ca.c: Partially revert incorrect simplification of string check

Fixes 25c2ada89
Fixes Coverity 1688667

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Wed Mar 18 13:32:01 2026
(Merged from https://github.com/openssl/openssl/pull/30460)

diff --git a/apps/ca.c b/apps/ca.c
index 208d22286d0bb5a749f319eacee6360d90c97da1..d167b21d433b973c408ada8f7c027543ec482a63 100644 (file)
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1522,14 +1522,16 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
                 "\nemailAddress type needs to be of type IA5STRING\n");
             goto end;
         }
-        j = ASN1_PRINTABLE_type(ASN1_STRING_get0_data(str),
-            ASN1_STRING_length(str));
-        if ((type == V_ASN1_T61STRING && j != V_ASN1_T61STRING)
-            || (type == V_ASN1_IA5STRING && type == V_ASN1_PRINTABLESTRING)) {
-            BIO_puts(bio_err,
-                "\nThe string contains characters that are illegal for the"
-                " ASN.1 type\n");
-            goto end;
+        if (type != V_ASN1_BMPSTRING && type != V_ASN1_UTF8STRING) {
+            j = ASN1_PRINTABLE_type(ASN1_STRING_get0_data(str),
+                ASN1_STRING_length(str));
+            if ((j == V_ASN1_T61STRING && type != V_ASN1_T61STRING)
+                || (j == V_ASN1_IA5STRING && type == V_ASN1_PRINTABLESTRING)) {
+                BIO_puts(bio_err,
+                    "\nThe string contains characters that are illegal for the"
+                    " ASN.1 type\n");
+                goto end;
+            }
         }
 
         if (default_op)