From: Tomas Mraz <tomas@openssl.org>
Date: Tue, 17 Mar 2026 11:37:11 +0000 (+0100)
Subject: ca.c: Partially revert incorrect simplification of string check
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8911fedcda3075bdcd172fb9f6f1425b87b58bdf;p=thirdparty%2Fopenssl.git

ca.c: Partially revert incorrect simplification of string check

Fixes 25c2ada89
Fixes Coverity 1688667

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Mar 18 13:32:01 2026
(Merged from https://github.com/openssl/openssl/pull/30460)
---

diff --git a/apps/ca.c b/apps/ca.c
index 208d22286d0..d167b21d433 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1522,14 +1522,16 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
                 "\nemailAddress type needs to be of type IA5STRING\n");
             goto end;
         }
-        j = ASN1_PRINTABLE_type(ASN1_STRING_get0_data(str),
-            ASN1_STRING_length(str));
-        if ((type == V_ASN1_T61STRING && j != V_ASN1_T61STRING)
-            || (type == V_ASN1_IA5STRING && type == V_ASN1_PRINTABLESTRING)) {
-            BIO_puts(bio_err,
-                "\nThe string contains characters that are illegal for the"
-                " ASN.1 type\n");
-            goto end;
+        if (type != V_ASN1_BMPSTRING && type != V_ASN1_UTF8STRING) {
+            j = ASN1_PRINTABLE_type(ASN1_STRING_get0_data(str),
+                ASN1_STRING_length(str));
+            if ((j == V_ASN1_T61STRING && type != V_ASN1_T61STRING)
+                || (j == V_ASN1_IA5STRING && type == V_ASN1_PRINTABLESTRING)) {
+                BIO_puts(bio_err,
+                    "\nThe string contains characters that are illegal for the"
+                    " ASN.1 type\n");
+                goto end;
+            }
         }
 
         if (default_op)