UTF8 support in the Firefox certificate store?

Initially I posted this on another support forum, but was kindly
requested to post here instead:

I have created an X.509 v3 client certificate using OpenSSL.

The CN and OU fields contain UTF8 characters, in this case Thai
characters for testing purposes.

When I import this certificate into the Windows certificate store it
shows all fields correctly, i.e. I can actually see the Thai characters
I used.

However when I import the certificate into Firefox (3.04) and view the
certificate subject from Firefox (tools->options->advanced->view
certificates->view->details) then the UTF8 characters are not shown
correctly.

Serverside the certificate subject is interpreted correctly for
authentication purposes, when I use Firefox to go to a server to
authenticate against.

Does anybody know if there is a fix or perhaps an add-on for this,
since it appears to be a lack of UTF8 support in the browser.

For a screendump please refer to: http://www.vandersman.org/certstore.PNG

Thanks.

Kind regards,

Michael

0
michael
12/6/2008 2:13:45 PM

michael@vandersman.org wrote, On 2008-12-06 06:13 PST:

> I have created a X.509 v3 client certificate using OpenSSL.
> 
> The CN and OU field contain UTF8 characters, in this case Thai
> characters for testing purposes.

> [...] when I import the certificate into Firefox (3.04) and view the
> certificate subject from Firefox (tools->options->advanced->view
> certificates->view->details) then the UTF8 characters are not shown
> correctly.

> Does anybody know if there is a fix or perhaps an add-on for this,
> since it appears to be a lack of UTF8 support in the browser.
> 
> For a screendump please refer to: http://www.vandersman.org/certstore.PNG

The screen shot shows 3 separate places in the cert viewer window where
the Thai characters are not displayed as one would expect.  They are:
a) in the title bar
b) in the Certificate Hierarchy pane, and
c) in the Field Value pane for the Certificate Subject field

The first two of those problems were reported long ago in bug
https://bugzilla.mozilla.org/show_bug.cgi?id=234856
and have been known (and unfixed) for about 5 years now.   (Sigh.)
Unfortunately, the component of Mozilla that does GUI display for
crypto/cert related aspects of Firefox is understaffed, and is certainly
underrepresented in this discussion group.

The third is something of a mystery to me, because it is not generally a
problem with other certs that have non-western characters in them.
I have certs with Chinese and Turkish characters in their CN and O
fields, and they display correctly in the Field Value pane.  So, I wonder
if this problem is a problem with the rendering of Thai characters, or
if it is perhaps a peculiarity with your system.

I suggest you file a bug about the problem of Thai characters not
displaying in the Field Value pane of the cert manager.  File it in bugzilla
using bug 234856 as a guide.  Attach a copy of the binary DER cert to the
bug.  Please put my email address on the CC list for that bug.
0
Nelson
12/6/2008 3:21:15 PM
At 6:13 AM -0800 12/6/08, michael@vandersman.org wrote:
>Initially I posted this on another support forum, but was kindly
>requested to post here instead:
>
>I have created a X.509 v3 client certificate using OpenSSL.
>
>The CN and OU field contain UTF8 characters, in this case Thai
>characters for testing purposes.

Are those fields encoded with UTF8String as they should be? Can you send a URL pointing to the cert to this list?

0
Paul
12/6/2008 3:30:47 PM
>
> Attach a copy of the binary DER cert to the bug.  Please put my email address on the CC list for that bug.

>
> Are those fields encoded with UTF8String as they should be? Can you send a URL pointing to the cert to this list?


Thanks for the super quick response. I got the details on my company
PC and will file the bug report and add the Cert as well as the other
details coming Monday afternoon.
0
michael
12/6/2008 4:47:06 PM
Paul Hoffman wrote:
>> I have created a X.509 v3 client certificate using OpenSSL.
>> 
>> The CN and OU field contain UTF8 characters, in this case Thai 
>> characters for testing purposes.
> 
> Are those fields encoded with UTF8String as they should be?

Exactly, that's the crucial question. Chances are very high that the CN
and OU attributes are encoded as TeletexStrings/T61Strings - which means
that this is probably another manifestation of
https://bugzilla.mozilla.org/show_bug.cgi?id=458745.

Michael, try adding

  string_mask = MASK:0x2002

to your OpenSSL config file and recreate the certificate - this will
most likely fix your problem for Firefox (with the exception of the
title bar display).

Kaspar
0
Kaspar
12/7/2008 9:36:20 AM
michael@vandersman.org wrote:
> Initially I posted this on another support forum, but was kindly
> requested to post here instead:
>
>
> For a screendump please refer to: http://www.vandersman.org/certstore.PNG
>   
Interesting. The sequence าำ in the cert isn't valid Thai. า is a vowel
(roughly 'a' as in father) and ำ is also a vowel (roughly 'om' as in
'Tom'), expecting a preceding consonant. They are usually written อา and
อำ respectively. You can see that Windows doesn't like this. It drops
the อำ in the second display (probably because it was expecting a
consonant first). This almost certainly isn't the problem you are running
into, but it would probably be a good idea to use an actual valid Thai
word once we identify the display problem.

ประกาศนียบัตร is the word for Certificate (well according to
http://www.lingvozone.com/LingvoSoft-Online-English-Thai-Dictionary).

bob
> Thanks.
>
> Kind regards,
>
> Michael
>
0
Robert
12/9/2008 12:17:11 AM
Just uploaded the certificate in DER and PEM file format.
It can be found here:
www.boraxx.nl/Mozilla/Thai.der
www.boraxx.nl/Mozilla/Thai.crt

The required CA chain can be found here:
www.boraxx.nl/Mozilla/ChainUCAcert.pem
0
michael
12/9/2008 9:55:31 AM
michael@vandersman.org wrote, On 2008-12-09 01:55:
> Just uploaded the certificate in DER and PEM file format.
> It can be found here:
> www.boraxx.nl/Mozilla/Thai.der
> www.boraxx.nl/Mozilla/Thai.crt

The CN and OU attributes in that cert, which (as I understand it) you
have said are UTF8 strings, are not encoded as UTF8 strings.  That is,
the DER encoding in the certificate does not say they are UTF8 strings.
It says they are Teletex strings.  This is an improper encoding for
UTF8 strings.

They do indeed appear to be UTF8 strings.  The two strings are identical,
each containing 4 UTF8 characters, each of which occupies 3 bytes.
0
Nelson
12/9/2008 6:18:37 PM

Nelson B Bolyard-2 wrote:
> 
> michael@vandersman.org wrote, On 2008-12-09 01:55:
> Just uploaded the certificate in DER and PEM file format.
> It can be found here:
> www.boraxx.nl/Mozilla/Thai.der
> www.boraxx.nl/Mozilla/Thai.crt
> 

To generate a cert with UTF8 attrs from the cmd line (openssl(1)):
- set "string_mask = MASK:0x2002" in openssl.cnf
- add the "-utf8" flag to "openssl req" when generating the cert request

To generate a cert with UTF8 attrs programmatically (ssl(3)):
- use MBSTRING_UTF8 encoding in
X509_NAME_ENTRY_create_by_NID/X509_NAME_add_entry_by_NID and friends

To check that the attrs of the resulting cert have the correct encoding:
# openssl asn1parse -in <yourcert>


-----
-- Andrei Korostelev

0
Andrei
1/19/2009 12:19:26 PM
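
The encoding check discussed in Nelson's and Andrei's replies, as an added example (not code from the thread, NSS or OpenSSL): a small Python DER walker that reports the ASN.1 string type declared for each attribute of a subject Name and flags values whose bytes are UTF-8 but whose tag is not UTF8String. It takes the DER-encoded Name only, not a whole certificate; the helper names, the constructed sample value and the UTF-8 heuristic are assumptions made for illustration.

```python
# DER tags of the string types that can carry an X.509 name attribute value
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString",
               0x14: "TeletexString", 0x16: "IA5String", 0x1E: "BMPString"}
ATTR_OIDS = {bytes.fromhex("550403"): "CN", bytes.fromhex("55040b"): "OU"}
SAMPLE = "กขคง"  # constructed test value: 4 Thai characters, 3 UTF-8 bytes each

def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    items, pos = [], 0                       # (tag, value) pairs inside a constructed value
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        items.append((tag, val))
    return items

def audit_name(der_name):
    """Return (attr, declared_type, mis_tagged) for each attribute of a DER Name."""
    tag, rdns, _ = read_tlv(der_name)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    report = []
    for _, rdn in children(rdns):            # each RDN is a SET
        for _, atv in children(rdn):         # SEQUENCE { type OID, value }
            (_, oid), (stag, raw) = children(atv)[:2]
            try:                             # heuristic: non-ASCII bytes that parse as UTF-8
                is_utf8 = raw.decode("utf-8") != raw.decode("ascii", "ignore")
            except UnicodeDecodeError:
                is_utf8 = False
            report.append((ATTR_OIDS.get(oid, oid.hex()),
                           STRING_TAGS.get(stag, hex(stag)), is_utf8 and stag != 0x0C))
    return report

def make_name(string_tag, cn, ou):   # constructed test Name; lengths must fit in one byte
    tlv = lambda t, v: bytes([t, len(v)]) + v
    rdn = lambda oid, s: tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(string_tag, s.encode("utf-8"))))
    return tlv(0x30, rdn(bytes.fromhex("550403"), cn) + rdn(bytes.fromhex("55040b"), ou))

if __name__ == "__main__":
    print(audit_name(make_name(0x14, SAMPLE, SAMPLE)))   # Teletex-tagged UTF-8, as in the thread
```

A `True` in the third field marks an attribute like the ones described in the thread: UTF-8 bytes under a TeletexString tag, which a viewer that honours the declared type will render as garbage.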