: select umc/user/option/certificate and import /tmp/cert.der in umc/user/extended/certificat
ok: umlauts are shown correctly now.
ok: changelog 3.2
UCS 3.2 has been released:
http://docs.univention.de/release-notes-3.2-en.html
http://docs.univention.de/release-notes-3.2-de.html

If this error occurs again, please use "Clone This Bug".