From 8e88d562064821bbb30e831906e1feed11016389 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Tue, 30 Apr 2024 16:46:34 +0200
Subject: [PATCH] x509: Encode challenge passwords as PrintableString if possible

As recommended by RFC 2985, section 5.4.1:

ChallengePassword attribute values generated in accordance with this version of this document SHOULD use the PrintableString encoding whenever possible. If internationalization issues make this impossible, the UTF8String alternative SHOULD be used.

Even though the RFC continues with

PKCS #9-attribute processing systems MUST be able to recognize and process all string types in DirectoryString values.

there might be older SCEP server implementations that don't accept UTF8String-encoded passwords. In particular because previous versions of PKCS#9 defined this attribute's type as a CHOICE between PrintableString and T61String.

References strongswan/strongswan#1831
---
 src/libstrongswan/plugins/x509/x509_pkcs10.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/libstrongswan/plugins/x509/x509_pkcs10.c b/src/libstrongswan/plugins/x509/x509_pkcs10.c
index d3e6104ae1..f3c71df415 100644
--- a/src/libstrongswan/plugins/x509/x509_pkcs10.c
+++ b/src/libstrongswan/plugins/x509/x509_pkcs10.c
@@ -350,10 +350,13 @@ static bool generate(private_x509_pkcs10_t *cert, private_key_t *sign_key,
 /* encode challengePassword attribute */
 if (cert->challengePassword.len > 0)
 {
+ asn1_t type = asn1_is_printablestring(cert->challengePassword) ?
+ ASN1_PRINTABLESTRING : ASN1_UTF8STRING;
+
 challengePassword = asn1_wrap(ASN1_SEQUENCE, "mm",
 asn1_build_known_oid(OID_CHALLENGE_PASSWORD),
 asn1_wrap(ASN1_SET, "m",
- asn1_simple_object(ASN1_UTF8STRING, cert->challengePassword)
+ asn1_simple_object(type, cert->challengePassword)
 ));
 }
-- 
2.39.2
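Review bot: The PrintableString-versus-UTF8String choice on the new `asn1_t type = asn1_is_printablestring(...) ? ASN1_PRINTABLESTRING : ASN1_UTF8STRING;` lines carries no comment in the code, so the reason for preferring the narrower encoding lives only in this commit message. A short comment above the declaration, e.g. `/* RFC 2985, 5.4.1: prefer PrintableString; some SCEP servers reject UTF8String */`, would stop a later reader from collapsing it back to a plain ASN1_UTF8STRING and reintroducing the interoperability problem this change fixes. The fallback branch labels any non-printable chunk as UTF8String without, as far as this hunk shows, checking that the bytes are valid UTF-8; that appears to be pre-existing behaviour rather than something introduced here, but it is worth a note if asn1_is_printablestring() is the only validation applied. generate() both starts and ends outside this hunk.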