Bug 30722 - Broken handling of Umlauts in SSL certificates
Broken handling of Umlauts in SSL certificates
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: System setup
UCS 3.1
Other Linux
: P5 normal (vote)
: UCS 3.2
Assigned To: Philipp Hahn
Lukas Walter
: interim-2
Depends on:
Blocks: 32583
  Show dependency treegraph
 
Reported: 2013-03-08 13:12 CET by Lukas Walter
Modified: 2013-11-19 06:41 CET (History)
4 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional): Cleanup, Internationalization
Max CVSS v3 score:
hahn: Patch_Available+


Attachments
13 cleanups and fixes (70.47 KB, patch)
2013-03-18 09:38 CET, Philipp Hahn
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Lukas Walter univentionstaff 2013-03-08 13:12:43 CET
It's not yet clear where this problem comes from, but it might be a system setup issue.

+++ This bug was initially created as a clone of Bug #30461 +++

....

Also notice that the city of u"Gießen" is displayed as "Gie\xC3\x9Fen":
>>> print repr("Gie\xC3\x9Fen".decode('utf-8'))
u'Gie\xdfen'
Comment 1 Philipp Hahn univentionstaff 2013-03-12 16:28:26 CET
mkdir /root/ssl
cd /root/ssl
cat >openssl.cnf <<__SSL__
dir = /root/ssl
[ ca ]
default_ca      = testca
[ testca ]
certs = $dir/certs
crl_dir = $dir/crls
database = $dir/index.txt
new_certs_dir = $dir/certs
certificate = $dir/certs/ca.pem
serial = $dir/serial
crl = $dir/crl/crl.pem
private_key = $dir/private/ca.key
RANDFILE = $dir/private/.rand
x509_extensions = usr_cert
default_days = 365
default_crl_days= 30
default_md = sha1
preserve = no
policy = mypolicy
x509_extensions = certificate_extensions
string_mask = utf8only
[ mypolicy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = optional
[ certificate_extensions ]
basicConstraints = CA:false
[ req ]
default_keyfile = $dir/private/ca.key
default_md = sha1
prompt = no
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
string_mask = utf8only
basicConstraints = CA:true
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
[ root_ca_distinguished_name ]
countryName = DE
stateOrProvinceName = Hesse
localityName = Gießen
emailAddress = certs@example.com
organizationName = Umlauttest
commonName = My Personal CA
[ root_ca_extensions ]
basicConstraints = CA:true
__SSL__
mkdir certs private crl
echo "01" > serial
touch index.txt
openssl req -config openssl.cnf -x509 -nodes -days 3650 -newkey rsa:2048 -out certs/ca.pem -outform PEM -keyout private/ca.key -utf8
openssl x509 -noout -subject -in certs/ca.pem -nameopt oneline,-esc_msb

subject= C = DE, ST = Hesse, L = Gießen, emailAddress = certs@example.com, O = Umlauttest, CN = My Personal CA


See
<https://www.openssl.org/docs/apps/x509.html#NAME_OPTIONS>
<http://linux.die.net/man/3/x509_name_print_ex>
... As noted on the asn1_string_print_ex(3) manual page for UTF8 terminals the ASN1_STRFLGS_ESC_MSB should be unset ...


# python
import x509
x509 = X509.load_cert(open('certs/ca.pem', 'r'), format=X509.FORMAT_PEM)
subj = x509.get_subject()
flags = X509.m2.XN_FLAG_ONELINE & ~X509.m2.ASN1_STRFLGS_ESC_MSB
print subj.as_text(flags=flags).decode('utf8')
# C = DE, ST = Hesse, L = Gießen, emailAddress=..., O=..., CN=...
flags = X509.m2.XN_FLAG_SEP_MULTILINE & ~X509.m2.ASN1_STRFLGS_ESC_MSB | X509.m2.ASN1_STRFLGS_UTF8_CONVERT
print s.as_text(flags=flags).decode('utf8').split(u'\n')[2]
# L=Gießen
Comment 2 Philipp Hahn univentionstaff 2013-03-18 09:38:55 CET
Created attachment 5136 [details]
13 cleanups and fixes

$ diffstat -p5 ~/BUG/30722_umlaut-cert.diff
 univention-directory-manager-modules/modules/univention/admin/handlers/users/user.py |  634 ++++------
 univention-directory-manager-modules/modules/univention/admin/password.py            |   54 
 univention-directory-manager-modules/modules/univention/admin/syntax.py              |   20 
 univention-management-console-module-udm/umc/python/udm/__init__.py                  |   19 
 4 files changed, 310 insertions(+), 417 deletions(-)

fffb75c Bug #30722: Fix certificate handling
7c131d6 Bug #25279: Code cleanup
75b3608 Bug #25279: Remove getbytes()
1ced12a Bug #25279: Simplify hex decode/encode
c482f36 Bug #25279: Cleanup password function
743c09b Bug #25279: simplify __getPwHistory
4c2ac16 Bug #28496: Simplify samba-logonhour
e58ef69 Bug #25279: Simplify list comprehension
6c43e26 Bug #25279: Simplify string handling
b8b97f3 Bug #25279: Shorten univention.debug
28249c1 Bug #25279: remove obsolete function
72e804a Bug #25279: Fix regression test
ffcd4f7 Bug #25279: Change pwExpiry unset
Comment 3 Stefan Gohmann univentionstaff 2013-09-12 14:00:38 CEST
(In reply to Philipp Hahn from comment #2)
> Created attachment 5136 [details]
> 13 cleanups and fixes
> 
> $ diffstat -p5 ~/BUG/30722_umlaut-cert.diff

Please apply only the relevant part of the patch. Everything else should be split into separate bugs.
Comment 4 Philipp Hahn univentionstaff 2013-09-13 09:55:05 CEST
r43982 | Bug #30722: Fix umlaut handling in certificates
univention-directory-manager-modules_9.0.29-1.1072.201309130937

ChangeLog: r43993
Umlauts in certificates are now imported and shown correctly

For testing:
1. setup a new VM; Configure the SSL-CA do contain umlauts.
2. Convert /etc/univention/ssl/`hostname`/cert.pem to DER:
  openssl x509 -inform perm -in /etc/univention/ssl/`hostname`/cert.pem -outform der -out /tmp/cert.der
3. Create new user: select umc/user/option/certificate and import /tmp/cert.der in umc/user/extended/certificat
Comment 5 Lukas Walter univentionstaff 2013-09-18 11:31:17 CEST
ok: umlauts are shown correctly now.
ok: changelog 3.2
Comment 6 Stefan Gohmann univentionstaff 2013-11-19 06:41:36 CET
UCS 3.2 has been released:
 http://docs.univention.de/release-notes-3.2-en.html
 http://docs.univention.de/release-notes-3.2-de.html

If this error occurs again, please use "Clone This Bug".