As recommended by RFC 2985, section 5.4.1:

    ChallengePassword attribute values generated in accordance with this
    version of this document SHOULD use the PrintableString encoding
    whenever possible. If internationalization issues make this
    impossible, the UTF8String alternative SHOULD be used.

Even though the RFC continues with

    PKCS #9-attribute processing systems MUST be able to recognize and
    process all string types in DirectoryString values.

there might be older SCEP server implementations that don't accept
UTF8String-encoded passwords, in particular because previous versions of
PKCS#9 defined this attribute's type as a CHOICE between PrintableString
and T61String.
References strongswan/strongswan#1831
/* encode challengePassword attribute */
if (cert->challengePassword.len > 0)
{
+ asn1_t type = asn1_is_printablestring(cert->challengePassword) ?
+ ASN1_PRINTABLESTRING : ASN1_UTF8STRING;
+
challengePassword = asn1_wrap(ASN1_SEQUENCE, "mm",
asn1_build_known_oid(OID_CHALLENGE_PASSWORD),
asn1_wrap(ASN1_SET, "m",
- asn1_simple_object(ASN1_UTF8STRING, cert->challengePassword)
+ asn1_simple_object(type, cert->challengePassword)
));
}
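Review bot: the rationale for choosing between ASN1_PRINTABLESTRING and ASN1_UTF8STRING lives only in the commit message; the code comment above the block still reads `/* encode challengePassword attribute */`, so a future reader may see the ternary as an arbitrary choice and simplify it back to a fixed ASN1_UTF8STRING, reintroducing the interoperability problem with older SCEP servers. Suggest extending the comment at the top of the block to something like `/* encode challengePassword attribute, preferring PrintableString as recommended by RFC 2985, section 5.4.1 (older SCEP servers may reject UTF8String) */`. The logic itself is sound: the `len > 0` guard already ensures asn1_is_printablestring() is only evaluated on a non-empty password, and falling back to UTF8String whenever the value contains characters outside the PrintableString set matches the SHOULD in the RFC.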